Malware Analysis Report

2025-01-18 23:44

Sample ID: 241106-kzvbvsxdlc
Target: Windowkill.zip
SHA256: a9a387482a32f5aeb135b0713ecf60e04680852a0f8f92729e53c837996f1d30
Tags: steam defense_evasion discovery persistence phishing privilege_escalation
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral2, behavioral7, behavioral8, behavioral10, behavioral12, behavioral17, behavioral18, behavioral1, behavioral26, behavioral25, behavioral15, behavioral22, behavioral23, behavioral6, behavioral16, behavioral21, behavioral24, behavioral3, behavioral9, behavioral13, behavioral5, behavioral20, behavioral19, behavioral4, behavioral11, behavioral27, behavioral14 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 8/10

SHA256: a9a387482a32f5aeb135b0713ecf60e04680852a0f8f92729e53c837996f1d30

Threat Level: Likely malicious

The file Windowkill.zip was found to be: Likely malicious.

Analyst note: the summary below aggregates signatures from every detonation listed in the table of contents, but only static1 and behavioral2, 7, 8, 10, 12, 17, 18 and 1 are reproduced in this report, so entries such as "Blocklisted process makes network request", "Modifies system certificate store", "Uses Volume Shadow Copy service COM API", "Event Triggered Execution: Installer Packages" and "Checks SCSI registry key(s)" have no supporting rows here. Read the remaining entries against the process that produced them. The steam, phishing and persistence tags, the Run key, the Program Files and Windows directory drops and the brand-reuse hit all come from behavioral1, where SteamSetup.exe was fetched through chrome.exe (it sits in Downloads with a Zone.Identifier stream written by chrome.exe) rather than extracted from the archive, and the activity that follows is the Steam installer and client setting themselves up. The "Opens file in notepad (likely ransom note)" hits in behavioral10, 12 and 17 are cmd /c launches of the plain-text settings files build_id.txt, force_account_name.txt and supported_languages.txt (behavioral2 opens HOW TO RUN GAME!!.txt the same way), and the Mark-of-the-Web "bypass" row is chrome.exe stamping its own download. None of this clears the sample: static1 flags an unsigned PE in the archive, windowkill-vulkan.exe is started from a .bat with --rendering-driver opengl3, and the report does not establish whether SteamSetup.exe is Valve's signed installer. Verify that file's Authenticode signature and hash out of band, and check whether the extracted executables carry a Zone.Identifier stream at all, before discounting the Steam-related hits.

Malicious Activity Summary

Tags: steam defense_evasion discovery persistence phishing privilege_escalation

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Blocklisted process makes network request

Checks installed software on the system

Adds Run key to start application

Enumerates connected drives

Detected potential entity reuse from brand STEAM.

Drops file in System32 directory

Drops file in Program Files directory

Subvert Trust Controls: Mark-of-the-Web Bypass

Drops file in Windows directory

Event Triggered Execution: Installer Packages

Browser Information Discovery

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Enumerates system info in registry

Suspicious behavior: GetForegroundWindowSpam

NTFS ADS

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Checks SCSI registry key(s)

Uses Volume Shadow Copy service COM API

Modifies registry class

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Opens file in notepad (likely ransom note)

Checks processor information in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-06 09:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (4 rows, no indicator detail recorded)

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-06 09:02

Reported

2024-11-06 09:34

Platform

win11-20241007-en

Max time kernel

1487s

Max time network

1473s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Windowkill\HOW TO RUN GAME!!.txt"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4716 wrote to memory of 4724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE
PID 4716 wrote to memory of 4724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Windowkill\HOW TO RUN GAME!!.txt"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Windowkill\HOW TO RUN GAME!!.txt

Network

Country Destination Domain Proto
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-06 09:02

Reported

2024-11-06 09:34

Platform

win11-20241007-en

Max time kernel

1452s

Max time network

1470s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_api64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_api64.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-06 09:02

Reported

2024-11-06 09:34

Platform

win11-20241007-en

Max time kernel

1401s

Max time network

1174s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_api64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_api64.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-06 09:02

Reported

2024-11-06 09:34

Platform

win11-20241023-en

Max time kernel

1473s

Max time network

1495s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_settings\build_id.txt

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2032 wrote to memory of 3704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE
PID 2032 wrote to memory of 3704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_settings\build_id.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_settings\build_id.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
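
Every Network table in this report repeats the same handful of rows: TLS to tse1.mm.bing.net at 150.171.27.10 or 150.171.28.10, and UDP/53 reverse lookups (in-addr.arpa) sent to 8.8.8.8. tse1.mm.bing.net is a Bing media endpoint that a Windows 11 guest contacts by itself, and the PTR lookups resolve addresses the guest itself connected to (10.27.171.150.in-addr.arpa is 150.171.27.10 reversed), so none of the rows shown is attributable to the sample. The Python below is an added example, not part of the sandbox's tooling: it parses rows in the report's own format, collapses duplicates, decodes the in-addr.arpa names, and separates guest background traffic from anything that needs a second look. The rows in SAMPLE_ROWS are copied from the behavioral10 table above; NOISE_SUFFIXES is an analyst assumption and should be rebuilt from a clean run of the same guest image.

```python
"""Collapse and classify Network-table rows from a Triage-style sandbox report.

Added example; not part of the sandbox's tooling. SAMPLE_ROWS are copied from
the behavioral10 table. NOISE_SUFFIXES is an analyst assumption about what a
Windows 11 guest contacts on its own; rebuild it from a clean run.
"""
import ipaddress
import re
from collections import Counter

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<dst>\S+):(?P<port>\d+)\s+(?P<name>\S+)\s+(?P<proto>tcp|udp)$"
)

# Assumption: host names the guest OS itself talks to (Search/Spotlight media).
NOISE_SUFFIXES = ("mm.bing.net",)

SAMPLE_ROWS = [  # copied from the behavioral10 Network table
    "US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp",
    "US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp",
    "US 8.8.8.8:53 tse1.mm.bing.net udp",
    "US 150.171.27.10:443 tse1.mm.bing.net tcp",
    "US 150.171.27.10:443 tse1.mm.bing.net tcp",
    "US 150.171.27.10:443 tse1.mm.bing.net tcp",
    "US 150.171.27.10:443 tse1.mm.bing.net tcp",
    "US 150.171.27.10:443 tse1.mm.bing.net tcp",
    "US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp",
]


def parse_row(line):
    """Return {cc, dst, port, name, proto} for one table row, or None if it is not a row."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    row = m.groupdict()
    row["port"] = int(row["port"])
    return row


def ptr_target(name):
    """Decode a reverse-lookup name d.c.b.a.in-addr.arpa back to the IPv4 address a.b.c.d."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def classify(row):
    """Map a row to (kind, detail); 'review' is the only kind needing analyst attention."""
    ip = ptr_target(row["name"])
    if ip:
        return ("ptr-lookup", ip)
    if row["name"].lower().endswith(NOISE_SUFFIXES):
        return ("guest-noise", row["name"])
    if row["proto"] == "udp" and row["port"] == 53:
        return ("dns-query", row["name"])
    return ("review", f'{row["name"]} {row["dst"]}:{row["port"]}/{row["proto"]}')


def summarize(lines):
    """Collapse duplicate rows into counts and list PTR lookups of the run's own destinations."""
    rows = [r for r in map(parse_row, lines) if r]
    counts = Counter(classify(r) for r in rows)
    destinations = {r["dst"] for r in rows}
    # A PTR lookup for an address this same run connected to is the guest
    # reverse-resolving its own traffic, not contact with a new host.
    own_ptr = sorted(ip for kind, ip in counts if kind == "ptr-lookup" and ip in destinations)
    return counts, own_ptr


def needs_review(lines):
    """Return the distinct 'review' details: rows not explained by guest background traffic."""
    counts, _ = summarize(lines)
    return sorted(detail for kind, detail in counts if kind == "review")


if __name__ == "__main__":
    counts, own_ptr = summarize(SAMPLE_ROWS)
    for (kind, detail), n in sorted(counts.items()):
        print(f"{n:3d}  {kind:12s} {detail}")
    print("PTR lookups of own destinations:", own_ptr)
    print("needs review:", needs_review(SAMPLE_ROWS))
```

Run against the behavioral10 rows the script reports six bing.net rows, three PTR lookups (one of them for 150.171.27.10, the very address the run connected to) and nothing to review; feed it the tables of the remaining detonations to see whether any of them adds a destination the clean baseline does not explain.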

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-06 09:02

Reported

2024-11-06 09:34

Platform

win11-20241007-en

Max time kernel

1473s

Max time network

1491s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_settings\force_account_name.txt

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2036 wrote to memory of 4704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE
PID 2036 wrote to memory of 4704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_settings\force_account_name.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_settings\force_account_name.txt

Network

Country Destination Domain Proto
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-06 09:02

Reported

2024-11-06 09:34

Platform

win11-20241007-en

Max time kernel

1454s

Max time network

1471s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_settings\supported_languages.txt

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4160 wrote to memory of 484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE
PID 4160 wrote to memory of 484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_settings\supported_languages.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_settings\supported_languages.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-06 09:02

Reported

2024-11-06 09:34

Platform

win11-20241007-en

Max time kernel

1456s

Max time network

1476s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\windowkill-opengl.bat"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\windowkill-vulkan.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1264 wrote to memory of 3536 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\windowkill-vulkan.exe
PID 1264 wrote to memory of 3536 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\windowkill-vulkan.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\windowkill-opengl.bat"

C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\windowkill-vulkan.exe

windowkill-vulkan.exe --rendering-driver opengl3

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 09:02

Reported

2024-11-06 09:34

Platform

win11-20241007-en

Max time kernel

1800s

Max time network

1756s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Windowkill.zip"

Signatures

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\SteamSetup.exe N/A (8 rows)
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A (18 rows)
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A (38 rows)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent" C:\Users\Admin\Downloads\SteamSetup.exe N/A
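
An autorun row deserves a closer read than the persistence tag alone: what matters is which process wrote the value and where the image it points at lives. Here SteamSetup.exe registered "C:\Program Files (x86)\Steam\steam.exe" -silent, an image under Program Files that only an elevated installer can write, which is what the Steam client's installer does; a Run value pointing into AppData, Temp or Downloads, set by a process living in the same places, is the pattern that warrants escalation. The Python below is an added example, not the sandbox's code: it parses the report's "Set value" rows into hive, SID, key, value name, decoded command line and setting process, then applies that location check. REAL_ROW is the row above; CONSTRUCTED_ROW is made up to show the contrasting case; PROTECTED_PREFIXES is an assumption for a default Windows install on C:.

```python
"""Parse registry 'Set value' rows from a Triage-style report and check autorun targets.

Added example; not the sandbox's code. REAL_ROW is copied from the report,
CONSTRUCTED_ROW is made up for contrast, PROTECTED_PREFIXES is an assumption
for a default Windows install on C:.
"""
import re

SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\S+) = "(?P<data>(?:\\.|[^"\\])*)" (?P<process>.+) (?P<target>\S+)$'
)
AUTORUN_KEYS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)
# Assumption: writable only by administrators/installers on a default install.
PROTECTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

REAL_ROW = (  # copied from the 'Adds Run key to start application' table
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\Steam = '
    r'"\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent" '
    r'C:\Users\Admin\Downloads\SteamSetup.exe N/A'
)
CONSTRUCTED_ROW = (  # constructed: autorun into a user-writable directory, set by a dropped binary
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\Updater = '
    r'"C:\\Users\\Admin\\AppData\\Roaming\\updater.exe" '
    r'C:\Users\Admin\AppData\Local\Temp\drop.exe N/A'
)


def unescape(data):
    """Undo the report's backslash escaping inside quoted value data."""
    return re.sub(r"\\(.)", r"\1", data)


def split_registry_path(path):
    """Split \\REGISTRY\\USER\\<sid>\\... or \\REGISTRY\\MACHINE\\... into (hive, sid, subkey)."""
    parts = path.split("\\")
    if len(parts) < 4 or parts[1].upper() != "REGISTRY":
        raise ValueError(f"unexpected registry path: {path}")
    root = parts[2].upper()
    if root == "USER":
        return "HKU", parts[3], "\\".join(parts[4:])
    if root == "MACHINE":
        return "HKLM", None, "\\".join(parts[3:])
    raise ValueError(f"unexpected hive: {path}")


def image_from_command(command):
    """Pull the executable out of a Run command line, quoted or not."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)(?=\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def assess_autorun_row(line):
    """Return a record for a Run/RunOnce 'Set value' row, or None for any other row."""
    m = SET_VALUE_RE.match(line.strip())
    if not m:
        return None
    hive, sid, subkey = split_registry_path(m["path"])
    key, _, name = subkey.rpartition("\\")
    if not ("\\" + key.lower()).endswith(AUTORUN_KEYS):
        return None
    command = unescape(m["data"])
    image = image_from_command(command)
    protected = image.lower().startswith(PROTECTED_PREFIXES)
    return {
        "hive": hive, "sid": sid, "key": key, "name": name,
        "command": command, "image": image, "set_by": m["process"],
        "location": "protected" if protected else "user-writable",
    }


if __name__ == "__main__":
    for row in (REAL_ROW, CONSTRUCTED_ROW):
        rec = assess_autorun_row(row)
        print(f'{rec["location"]:14s} {rec["name"]:8s} {rec["image"]}  (set by {rec["set_by"]})')
```

The location check is deliberately conservative: a protected image path says only that whoever wrote it already had administrative rights, so for the row above the open question is not the Run key but whether SteamSetup.exe itself is the genuine signed installer.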

Checks installed software on the system

discovery

Detected potential entity reuse from brand STEAM.

phishing steam

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Steam\package\tmp\graphics\support_flag_bottom_hover.tga_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps_dpad_left_md.png_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_mouse_r_click_sm.png_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_mouse_scroll_down_md.png_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_outlined_button_b_sm.png_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\switchpro_lstick_down.svg_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_outlined_button_circle.svg_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\graphics\btnStdRight.tga_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\steam\cached\Receipt_Server_Timeout_BFS.res_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\templates\controller_xboxone_gamepad_fps.vdf_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\bin\cef\cef.win7x64\d3dcompiler_47.dll_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\localization\switch_controller_korean.txt_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\switchpro_rstick_down.svg_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\templates\controller_ps4_gamepad_flickstick.vdf_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\graphics\streaming_shortcut_16.tga_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_090_media_0030.png_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\switchpro_button_capture_md.png_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_r2_soft.svg_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_lfn_sm.png_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_050_menu_0040.png_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sc_lt_md.png_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_button_a_lg-1.png_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\public\c2.tga_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps5_trackpad_right.svg_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\switchpro_button_minus.svg_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_035_magic_0344.png_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\clientui\vr\rendermodels\steamvr_quad_2\steam_quad.tga_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_trackpad_md.png_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\xbox_p4_sm.png_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_110_social_0090.png_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\controller_config_controller_apple.png_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_050_menu_0307.png_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\hp_r4_sm.png_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sc_dpad_swipe_sm.png_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sc_lt_soft.svg_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sc_rt_soft_sm.png_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_035_magic_0357.png_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps5_trackpad_r_right_lg.png_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_color_button_x_sm.png_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_dpad_up_sm.png_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\steamui\movies\steamdeck_thumbstick_move.webm_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\bin\cef\cef.win7x64\locales\mr.pak_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_040_act_0340.png_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\switchpro_button_minus_sm.png_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\switchpro_dpad_left_sm.png_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\xbox_rb.svg_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\resource\layout\sitelicenselockdialog.layout_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\resource\steamscheme.res_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\resource\vgui_italian.txt_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\resource\platform_brazilian.txt_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\hp_l4_lg.png_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps_outlined_button_square.svg_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_rstick_up_md.png_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_trackpad_swipe.svg_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\steam\cached\offline_english.html_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\steam\cached\subchangepasswordenterpassword.res_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\Steam.exe C:\Users\Admin\Downloads\SteamSetup.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\friends\trackerui_korean.txt_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\public\steamclean_ukrainian.txt_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\public\steamui_thai.txt_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\xbox360_button_select_sm.png_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sc_dpad_swipe_lg.png_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\friends\addfriendresultsubpanel.res_ C:\Program Files (x86)\Steam\steam.exe N/A
File created C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_ C:\Program Files (x86)\Steam\steam.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping27612_82134012\manifest.fingerprint C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
File opened for modification C:\Windows\SystemTemp C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Windows\SystemTemp C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping27612_82134012\_platform_specific\win_x64\widevinecdm.dll.sig C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping27612_82134012\_platform_specific\win_x64\widevinecdm.dll C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping27612_82134012\LICENSE C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping27612_82134012\manifest.json C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping27612_82134012\_metadata\verified_contents.json C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A

Analyst note: these rows are the Chromium component updater inside chrome.exe and the CEF-based steamwebhelper.exe unpacking the Widevine CDM (widevinecdm.dll with its .sig, manifest.json and verified_contents.json) into C:\Windows\SystemTemp; neither process comes from the sample.

Subvert Trust Controls: Mark-of-the-Web Bypass

defense_evasion
Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier C:\Program Files\Google\Chrome\Application\chrome.exe N/A
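
The row above is chrome.exe opening SteamSetup.exe:Zone.Identifier for modification. That is the downloading browser writing the Mark-of-the-Web to its own download, not a bypass of it: the signature keys on any write to the stream and cannot tell the process that stamps it from one that strips it. What would matter is the stream being removed afterwards, or the files 7zFM.exe extracted from Windowkill.zip carrying no stream at all (archivers differ in whether they propagate it to extracted files). The Python below is an added example and not part of the report: it parses the [ZoneTransfer] layout that Windows stores in the stream and classifies a report row of this kind. SAMPLE_STREAM and its URLs are constructed, the second triage row is constructed, and the DOWNLOADERS set is an assumption about which processes are expected to write the mark. On the host itself the real stream is read with open(r"C:\path\file.exe:Zone.Identifier").

```python
"""Parse a Zone.Identifier stream and triage a Mark-of-the-Web signature row.

Added example; not the sandbox's logic. SAMPLE_STREAM is constructed to the
[ZoneTransfer] layout Windows uses; on the host the real stream is read with
open(r"C:\\path\\file.exe:Zone.Identifier"). DOWNLOADERS is an assumption.
"""
import configparser
import re

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Assumption: processes expected to write the stream to their own downloads.
DOWNLOADERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample; the URLs are placeholders, not taken from the report.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.test/download-page\r\n"
    "HostUrl=https://example.test/SteamSetup.exe\r\n"
)


def parse_zone_identifier(text):
    """Return zone id/name and origin URLs from the stream text; ValueError if malformed."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        raise ValueError(f"not a Zone.Identifier stream: {exc}") from exc
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("missing [ZoneTransfer] section")
    sec = cp["ZoneTransfer"]
    if "ZoneId" not in sec:
        raise ValueError("missing ZoneId")
    zone_id = int(sec["ZoneId"])
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "unknown"),
        "referrer": sec.get("ReferrerUrl"),
        "host": sec.get("HostUrl"),
    }


def is_marked_internet(text):
    """True when the stream marks the file as coming from the Internet or Restricted zone."""
    return parse_zone_identifier(text)["zone_id"] >= 3


def _basename(path):
    return re.split(r"[\\/]", path)[-1].lower()


def triage_motw_row(description, indicator, process):
    """Classify one 'Mark-of-the-Web Bypass' row from the report.

    downloader-stamped : the browser that fetched the file writing its mark (expected)
    investigate        : any other process touching a Zone.Identifier stream
    not-motw           : the row does not concern a Zone.Identifier stream
    """
    if not indicator.lower().endswith(":zone.identifier"):
        return "not-motw"
    if description == "File opened for modification" and _basename(process) in DOWNLOADERS:
        return "downloader-stamped"
    return "investigate"


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
    print(triage_motw_row(
        "File opened for modification",
        r"C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier",
        r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    ))
```

A row classified as investigate still needs the stream read afterwards: a file that keeps ZoneId=3 was not bypassed, whereas a missing stream, or one rewritten to zone 0 to 2 by a process that is not the downloader, is the actual evasion the signature name implies.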

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\SteamSetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Steam\steam.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Steam\steam.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Steam\bin\gldriverquery.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Steam\bin\vulkandriverquery.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Steam\steamerrorreporter.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Steam\steam.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Steam\steam.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Steam\steam.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Steam\steam.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Steam\steam.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133753576289530498" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steam\Shell\Open C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\MuiCache C:\Windows\system32\BackgroundTransferHost.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\steam C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\steam\Shell\Open\Command C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\steamlink C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steam\DefaultIcon C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steamlink\Shell\Open C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\system32\BackgroundTransferHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\steam\ = "URL:steam protocol" C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\steam C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\"" C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steam\Shell\Open\Command C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\ = "URL:steamlink protocol" C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\"" C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\"" C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\system32\BackgroundTransferHost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steam\DefaultIcon\ = "steam.exe" C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\steamlink C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steam\ = "URL:steam protocol" C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steamlink\DefaultIcon C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steamlink\Shell C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\steam\DefaultIcon C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steam\URL Protocol C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steamlink C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steamlink\ = "URL:steamlink protocol" C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steam C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steam\Shell C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\steam\URL Protocol C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\steam\DefaultIcon\ = "steam.exe" C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\steamlink\DefaultIcon C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\DefaultIcon\ = "steam.exe" C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\steamlink\Shell\Open\Command C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\"" C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steamlink\Shell\Open\Command C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\system32\BackgroundTransferHost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\URL Protocol C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steamlink\URL Protocol C:\Program Files (x86)\Steam\bin\steamservice.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steamlink\DefaultIcon\ = "steam.exe" C:\Program Files (x86)\Steam\bin\steamservice.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Program Files (x86)\Steam\steam.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] C:\Program Files (x86)\Steam\steam.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] C:\Program Files (x86)\Steam\steam.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Program Files (x86)\Steam\steam.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Program Files (x86)\Steam\steam.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Program Files (x86)\Steam\steam.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\Downloads\SteamSetup.exe N/A
N/A N/A C:\Users\Admin\Downloads\SteamSetup.exe N/A
N/A N/A C:\Users\Admin\Downloads\SteamSetup.exe N/A
N/A N/A C:\Users\Admin\Downloads\SteamSetup.exe N/A
N/A N/A C:\Users\Admin\Downloads\SteamSetup.exe N/A
N/A N/A C:\Users\Admin\Downloads\SteamSetup.exe N/A
N/A N/A C:\Users\Admin\Downloads\SteamSetup.exe N/A
N/A N/A C:\Users\Admin\Downloads\SteamSetup.exe N/A
N/A N/A C:\Users\Admin\Downloads\SteamSetup.exe N/A
N/A N/A C:\Users\Admin\Downloads\SteamSetup.exe N/A
N/A N/A C:\Users\Admin\Downloads\SteamSetup.exe N/A
N/A N/A C:\Users\Admin\Downloads\SteamSetup.exe N/A
N/A N/A C:\Users\Admin\Downloads\SteamSetup.exe N/A
N/A N/A C:\Users\Admin\Downloads\SteamSetup.exe N/A
N/A N/A C:\Users\Admin\Downloads\SteamSetup.exe N/A
N/A N/A C:\Users\Admin\Downloads\SteamSetup.exe N/A
N/A N/A C:\Users\Admin\Downloads\SteamSetup.exe N/A
N/A N/A C:\Users\Admin\Downloads\SteamSetup.exe N/A
N/A N/A C:\Users\Admin\Downloads\SteamSetup.exe N/A
N/A N/A C:\Users\Admin\Downloads\SteamSetup.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files (x86)\Steam\steam.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4896 wrote to memory of 1548 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO0236C238\windowkill-vulkan.exe
PID 4896 wrote to memory of 1548 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO0236C238\windowkill-vulkan.exe
PID 3828 wrote to memory of 1856 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 1856 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 3788 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 3788 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 3788 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 3788 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 3788 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 3788 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 3788 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 3788 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 3788 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 3788 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 3788 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 3788 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 3788 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 3788 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 3788 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 3788 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 3788 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 3788 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 3788 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 3788 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 3788 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 3788 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 3788 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 3788 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 3788 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 3788 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 3788 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 3788 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 3788 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 3788 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 436 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 436 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 4428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 4428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 4428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 4428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 4428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 4428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 4428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 4428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 4428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 4428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 4428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 4428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 4428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 4428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 4428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 4428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 4428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 4428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 4428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 4428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 4428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 4428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 4428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 4428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 4428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 4428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 4428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3828 wrote to memory of 4428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Windowkill.zip"

C:\Users\Admin\AppData\Local\Temp\7zO0236C238\windowkill-vulkan.exe

"C:\Users\Admin\AppData\Local\Temp\7zO0236C238\windowkill-vulkan.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Documents\Windowkill\Windowkill\Windowkill\windowkill-vulkan.exe

"C:\Users\Admin\Documents\Windowkill\Windowkill\Windowkill\windowkill-vulkan.exe"

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ff9e980cc40,0x7ff9e980cc4c,0x7ff9e980cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1820,i,6471348633338055283,17781070199840874577,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=1816 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2044,i,6471348633338055283,17781070199840874577,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=2132 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,6471348633338055283,17781070199840874577,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=2196 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,6471348633338055283,17781070199840874577,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=3228 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,6471348633338055283,17781070199840874577,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=3256 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3536,i,6471348633338055283,17781070199840874577,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=3540 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4580,i,6471348633338055283,17781070199840874577,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=4620 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4632,i,6471348633338055283,17781070199840874577,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=4584 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4948,i,6471348633338055283,17781070199840874577,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=4960 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4988,i,6471348633338055283,17781070199840874577,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=4960 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4792,i,6471348633338055283,17781070199840874577,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=4092 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4656,i,6471348633338055283,17781070199840874577,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=4832 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5036,i,6471348633338055283,17781070199840874577,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=4964 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5200,i,6471348633338055283,17781070199840874577,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=4704 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5212,i,6471348633338055283,17781070199840874577,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=4684 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5032,i,6471348633338055283,17781070199840874577,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=5108 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4292,i,6471348633338055283,17781070199840874577,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=4600 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=3332,i,6471348633338055283,17781070199840874577,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=3280 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5432,i,6471348633338055283,17781070199840874577,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=5452 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5444,i,6471348633338055283,17781070199840874577,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=5592 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5744,i,6471348633338055283,17781070199840874577,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=3244 /prefetch:8

C:\Users\Admin\Downloads\SteamSetup.exe

"C:\Users\Admin\Downloads\SteamSetup.exe"

C:\Program Files (x86)\Steam\bin\steamservice.exe

"C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install

C:\Program Files (x86)\Steam\steam.exe

"C:\Program Files (x86)\Steam\steam.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5796,i,6471348633338055283,17781070199840874577,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=3232 /prefetch:8

C:\Program Files (x86)\Steam\steam.exe

"C:\Program Files (x86)\Steam\steam.exe"

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe

"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=27556" "-buildid=1730853027" "-steamid=0" "-logdir=C:\Program Files (x86)\Steam\logs" "-uimode=7" "-startcount=0" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Program Files (x86)\Steam\clientui" "-steampath=C:\Program Files (x86)\Steam\steam.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write "--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt" --disable-quick-menu "--enable-features=PlatformHEVCDecoderSupport" "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal,ValveFFmpegAllowLowDelayHEVC"

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe

"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=crashpad-handler /prefetch:4 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files (x86)\Steam\dumps" "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1730853027 --initial-client-data=0x29c,0x2a0,0x2a4,0x298,0x2a8,0x7ff9e911af00,0x7ff9e911af0c,0x7ff9e911af18

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe

"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1730853027 --steamid=0 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1548,i,18375512494182881554,5678498178744503711,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=1552 --mojo-platform-channel-handle=1540 /prefetch:2

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe

"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1730853027 --steamid=0 --field-trial-handle=2292,i,18375512494182881554,5678498178744503711,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=2296 --mojo-platform-channel-handle=2288 /prefetch:11

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004B8

C:\Program Files (x86)\Steam\bin\gldriverquery64.exe

.\bin\gldriverquery64.exe

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe

"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1730853027 --steamid=0 --field-trial-handle=2760,i,18375512494182881554,5678498178744503711,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=2764 --mojo-platform-channel-handle=2756 /prefetch:13

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe

"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1730853027 --steamid=0 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,18375512494182881554,5678498178744503711,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=3120 --mojo-platform-channel-handle=3112 /prefetch:1

C:\Program Files (x86)\Steam\bin\gldriverquery.exe

.\bin\gldriverquery.exe

C:\Program Files (x86)\Steam\bin\vulkandriverquery64.exe

.\bin\vulkandriverquery64.exe

C:\Program Files (x86)\Steam\bin\vulkandriverquery.exe

.\bin\vulkandriverquery.exe

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe

"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1730853027 --steamid=0 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3700,i,18375512494182881554,5678498178744503711,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=3704 --mojo-platform-channel-handle=3696 /prefetch:1

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe

"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1730853027 --steamid=0 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3732,i,18375512494182881554,5678498178744503711,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=3832 --mojo-platform-channel-handle=3848 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=6040,i,6471348633338055283,17781070199840874577,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=4220 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=4556,i,6471348633338055283,17781070199840874577,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=5988 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6252,i,6471348633338055283,17781070199840874577,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=6248 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6240,i,6471348633338055283,17781070199840874577,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=6380 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=6244,i,6471348633338055283,17781070199840874577,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=6232 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=6324,i,6471348633338055283,17781070199840874577,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=6236 /prefetch:1

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe

"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1730853027 --steamid=0 --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4172,i,18375512494182881554,5678498178744503711,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=4176 --mojo-platform-channel-handle=4168 /prefetch:10

C:\Program Files (x86)\Steam\steamerrorreporter.exe

C:\Program Files (x86)\Steam\steam

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe

"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1730853027 --steamid=0 --field-trial-handle=4160,i,18375512494182881554,5678498178744503711,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=2060 --mojo-platform-channel-handle=4168 /prefetch:14

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
GB 104.86.110.104:443 tcp
GB 104.86.110.104:443 tcp
GB 92.123.128.177:443 r.bing.com tcp
GB 92.123.128.177:443 r.bing.com tcp
GB 92.123.128.177:443 r.bing.com tcp
GB 92.123.128.177:443 r.bing.com tcp
GB 92.123.128.177:443 r.bing.com tcp
GB 92.123.128.177:443 r.bing.com tcp
US 52.168.117.171:443 browser.pipe.aria.microsoft.com tcp
GB 92.123.128.155:443 www.bing.com tcp
GB 142.250.180.4:443 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 216.58.201.110:443 chrome.google.com udp
US 8.8.8.8:53 234.179.250.142.in-addr.arpa udp
GB 172.217.16.238:443 play.google.com udp
GB 172.217.16.238:443 play.google.com tcp
GB 216.58.201.110:443 clients2.google.com udp
N/A 224.0.0.251:5353 udp
GB 216.58.201.110:443 clients2.google.com tcp
GB 216.58.213.1:443 clients2.googleusercontent.com udp
GB 216.58.201.110:443 clients2.google.com tcp
GB 142.250.180.4:443 www.google.com udp
US 216.239.34.157:443 tunnel.googlezip.net tcp
US 216.239.34.157:443 tunnel.googlezip.net tcp
GB 172.217.16.238:443 play.google.com tcp
US 8.8.8.8:53 consent.google.com udp
US 8.8.8.8:53 content-autofill.googleapis.com udp
GB 172.217.16.238:443 consent.google.com udp
US 8.8.8.8:53 store.akamai.steamstatic.com udp
GB 2.19.117.27:443 store.akamai.steamstatic.com tcp
GB 2.19.117.27:443 store.akamai.steamstatic.com tcp
GB 2.19.117.27:443 store.akamai.steamstatic.com tcp
GB 2.19.117.27:443 store.akamai.steamstatic.com tcp
GB 2.19.117.27:443 store.akamai.steamstatic.com tcp
GB 2.19.117.27:443 store.akamai.steamstatic.com tcp
US 8.8.8.8:53 cdn.akamai.steamstatic.com udp
US 8.8.8.8:53 shared.akamai.steamstatic.com udp
GB 2.19.117.27:443 shared.akamai.steamstatic.com tcp
GB 2.19.117.27:443 shared.akamai.steamstatic.com tcp
GB 2.19.117.13:443 shared.akamai.steamstatic.com tcp
GB 2.19.117.13:443 shared.akamai.steamstatic.com tcp
GB 2.19.117.13:443 shared.akamai.steamstatic.com tcp
GB 2.19.117.13:443 shared.akamai.steamstatic.com tcp
GB 2.19.117.23:443 cdn.akamai.steamstatic.com tcp
GB 2.19.117.13:443 shared.akamai.steamstatic.com tcp
GB 2.19.117.13:443 shared.akamai.steamstatic.com tcp
GB 2.19.117.23:443 cdn.akamai.steamstatic.com tcp
US 23.192.21.216:443 store.steampowered.com tcp
GB 2.19.117.27:443 shared.akamai.steamstatic.com tcp
US 8.8.8.8:53 27.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 13.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 23.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 216.21.192.23.in-addr.arpa udp
US 23.192.21.216:443 store.steampowered.com tcp
US 23.192.21.216:443 store.steampowered.com tcp
US 23.192.21.216:443 store.steampowered.com tcp
GB 2.19.117.23:443 cdn.akamai.steamstatic.com tcp
GB 2.19.117.23:443 cdn.akamai.steamstatic.com tcp
GB 2.19.117.23:443 cdn.akamai.steamstatic.com tcp
GB 2.19.117.23:443 cdn.akamai.steamstatic.com tcp
GB 2.19.117.23:443 cdn.akamai.steamstatic.com tcp
GB 2.19.117.23:443 cdn.akamai.steamstatic.com tcp
US 151.101.3.52:443 cdn.steamstatic.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.23.210.75:80 r11.o.lencr.org tcp
US 151.101.3.52:443 cdn.steamstatic.com tcp
US 151.101.3.52:443 cdn.steamstatic.com tcp
US 8.8.8.8:53 52.3.101.151.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 75.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
US 8.8.8.8:53 google.com udp
GB 216.58.213.3:443 beacons.gcp.gvt2.com tcp
GB 142.250.200.14:443 google.com tcp
US 34.174.255.69:443 e2c60.gcp.gvt2.com tcp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 69.255.174.34.in-addr.arpa udp
GB 2.19.117.24:80 test.steampowered.com tcp
US 8.8.8.8:53 ipv6check-http.steamserver.net udp
US 8.8.8.8:53 api.steampowered.com udp
GB 104.82.234.109:443 api.steampowered.com tcp
US 8.8.8.8:53 109.234.82.104.in-addr.arpa udp
US 162.254.192.99:443 cmp2-iad1.steamserver.net tcp
US 162.254.192.98:27019 cmp1-iad1.steamserver.net tcp
US 8.8.8.8:53 cmp1-atl3.steamserver.net udp
US 162.254.199.165:443 cmp1-atl3.steamserver.net tcp
US 162.254.192.99:27020 cmp2-iad1.steamserver.net tcp
N/A 127.0.0.1:62968 tcp
N/A 127.0.0.1:62966 tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 e5.o.lencr.org udp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
GB 2.23.210.75:80 e5.o.lencr.org tcp
US 8.8.8.8:53 e6.o.lencr.org udp
GB 2.23.210.75:80 e6.o.lencr.org tcp
US 8.8.8.8:53 99.192.254.162.in-addr.arpa udp
US 8.8.8.8:53 98.192.254.162.in-addr.arpa udp
US 8.8.8.8:53 165.199.254.162.in-addr.arpa udp
US 8.8.8.8:53 cmp2-atl3.steamserver.net udp
US 162.254.199.184:27018 cmp2-atl3.steamserver.net tcp
US 162.254.199.165:27018 cmp1-atl3.steamserver.net tcp
US 155.133.253.52:27018 cmp2-dfw1.steamserver.net tcp
US 155.133.253.36:443 cmp1-dfw1.steamserver.net tcp
US 155.133.253.36:27018 cmp1-dfw1.steamserver.net tcp
US 162.254.193.75:27018 cmp2-ord1.steamserver.net tcp
US 205.196.6.133:443 cmp2-sea1.steamserver.net tcp
US 205.196.6.132:443 cmp1-sea1.steamserver.net tcp
US 8.8.8.8:53 52.253.133.155.in-addr.arpa udp
US 8.8.8.8:53 36.253.133.155.in-addr.arpa udp
US 8.8.8.8:443 dns.google udp
US 23.192.21.216:443 store.steampowered.com tcp
GB 2.19.117.22:443 store.akamai.steamstatic.com tcp
GB 2.19.117.22:443 store.akamai.steamstatic.com tcp
GB 2.19.117.22:443 store.akamai.steamstatic.com tcp
US 8.8.8.8:53 22.117.19.2.in-addr.arpa udp
GB 2.19.117.22:443 store.akamai.steamstatic.com tcp
GB 2.19.117.22:443 store.akamai.steamstatic.com tcp
US 104.19.230.21:443 udp
GB 2.19.117.22:443 store.akamai.steamstatic.com tcp
GB 2.19.117.22:443 store.akamai.steamstatic.com tcp
US 8.8.8.8:53 21.230.19.104.in-addr.arpa udp
GB 142.250.200.14:443 google.com tcp
NL 172.217.132.135:443 udp
US 8.8.8.8:53 135.132.217.172.in-addr.arpa udp
GB 142.250.180.4:443 www.google.com udp
GB 142.250.200.14:443 google.com udp
GB 216.58.213.3:443 beacons.gcp.gvt2.com udp
US 8.8.8.8:53 e2c34.gcp.gvt2.com udp
KR 35.216.18.75:443 e2c34.gcp.gvt2.com tcp
GB 142.250.179.234:443 content-autofill.googleapis.com udp
KR 35.216.18.75:443 e2c34.gcp.gvt2.com tcp
US 8.8.8.8:53 play.google.com udp
GB 172.217.16.238:443 play.google.com udp
US 8.8.8.8:53 75.18.216.35.in-addr.arpa udp
GB 216.58.213.3:443 beacons.gcp.gvt2.com tcp
US 8.8.8.8:53 id.google.com udp
US 8.8.8.8:53 194.212.58.216.in-addr.arpa udp
GB 142.250.180.4:443 www.google.com udp
GB 142.250.179.234:443 content-autofill.googleapis.com udp
US 216.239.34.157:443 tunnel.googlezip.net tcp
GB 172.217.16.238:443 play.google.com udp
GB 172.217.16.238:443 play.google.com udp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 encrypted-tbn0.gstatic.com udp
GB 142.250.200.46:443 encrypted-tbn0.gstatic.com tcp
GB 142.250.200.46:443 encrypted-tbn0.gstatic.com tcp
GB 142.250.200.46:443 encrypted-tbn0.gstatic.com tcp
GB 142.250.200.46:443 encrypted-tbn0.gstatic.com tcp
GB 142.250.200.46:443 encrypted-tbn0.gstatic.com tcp
GB 142.250.200.46:443 encrypted-tbn0.gstatic.com tcp
GB 216.58.213.1:443 lh5.googleusercontent.com tcp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
GB 142.250.180.4:443 www.google.com udp
US 216.239.34.157:443 tunnel.googlezip.net tcp
US 216.239.34.157:443 tunnel.googlezip.net tcp
GB 172.217.16.238:443 play.google.com udp
US 216.239.34.157:443 tunnel.googlezip.net tcp
GB 142.250.180.4:443 www.google.com udp
GB 142.250.200.46:443 encrypted-tbn0.gstatic.com udp
US 8.8.8.8:443 dns.google udp
GB 172.217.169.35:443 tcp
GB 172.217.169.35:443 tcp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 35.169.217.172.in-addr.arpa udp
US 216.239.34.157:443 tunnel.googlezip.net tcp
US 8.8.8.8:53 i.ytimg.com udp
GB 216.58.201.118:443 i.ytimg.com tcp
US 216.239.34.157:443 tunnel.googlezip.net tcp
GB 216.58.201.118:443 i.ytimg.com tcp
US 8.8.8.8:53 118.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
GB 172.217.169.14:443 www.youtube.com tcp
US 216.239.34.157:443 tunnel.googlezip.net tcp
US 8.8.8.8:53 14.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 p2p-atl3.discovery.steamserver.net udp
US 8.8.8.8:53 123.35.104.34.in-addr.arpa udp
US 8.8.8.8:53 api.steampowered.com udp
US 8.8.8.8:53 ipv6check-udp.steamserver.net udp
US 8.8.8.8:53 ipv6check-http.steamserver.net udp
US 8.8.8.8:53 api.steampowered.com udp
GB 104.82.234.109:443 api.steampowered.com tcp
US 8.8.8.8:53 cmp1-sgp1.steamserver.net udp
SG 103.10.124.4:27018 cmp1-sgp1.steamserver.net tcp
US 8.8.8.8:53 cmp2-sgp1.steamserver.net udp
SG 103.10.124.4:27020 cmp1-sgp1.steamserver.net tcp
SG 103.10.124.5:443 cmp2-sgp1.steamserver.net tcp
US 8.8.8.8:53 ext6-hkg1.steamserver.net udp
HK 103.28.54.172:27028 ext6-hkg1.steamserver.net tcp
US 8.8.8.8:53 e5.o.lencr.org udp
GB 2.23.210.75:80 e5.o.lencr.org tcp
US 8.8.8.8:53 e6.o.lencr.org udp
GB 2.23.210.75:80 e6.o.lencr.org tcp
US 8.8.8.8:53 4.124.10.103.in-addr.arpa udp
US 8.8.8.8:53 5.124.10.103.in-addr.arpa udp
US 8.8.8.8:53 172.54.28.103.in-addr.arpa udp
US 8.8.8.8:53 cmp3-hkg1.steamserver.net udp
HK 103.28.54.102:27020 cmp3-hkg1.steamserver.net tcp
HK 103.28.54.102:443 cmp3-hkg1.steamserver.net tcp
JP 45.121.184.23:27035 ext4-tyo3.steamserver.net tcp
JP 45.121.184.21:27032 ext2-tyo3.steamserver.net tcp
US 8.8.8.8:53 102.54.28.103.in-addr.arpa udp
US 8.8.8.8:53 23.184.121.45.in-addr.arpa udp
JP 45.121.184.21:443 ext2-tyo3.steamserver.net tcp
US 8.8.8.8:53 cmp1-lax1.steamserver.net udp
US 162.254.195.69:27018 cmp1-lax1.steamserver.net tcp
US 8.8.8.8:53 cmp2-lax1.steamserver.net udp
US 8.8.8.8:53 ext1-syd1.steamserver.net udp
US 162.254.195.75:27018 cmp2-lax1.steamserver.net tcp
AU 103.10.125.148:27020 ext1-syd1.steamserver.net tcp
US 8.8.8.8:53 75.195.254.162.in-addr.arpa udp
US 8.8.8.8:53 21.184.121.45.in-addr.arpa udp
US 8.8.8.8:53 69.195.254.162.in-addr.arpa udp
US 8.8.8.8:53 148.125.10.103.in-addr.arpa udp
US 8.8.8.8:53 p2p-lax1.discovery.steamserver.net udp
US 8.8.8.8:443 dns.google udp
US 104.19.230.21:443 udp
US 104.19.230.21:443 udp
US 104.19.230.21:443 tcp
US 104.19.230.21:443 udp
US 8.8.8.8:53 client-update.steamstatic.com udp
US 151.101.195.52:443 client-update.steamstatic.com tcp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 2.23.210.82:80 r10.o.lencr.org tcp
US 8.8.8.8:53 52.195.101.151.in-addr.arpa udp
US 8.8.8.8:53 82.210.23.2.in-addr.arpa udp
US 104.19.230.21:443 udp
US 8.8.8.8:443 dns.google udp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
US 8.8.8.8:53 api.steampowered.com udp
GB 172.217.169.67:443 beacons.gcp.gvt2.com udp
GB 104.82.234.109:443 api.steampowered.com tcp
US 8.8.8.8:53 ipv6check-udp.steamserver.net udp
US 8.8.8.8:53 ipv6check-http.steamserver.net udp
US 8.8.8.8:53 crash.steampowered.com udp
US 208.64.203.173:443 crash.steampowered.com tcp
US 8.8.8.8:53 p2p-lax1.discovery.steamserver.net udp
US 8.8.8.8:53 cmp2-lhr1.steamserver.net udp
GB 162.254.196.80:443 cmp2-lhr1.steamserver.net tcp
US 8.8.8.8:53 cmp1-lhr1.steamserver.net udp
GB 162.254.196.79:27020 cmp1-lhr1.steamserver.net tcp
GB 162.254.196.79:27019 cmp1-lhr1.steamserver.net tcp
US 155.133.229.4:443 cmp1-fra2.steamserver.net tcp
US 8.8.8.8:53 r10.o.lencr.org udp
US 8.8.8.8:53 e5.o.lencr.org udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 173.203.64.208.in-addr.arpa udp
US 8.8.8.8:53 80.196.254.162.in-addr.arpa udp
US 8.8.8.8:53 79.196.254.162.in-addr.arpa udp
US 8.8.8.8:53 4.229.133.155.in-addr.arpa udp
GB 2.23.210.82:80 e6.o.lencr.org tcp
GB 2.23.210.82:80 e6.o.lencr.org tcp
GB 2.23.210.75:80 e6.o.lencr.org tcp
GB 216.58.201.99:443 udp
GB 104.82.234.109:443 api.steampowered.com tcp
US 155.133.253.36:443 cmp1-dfw1.steamserver.net tcp
US 155.133.253.36:27018 cmp1-dfw1.steamserver.net tcp
US 162.254.199.184:443 cmp2-atl3.steamserver.net tcp
US 162.254.199.165:27018 cmp1-atl3.steamserver.net tcp
US 155.133.253.52:27018 cmp2-dfw1.steamserver.net tcp
US 162.254.199.184:27018 cmp2-atl3.steamserver.net tcp
US 162.254.192.99:27018 cmp2-iad1.steamserver.net tcp
US 162.254.192.98:27020 cmp1-iad1.steamserver.net tcp
US 162.254.192.98:443 cmp1-iad1.steamserver.net tcp
US 162.254.195.75:27018 cmp2-lax1.steamserver.net tcp
US 8.8.8.8:53 ext2-par1.steamserver.net udp
FR 185.25.182.52:27038 ext2-par1.steamserver.net tcp
US 205.196.6.132:27018 cmp1-sea1.steamserver.net tcp
US 8.8.8.8:53 52.182.25.185.in-addr.arpa udp
US 8.8.8.8:53 p2p-par1.discovery.steamserver.net udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google udp
US 104.19.230.21:443 udp
US 8.8.8.8:53 ipv6check-http.steamserver.net udp
US 8.8.8.8:53 p2p-par1.discovery.steamserver.net udp
US 8.8.8.8:53 ipv6check-udp.steamserver.net udp
US 8.8.8.8:53 ipv6check-http.steamserver.net udp
US 8.8.8.8:53 api.steampowered.com udp
GB 104.82.234.109:443 api.steampowered.com tcp
US 8.8.8.8:53 cmp2-vie1.steamserver.net udp
AT 146.66.155.85:443 cmp2-vie1.steamserver.net tcp
US 8.8.8.8:53 cmp1-vie1.steamserver.net udp
AT 146.66.155.84:27018 cmp1-vie1.steamserver.net tcp
AT 146.66.155.85:27018 cmp2-vie1.steamserver.net tcp
US 8.8.8.8:53 cmp1-fra1.steamserver.net udp
DE 155.133.250.4:27020 cmp1-fra1.steamserver.net tcp
GB 2.23.210.82:80 e5.o.lencr.org tcp
US 8.8.8.8:53 e6.o.lencr.org udp
US 8.8.8.8:53 84.155.66.146.in-addr.arpa udp
US 8.8.8.8:53 85.155.66.146.in-addr.arpa udp
US 8.8.8.8:53 4.250.133.155.in-addr.arpa udp
GB 2.23.210.75:80 e6.o.lencr.org tcp
DE 155.133.250.20:27020 cmp2-fra1.steamserver.net tcp
US 155.133.229.20:27021 cmp2-fra2.steamserver.net tcp
US 155.133.229.20:27023 cmp2-fra2.steamserver.net tcp
US 8.8.8.8:53 20.229.133.155.in-addr.arpa udp
US 8.8.8.8:53 p2p-vie1.discovery.steamserver.net udp
US 8.8.8.8:53 api.steampowered.com udp
US 8.8.8.8:53 ipv6check-udp.steamserver.net udp
US 8.8.8.8:53 ipv6check-http.steamserver.net udp
US 8.8.8.8:53 api.steampowered.com udp
GB 104.82.234.109:443 api.steampowered.com tcp
US 8.8.8.8:53 ext1-tyo3.steamserver.net udp
JP 45.121.184.20:27021 ext1-tyo3.steamserver.net tcp
JP 45.121.184.23:27029 ext4-tyo3.steamserver.net tcp
JP 45.121.184.20:443 ext1-tyo3.steamserver.net tcp
HK 103.28.54.102:27021 cmp3-hkg1.steamserver.net tcp
US 8.8.8.8:53 cmp1-hkg1.steamserver.net udp
US 8.8.8.8:53 20.184.121.45.in-addr.arpa udp
HK 103.28.54.100:27021 cmp1-hkg1.steamserver.net tcp
HK 103.28.54.102:443 cmp3-hkg1.steamserver.net tcp
SG 103.10.124.4:27018 cmp1-sgp1.steamserver.net tcp
SG 103.10.124.5:27019 cmp2-sgp1.steamserver.net tcp
GB 2.23.210.75:80 e6.o.lencr.org tcp
SG 103.10.124.5:443 cmp2-sgp1.steamserver.net tcp
US 162.254.195.75:443 cmp2-lax1.steamserver.net tcp
US 162.254.192.98:443 cmp1-iad1.steamserver.net tcp
US 8.8.8.8:53 100.54.28.103.in-addr.arpa udp
IN 155.133.225.21:27024 ext2-maa2.steamserver.net tcp
US 8.8.8.8:53 p2p-iad1.discovery.steamserver.net udp
US 8.8.8.8:53 api.steampowered.com udp
US 8.8.8.8:53 ipv6check-http.steamserver.net udp
US 8.8.8.8:53 p2p-iad1.discovery.steamserver.net udp
US 8.8.8.8:53 api.steampowered.com udp
US 8.8.8.8:53 ipv6check-http.steamserver.net udp
US 8.8.8.8:53 api.steampowered.com udp
GB 104.82.234.109:443 api.steampowered.com tcp
US 8.8.8.8:53 ext2-lim1.steamserver.net udp
PE 155.133.244.50:27028 ext2-lim1.steamserver.net tcp
US 8.8.8.8:53 ext1-lim1.steamserver.net udp
PE 155.133.244.34:27022 ext1-lim1.steamserver.net tcp
US 8.8.8.8:53 ext1-scl1.steamserver.net udp
PE 155.133.244.50:443 ext2-lim1.steamserver.net tcp
CL 155.133.249.180:27034 ext1-scl1.steamserver.net tcp
US 8.8.8.8:53 ext2-scl1.steamserver.net udp
CL 155.133.249.164:27020 ext2-scl1.steamserver.net tcp
CL 155.133.249.164:443 ext2-scl1.steamserver.net tcp
AR 155.133.255.100:27032 ext1-eze1.steamserver.net tcp
AR 155.133.255.100:27033 ext1-eze1.steamserver.net tcp
US 8.8.8.8:53 34.244.133.155.in-addr.arpa udp
US 8.8.8.8:53 50.244.133.155.in-addr.arpa udp
US 8.8.8.8:53 180.249.133.155.in-addr.arpa udp
AR 155.133.255.100:443 ext1-eze1.steamserver.net tcp
US 8.8.8.8:53 ext2-gru1.steamserver.net udp
BR 155.133.227.50:27034 ext2-gru1.steamserver.net tcp
US 162.254.195.75:443 cmp2-lax1.steamserver.net tcp
US 162.254.192.98:27020 cmp1-iad1.steamserver.net tcp
US 8.8.8.8:53 100.255.133.155.in-addr.arpa udp
US 8.8.8.8:53 p2p-lax1.discovery.steamserver.net udp
US 8.8.8.8:53 50.227.133.155.in-addr.arpa udp
US 8.8.8.8:53 p2p-lax1.discovery.steamserver.net udp
US 8.8.8.8:53 api.steampowered.com udp
US 8.8.8.8:53 ipv6check-udp.steamserver.net udp
US 8.8.8.8:53 ipv6check-http.steamserver.net udp
US 8.8.8.8:53 api.steampowered.com udp
GB 104.82.234.109:443 api.steampowered.com tcp
AT 146.66.155.84:443 cmp1-vie1.steamserver.net tcp
AT 146.66.155.85:27018 cmp2-vie1.steamserver.net tcp
AT 146.66.155.84:27018 cmp1-vie1.steamserver.net tcp
US 155.133.229.20:27022 cmp2-fra2.steamserver.net tcp
DE 155.133.250.20:27020 cmp2-fra1.steamserver.net tcp
DE 155.133.250.20:27024 cmp2-fra1.steamserver.net tcp
DE 155.133.250.20:27019 cmp2-fra1.steamserver.net tcp
DE 155.133.250.4:443 cmp1-fra1.steamserver.net tcp
US 8.8.8.8:53 p2p-fra1.discovery.steamserver.net udp
US 8.8.8.8:53 api.steampowered.com udp
US 8.8.8.8:53 ipv6check-http.steamserver.net udp
US 8.8.8.8:53 api.steampowered.com udp
GB 104.82.234.109:443 api.steampowered.com tcp
HK 103.28.54.100:27018 cmp1-hkg1.steamserver.net tcp
HK 103.28.54.102:27020 cmp3-hkg1.steamserver.net tcp
US 8.8.8.8:53 cmp2-hkg1.steamserver.net udp
HK 103.28.54.101:443 cmp2-hkg1.steamserver.net tcp
SG 103.10.124.4:27018 cmp1-sgp1.steamserver.net tcp
US 8.8.8.8:53 e6.o.lencr.org udp
GB 2.23.210.82:80 e6.o.lencr.org tcp
SG 103.10.124.5:27020 cmp2-sgp1.steamserver.net tcp
SG 103.10.124.4:443 cmp1-sgp1.steamserver.net tcp
JP 45.121.184.20:27023 ext1-tyo3.steamserver.net tcp
US 8.8.8.8:53 101.54.28.103.in-addr.arpa udp
JP 45.121.184.21:27037 ext2-tyo3.steamserver.net tcp
US 8.8.8.8:53 cmp1-lax1.steamserver.net udp
JP 45.121.184.20:443 ext1-tyo3.steamserver.net tcp
US 162.254.195.69:27018 cmp1-lax1.steamserver.net tcp
US 8.8.8.8:53 ext1-bom2.steamserver.net udp
IN 155.133.224.22:27038 ext1-bom2.steamserver.net tcp
US 162.254.195.75:443 cmp2-lax1.steamserver.net tcp
US 8.8.8.8:53 p2p-lax1.discovery.steamserver.net udp
US 8.8.8.8:53 22.224.133.155.in-addr.arpa udp
US 8.8.8.8:53 api.steampowered.com udp
US 8.8.8.8:53 ipv6check-http.steamserver.net udp
US 8.8.8.8:53 api.steampowered.com udp
GB 104.82.234.109:443 api.steampowered.com tcp
SG 103.10.124.4:27018 cmp1-sgp1.steamserver.net tcp
SG 103.10.124.5:27018 cmp2-sgp1.steamserver.net tcp
SG 103.10.124.5:443 cmp2-sgp1.steamserver.net tcp
HK 103.28.54.101:27020 cmp2-hkg1.steamserver.net tcp
HK 103.28.54.102:27021 cmp3-hkg1.steamserver.net tcp
HK 103.28.54.100:443 cmp1-hkg1.steamserver.net tcp
JP 45.121.184.21:27021 ext2-tyo3.steamserver.net tcp
JP 45.121.184.21:27029 ext2-tyo3.steamserver.net tcp
JP 45.121.184.20:443 ext1-tyo3.steamserver.net tcp
US 162.254.195.69:27018 cmp1-lax1.steamserver.net tcp
US 162.254.193.103:27018 cmp1-ord1.steamserver.net tcp
IN 155.133.225.21:27034 ext2-maa2.steamserver.net tcp
GB 2.23.210.82:80 e6.o.lencr.org tcp
US 8.8.8.8:53 p2p-ord1.discovery.steamserver.net udp
US 8.8.8.8:53 103.193.254.162.in-addr.arpa udp
US 8.8.8.8:53 p2p-ord1.discovery.steamserver.net udp
US 8.8.8.8:53 ipv6check-udp.steamserver.net udp
US 8.8.8.8:53 ipv6check-http.steamserver.net udp
US 8.8.8.8:53 api.steampowered.com udp
GB 104.82.234.109:443 api.steampowered.com tcp
US 155.133.253.52:443 cmp2-dfw1.steamserver.net tcp
US 155.133.253.36:27018 cmp1-dfw1.steamserver.net tcp
US 155.133.253.52:27018 cmp2-dfw1.steamserver.net tcp
US 162.254.199.165:443 cmp1-atl3.steamserver.net tcp
US 162.254.195.75:443 cmp2-lax1.steamserver.net tcp
US 162.254.195.69:27018 cmp1-lax1.steamserver.net tcp
US 162.254.195.75:27018 cmp2-lax1.steamserver.net tcp
US 162.254.199.184:27018 cmp2-atl3.steamserver.net tcp
US 162.254.199.165:27018 cmp1-atl3.steamserver.net tcp
US 162.254.193.75:443 cmp2-ord1.steamserver.net tcp
US 8.8.8.8:53 cmp2-ams1.steamserver.net udp
NL 155.133.248.43:443 cmp2-ams1.steamserver.net tcp
US 8.8.8.8:53 cmp1-ams1.steamserver.net udp
NL 155.133.248.42:443 cmp1-ams1.steamserver.net tcp
US 8.8.8.8:53 e5.o.lencr.org udp
GB 2.23.210.75:80 e5.o.lencr.org tcp
US 8.8.8.8:53 43.248.133.155.in-addr.arpa udp
US 8.8.8.8:53 42.248.133.155.in-addr.arpa udp
US 8.8.8.8:53 p2p-ams1.discovery.steamserver.net udp
US 8.8.8.8:53 p2p-ams1.discovery.steamserver.net udp
US 8.8.8.8:53 ipv6check-http.steamserver.net udp
US 8.8.8.8:53 api.steampowered.com udp
GB 104.82.234.109:443 api.steampowered.com tcp
HK 103.28.54.101:27021 cmp2-hkg1.steamserver.net tcp
HK 103.28.54.100:27021 cmp1-hkg1.steamserver.net tcp
HK 103.28.54.102:443 cmp3-hkg1.steamserver.net tcp
SG 103.10.124.5:27019 cmp2-sgp1.steamserver.net tcp
SG 103.10.124.5:27018 cmp2-sgp1.steamserver.net tcp
SG 103.10.124.5:443 cmp2-sgp1.steamserver.net tcp
JP 45.121.184.21:27033 ext2-tyo3.steamserver.net tcp
JP 45.121.184.23:27038 ext4-tyo3.steamserver.net tcp
JP 45.121.184.21:443 ext2-tyo3.steamserver.net tcp
US 162.254.195.69:443 cmp1-lax1.steamserver.net tcp
US 162.254.193.103:27018 cmp1-ord1.steamserver.net tcp
US 162.254.192.99:27020 cmp2-iad1.steamserver.net tcp
US 8.8.8.8:53 p2p-ord1.discovery.steamserver.net udp
US 8.8.8.8:53 p2p-ord1.discovery.steamserver.net udp
US 8.8.8.8:53 ipv6check-udp.steamserver.net udp
US 8.8.8.8:53 ipv6check-http.steamserver.net udp
US 8.8.8.8:53 api.steampowered.com udp
GB 104.82.234.109:443 api.steampowered.com tcp
PE 155.133.244.34:27023 ext1-lim1.steamserver.net tcp
PE 155.133.244.50:27034 ext2-lim1.steamserver.net tcp
PE 155.133.244.50:443 ext2-lim1.steamserver.net tcp
CL 155.133.249.164:27021 ext2-scl1.steamserver.net tcp
CL 155.133.249.164:27035 ext2-scl1.steamserver.net tcp
CL 155.133.249.164:443 ext2-scl1.steamserver.net tcp
US 8.8.8.8:53 ext2-eze1.steamserver.net udp
AR 155.133.255.164:27022 ext2-eze1.steamserver.net tcp
AR 155.133.255.164:27033 ext2-eze1.steamserver.net tcp
AR 155.133.255.164:443 ext2-eze1.steamserver.net tcp
US 8.8.8.8:53 ext1-gru1.steamserver.net udp
BR 155.133.227.34:27023 ext1-gru1.steamserver.net tcp
BR 155.133.227.50:27031 ext2-gru1.steamserver.net tcp
US 162.254.192.98:443 cmp1-iad1.steamserver.net tcp
US 8.8.8.8:53 164.255.133.155.in-addr.arpa udp
US 8.8.8.8:53 p2p-iad1.discovery.steamserver.net udp
US 8.8.8.8:53 34.227.133.155.in-addr.arpa udp
US 8.8.8.8:53 p2p-iad1.discovery.steamserver.net udp
US 8.8.8.8:53 ipv6check-udp.steamserver.net udp
US 8.8.8.8:53 ipv6check-http.steamserver.net udp
US 8.8.8.8:53 p2p-iad1.discovery.steamserver.net udp
US 8.8.8.8:53 p2p-iad1.discovery.steamserver.net udp
US 8.8.8.8:53 p2p-iad1.discovery.steamserver.net udp
US 8.8.8.8:53 p2p-iad1.discovery.steamserver.net udp
US 8.8.8.8:53 p2p-iad1.discovery.steamserver.net udp
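
The table above is raw sandbox output, and nearly all of it is noise for a Steam installer run: Steam CM servers on 27018-27038 and 443, Let's Encrypt OCSP on port 80, Chrome's own Google traffic, and the PTR lookups the sandbox issued for each destination. The Python below is an added triage helper, not part of this report or of the sandbox's tooling. It parses the four-column line format shown above (country, ip:port, optional resolved name, transport), buckets each destination by a suffix allow-list that is my assumption of what this sample legitimately talks to, and reports what is left: anything in the "other" bucket, and bare IPs that were never resolved, annotated with whether the table also carries the matching reverse lookup so the analyst knows where to look. The sample lines are copied from the table above.

```python
import re
from collections import defaultdict

# Constructed sample: a dozen lines copied from this report's network table.
# Column order is country, destination ip:port, resolved name (may be absent),
# transport; lines that fail to parse are skipped rather than guessed at.
SAMPLE = """
US 8.8.8.8:443 dns.google tcp
GB 2.23.210.75:80 e5.o.lencr.org tcp
US 8.8.8.8:53 99.192.254.162.in-addr.arpa udp
US 162.254.199.184:27018 cmp2-atl3.steamserver.net tcp
US 155.133.253.36:443 cmp1-dfw1.steamserver.net tcp
US 23.192.21.216:443 store.steampowered.com tcp
US 104.19.230.21:443 udp
US 8.8.8.8:53 21.230.19.104.in-addr.arpa udp
NL 172.217.132.135:443 udp
GB 142.250.200.14:443 google.com tcp
US 216.239.34.157:443 tunnel.googlezip.net tcp
US 151.101.195.52:443 client-update.steamstatic.com tcp
"""

LINE_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<host>\S+))?\s+(?P<proto>tcp|udp)$"
)

# Suffix allow-lists (my assumption) for traffic a Steam install plus Chrome
# is expected to generate. Anything matching none of them is the residual
# the analyst should look at first.
SUFFIXES = {
    "steam": ("steamserver.net", "steampowered.com", "steamstatic.com"),
    "google": ("dns.google", "google.com", "googleapis.com", "gstatic.com",
               "gvt2.com", "googleusercontent.com", "googlezip.net",
               "ytimg.com", "youtube.com"),
    "ocsp": ("lencr.org",),
}


def parse(text):
    rows = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            rows.append(d)
    return rows


def ptr_target(host):
    """'21.230.19.104.in-addr.arpa' -> '104.19.230.21'; None if not a PTR name."""
    if not host or not host.endswith(".in-addr.arpa"):
        return None
    octets = host[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def classify(host):
    if host is None:
        return "unresolved"
    if ptr_target(host):
        return "ptr"
    for label, suffixes in SUFFIXES.items():
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return label
    return "other"


def triage(text):
    rows = parse(text)
    # IPs the sandbox issued a reverse lookup for: the breadcrumb that lets a
    # bare destination IP be tied back to a name elsewhere in the table.
    ptr_seen = {ptr_target(r["host"]) for r in rows if r["host"]} - {None}
    by_class, unresolved = defaultdict(set), {}
    for r in rows:
        label = classify(r["host"])
        if label == "unresolved":
            unresolved[r["ip"]] = r["ip"] in ptr_seen   # True: PTR exists
        elif label != "ptr":
            by_class[label].add(r["host"])
    steam_ports = sorted({r["port"] for r in rows if classify(r["host"]) == "steam"})
    return {"classes": dict(by_class), "unresolved": unresolved,
            "steam_ports": steam_ports}


if __name__ == "__main__":
    result = triage(SAMPLE)
    print("residual:", result["classes"].get("other", set()))
    print("unresolved (ip -> PTR lookup seen):", result["unresolved"])
    print("steam ports:", result["steam_ports"])
```

Run against the full table above, every named destination lands in one of the three buckets; what remains are the few bare IPs with no resolved name, and for most of those the table also contains the corresponding in-addr.arpa query, which is the first thing to correlate before treating an IP as unexplained.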

Files
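
The listing in this section is a flat dump: a path, a blank line, then MD5/SHA1/SHA256/SHA512. The Python below is an added example, not code from the report or the sandbox, that parses that layout into records and flags the things an analyst checks first: digests equal to those of the empty file (a zero-byte log, which the first entry below is), a Zone.Identifier alternate data stream (the Mark of the Web a browser attaches to a download), paths under a Temp\ns*.tmp directory (where NSIS installers unpack their plugin DLLs such as System.dll and nsExec.dll), and paths that appear more than once (rewritten during the run). The Mark-of-the-Web body it compares against, "[ZoneTransfer]\r\nZoneId=3\r\n", and the NSIS directory pattern are my assumptions about common layouts, not something the report states; if a digest does not match, the record simply carries no content label. The sample records are copied from this section.

```python
import hashlib
import re
from collections import Counter

# Constructed sample: six records copied from this report's Files section,
# in its own layout (path, blank line, then "LABEL hexdigest" lines).
SAMPLE = r"""
C:\Users\Admin\AppData\Roaming\Godot\app_userdata\windowkill\logs\godot.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 0cd1be0d2b2b943325c2049f7c732e5a
SHA1 4f234bf5549e24a6dc7afea5332a5d74284c4e86
SHA256 e29f3ea91e3267046f3c1b0c757d66d6b8a3e7102ea5531aabceb026d4730220

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 b05728dcae878c517e0f142898342b86
SHA1 2907853ccb5e805f7c4b6e2fba3da41b5dfa3ed0
SHA256 4e5e1d15037766dbdef30cb9fb84da34f9aa5c12cd149686c8b8de7b8214c467

C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier

MD5 fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1 d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256 eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

C:\Users\Admin\AppData\Local\Temp\nsbDCB7.tmp\System.dll

MD5 a36fbe922ffac9cd85a845d7a813f391
SHA1 f656a613a723cc1b449034d73551b4fcdf0dcf1a
SHA256 fa367ae36bfbe7c989c24c7abbb13482fc20bc35e7812dc377aa1c281ee14cc0

C:\Program Files (x86)\Steam\Steam.exe

MD5 33bcb1c8975a4063a134a72803e0ca16
SHA1 ed7a4e6e66511bb8b3e32cbfb5557ebcb4082b65
SHA256 12222b0908eb69581985f7e04aa6240e928fb08aa5a3ec36acae3440633c9eb1
"""

HASH_LABELS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}


def digests(data):
    return {n: getattr(hashlib, n)(data).hexdigest() for n in ("md5", "sha1", "sha256")}


# Contents worth recognising on sight. The MotW body is the one a browser
# normally writes for an internet download (assumption, not stated by the
# report); a digest mismatch just leaves the record without this label.
KNOWN = {
    "empty-file": digests(b""),
    "motw-zone3": digests(b"[ZoneTransfer]\r\nZoneId=3\r\n"),
}
ADS_RE = re.compile(r"^[A-Za-z]:\\.*:[^\\]+$")                 # drive:\...\file:stream
NSIS_RE = re.compile(r"\\Temp\\ns[0-9A-Za-z]+\.tmp\\", re.I)   # NSIS plugin directory


def parse_files(text):
    """Turn the report layout into [{'path': ..., 'md5': ..., 'sha1': ...}, ...]."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        label, _, value = line.partition(" ")
        if label in HASH_LABELS and cur is not None:
            cur[HASH_LABELS[label]] = value.lower()
        else:                       # any non-hash line starts a new record
            cur = {"path": line}
            records.append(cur)
    return records


def flags_for(rec, path_counts):
    flags = []
    for name, d in KNOWN.items():
        if rec.get("md5") == d["md5"] and rec.get("sha256") == d["sha256"]:
            flags.append(name)
    if ADS_RE.match(rec["path"]):
        flags.append("ads")
    if NSIS_RE.search(rec["path"]):
        flags.append("nsis-plugin")
    if path_counts[rec["path"]] > 1:
        flags.append("rewritten")
    return flags


def triage_files(text):
    recs = parse_files(text)
    counts = Counter(r["path"] for r in recs)
    return [(r["path"], flags_for(r, counts)) for r in recs]


if __name__ == "__main__":
    for path, flags in triage_files(SAMPLE):
        if flags:
            print(f"{', '.join(flags):24} {path}")
```

The "rewritten" flag is informational rather than suspicious on its own: Chrome rewrites Preferences and Local State constantly, which is why they appear so many times below. The flags that change how the run is read are the ADS entry (it tells you SteamSetup.exe was a browser download) and the ns*.tmp plugin DLLs (they tell you the installer is NSIS, so those DLLs are installer machinery, not payload).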

C:\Users\Admin\AppData\Roaming\Godot\app_userdata\windowkill\logs\godot.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\5eba79d4-b2b5-471d-9df7-f813febb613a.down_data

MD5 5683c0028832cae4ef93ca39c8ac5029
SHA1 248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512 aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Temp\scoped_dir3828_726509112\63f1871d-0e71-4e0f-a3a2-ae5b7e070347.tmp

MD5 da75bb05d10acc967eecaac040d3d733
SHA1 95c08e067df713af8992db113f7e9aec84f17181
SHA256 33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2
SHA512 56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

C:\Users\Admin\AppData\Local\Temp\scoped_dir3828_726509112\CRX_INSTALL\_locales\en_CA\messages.json

MD5 558659936250e03cc14b60ebf648aa09
SHA1 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

MD5 4ec1df2da46182103d2ffc3b92d20ca5
SHA1 fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 5bb308a885741e94fc437b494022b87c
SHA1 cb9287ea5b9ca20e027b23f1d08c915c0089a9f4
SHA256 89ff923a7143811740aa91676345247e696a97e93a298afdb2df050f5f689f13
SHA512 deab27afd6feee75e85f3c8a01d10e9fa098a649feac2b3030888245f61fa673c03246eb330ff024b92620053e76fd543fd95192e02b263a2c90d653e728503c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 6abbb46c41926209c96b4ee2ac4b1da2
SHA1 f046cebf09fa0c266cc0ab04a25a5794230c347a
SHA256 b62d5ba0eee2cc2045e3794b0e440450f743bcb645255a730677e26072c91a84
SHA512 e473c25e9c56ba34d80e6aa1b35947fcf7ff974263d5ea6b08547b3976282d4837a99f715a23708d0d163de3609b391ca8117f71d6e73d72c13f9a882ae2072f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 0cd1be0d2b2b943325c2049f7c732e5a
SHA1 4f234bf5549e24a6dc7afea5332a5d74284c4e86
SHA256 e29f3ea91e3267046f3c1b0c757d66d6b8a3e7102ea5531aabceb026d4730220
SHA512 a1208683ee24c75981b0feddb591fd29700b48b3079808be5ec4ce52759e0eb62deb752923e39b29f7b8cd2a837a81b3f869510c86ecdaf0164df6e61cd02326

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 12975ef7d6fc1baf68260db1300f6c47
SHA1 7a75c8da3a9b15f535018525f0f0cabefed514fe
SHA256 86072b64cdb0424c7c7186e4f9ab6d2e9566bbc20621a534579f2fb87e371e15
SHA512 6f1ad0746937cd705d53e1dd7ddd62e384cb5cb07c011037ba2f4f2676f8b778972b336c5b12d7f18343d255dc178443c373cdb44b4ee5e2bac1d9640b147dd2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 3bdb79a6aaee4a39573ad44658f06b29
SHA1 a026582cd05ef89660d5cce014cd5abb68168e30
SHA256 62d8cfcc9d026de2bcc1343ecf1c136cdf3e82105c30ffa41aed6c57709d7e58
SHA512 3a4d386706e2cb43b1831486b51603640e4b4e3d4918b3ca1c823530a270f686fbd1ce903a1f1775a6f962fc623a15f5e292bfff3f674fefd9a538464508d903

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 c71d2d1ac87d67e677f53e2ec283ea34
SHA1 4cfce41c05f4b10b776ddb6fea1013f0686970c5
SHA256 491fa40153a6603c9bc70b830eefe3e5b70e36e0f9973077a217e7431951dea3
SHA512 0ddc63f7b027438ffe6f6f184a0e4fcf8f0ccef22f1dc2b5641439f2691983ccefcd5791c0090ed774da93f360ec7e4b1ab3e489255dd9b8eb9fc4cc78271ac5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 b05728dcae878c517e0f142898342b86
SHA1 2907853ccb5e805f7c4b6e2fba3da41b5dfa3ed0
SHA256 4e5e1d15037766dbdef30cb9fb84da34f9aa5c12cd149686c8b8de7b8214c467
SHA512 5ba153a7efccfba409dd18a189ea5bba3fe9937f033cb442a076c30f46c362ce69f3b7f6d3e09ecbb3489067522f16f7cd385947a81803d91cdcd9bbeb518182

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 6513718bd918479357f0349e78cddf9d
SHA1 fde009be9c30e08f5e5ca37df6848a4901e714dc
SHA256 d33ca72d9f2127ffb1a2a30af8756e2691dcd871526ae2c728472246647cb707
SHA512 8d326a42c43d54c7f709d44f2ab15d3d14d94362806fcc6a1bc8c1205ac4865915510454fad25efc402ce2650e2385fc66f4405a736e186289951ec3307f37bf

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 591e541c0db8afac13cccc3aa7af068b
SHA1 46eb62d00ee710156b151bc6c8067dd9c032f823
SHA256 6ae81170de3c3ca1116a70cc50efb9e67a601d0eabde7b9ebfa8930e4b20e199
SHA512 d747cecca3aa5c8a94850ba91fd750a6e4501a12d2f8afcbd2fca4c8725dcbc15e13eb931e2bbec67e37edcaf3ace5fa05125c920423eefa97ed2b0412fd6c64

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 d9b5c7adaf6dfb0d28ba72953b5b3469
SHA1 3bc7cd3432daa8e04a943ef364d0e636216453b4
SHA256 2f5ea1b7f89422b4c6384fc8feac3dba30198456fb07eff49e399a7f91174821
SHA512 5f99fd510cad02ed239cc94c072c7e2ce52ba327fd1ff2ede9899e4ccb091e32a09c8d1e8d0e6409e94a236a4dcc941c9070bf1a81813264ba179e00f3c46b73

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 58b9a33d291ccd8b4493b323305e6884
SHA1 1a61013856065ab3d2d4fca50fd3fb868b2bcbef
SHA256 d208c91b106682e43b74da0ffb72943a07643407e9087be1bd0b61b9cedf131f
SHA512 c1299996067345b56205c17e56d297a8b17650295f06034176d8b10323f67de4c708bf8a3532ebb3dea44c6dd2ced3b5c2a8ac1a1127d9d7cd9ad6f5053c878e

C:\Users\Admin\Downloads\Unconfirmed 92591.crdownload

MD5 1b54b70beef8eb240db31718e8f7eb5d
SHA1 da5995070737ec655824c92622333c489eb6bce4
SHA256 7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb
SHA512 fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c2f93d0808e7b190018eee253bdcc8f4
SHA1 5e3219d75b0079c646e94977b6d3ecf0af276acf
SHA256 563eccda5f4ce519c14363302c7e777bf4dee1b3d9939eb3ddd3fef1ee5253c9
SHA512 f6fa6b84bdd251c05d71fbb47c1da4c392e7d368805119b64fd06b31599c2d074081e51aa20dd6bad40d55592a9c07afe1fec700341344fe3ccad9b93cde23f4

C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier

MD5 fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1 d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256 eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512 aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 9987a9ebd4ce448275cb5b49c253fd1e
SHA1 3c62a3f6a569aebae29ce9d4866e01125dd2ce93
SHA256 009719e319da0f205acb543b93c121d76960496ed59ffe526d0f9857435aef62
SHA512 34f91d3e005c510d3525555c6dc4a01016bb29580b0869af01c539454213ad1064a6966c8453d88f7e8a3c0d6ddbf355fa25df9afb72b182b929b68c7b8b29ed

C:\Users\Admin\AppData\Local\Temp\nsbDCB7.tmp\System.dll

MD5 a36fbe922ffac9cd85a845d7a813f391
SHA1 f656a613a723cc1b449034d73551b4fcdf0dcf1a
SHA256 fa367ae36bfbe7c989c24c7abbb13482fc20bc35e7812dc377aa1c281ee14cc0
SHA512 1d1b95a285536ddc2a89a9b3be4bb5151b1d4c018ea8e521de838498f62e8f29bb7b3b0250df73e327e8e65e2c80b4a2d9a781276bf2a51d10e7099bacb2e50b

C:\Users\Admin\AppData\Local\Temp\nsbDCB7.tmp\nsDialogs.dll

MD5 4e5bc4458afa770636f2806ee0a1e999
SHA1 76dcc64af867526f776ab9225e7f4fe076487765
SHA256 91a484dc79be64dd11bf5acb62c893e57505fcd8809483aa92b04f10d81f9de0
SHA512 b6f529073a943bddbcb30a57d62216c78fcc9a09424b51ac0824ebfb9cac6cae4211bda26522d6923bd228f244ed8c41656c38284c71867f65d425727dd70162

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 6f169d4c92326d0ddb7b1be6fb406646
SHA1 758b327c4e50f9477e7f8a5b46858ef1dd4bc283
SHA256 62115ae6b2e208ebeb40cb1f02aef3017a77b98e942d64b6b6d15d738c73d8d3
SHA512 3295548f66c6bbfa9c8d76707bae2f46d9632479d8774fa59b196851e693c5f382d2ef4c4a580b224a020128154d94fcec951e45f531546e26193bac5c99f202

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 8b7f3bcfbed98adc6f4331c0b1e73c11
SHA1 d4398cd250b585c28c5316d7f4a8169cd2ba61ae
SHA256 add06fce36eec28c99a9f4c70032ad4ed3166d569281f6a176cb959acc3a84b6
SHA512 12e8280b37a6d9c8fdc1cd0abd76da76343ed45db69a19de519b6c22c3389efb2709d2d50ecd42cd8357351bfc28532209d30cc2f557b8ea0b64487195d588bf

C:\Users\Admin\AppData\Local\Temp\nsbDCB7.tmp\nsProcess.dll

MD5 08072dc900ca0626e8c079b2c5bcfcf3
SHA1 35f2bfa0b1b2a65b9475fb91af31f7b02aee4e37
SHA256 bb6ce83ddaad4f530a66a1048fac868dfc3b86f5e7b8e240d84d1633e385aee8
SHA512 8981da7f225eb78c414e9fb3c63af0c4daae4a78b4f3033df11cce43c3a22fdbf3853425fe3024f68c73d57ffb128cba4d0db63eda1402212d1c7e0ac022353c

C:\Program Files (x86)\Steam\Steam.exe

MD5 33bcb1c8975a4063a134a72803e0ca16
SHA1 ed7a4e6e66511bb8b3e32cbfb5557ebcb4082b65
SHA256 12222b0908eb69581985f7e04aa6240e928fb08aa5a3ec36acae3440633c9eb1
SHA512 13f3a7d6215bb4837ea0a1a9c5ba06a985e0c80979c25cfb526a390d71a15d1737c0290a899f4705c2749982c9f6c9007c1751fef1a97b12db529b2f33c97b49

C:\Users\Admin\AppData\Local\Temp\nsbDCB7.tmp\nsExec.dll

MD5 2095af18c696968208315d4328a2b7fe
SHA1 b1b0e70c03724b2941e92c5098cc1fc0f2b51568
SHA256 3e2399ae5ce16dd69f7e2c71d928cf54a1024afced8155f1fd663a3e123d9226
SHA512 60105dfb1cd60b4048bd7b367969f36ed6bd29f92488ba8cfa862e31942fd529cbc58e8b0c738d91d8bef07c5902ce334e36c66eae1bfe104b44a159b5615ae5

C:\Program Files (x86)\Steam\bin\SteamService.exe

MD5 ba0ea9249da4ab8f62432617489ae5a6
SHA1 d8873c5dcb6e128c39cf0c423b502821343659a7
SHA256 ce177dc8cf42513ff819c7b8597c7be290f9e98632a34ecd868dc76003421f0d
SHA512 52958d55b03e1ddc69afc2f1a02f7813199e4b3bf114514c438ab4d10d5ca83b865ba6090550951c0a43b666c6728304009572212444a27a3f5184663f4b0b8b

C:\Program Files (x86)\Steam\public\steambootstrapper_latam.txt

MD5 7913f3f33839e3af9e10455df69866c2
SHA1 15fa957d0a6a2717027f5b35f4dbe5e0ab8ece25
SHA256 05bc1f4973c6d36002ac1b37ce46b1f941fcb4338282e0ec1ec83fb558d1a88c
SHA512 534e541757d19ee157a268bf7ea358b48015f400542fcfa49cdb547cd652926160f015fe2cf026d9c4996e56ab90ca3899dfd457997d915bf6bc9d7bb00ba804

C:\Program Files (x86)\Steam\public\steambootstrapper_koreana.txt

MD5 202b825d0ef72096b82db255c4e747fa
SHA1 3a3265e5bbaa1d1b774195a3858f29cea75c9e75
SHA256 3d1399f5323a3ece1b1a8b3b31f8fd7f50c3bd319ab3f1c38c6e347452c95314
SHA512 e8fc7cc09f431301d22a07b238179ee053505090e3c4db30ead061513fe7159f1fe8b80efc93f4597fe00f01087bbe0bb2231e13693d72c8def138657cb91566

C:\Program Files (x86)\Steam\public\steambootstrapper_japanese.txt

MD5 7e1d15fc9ba66a868c5c6cb1c2822f83
SHA1 bfe9a25fdc8721d7b76cecb9527a9ba7823dc3d7
SHA256 fc74e26a8baabbe4851109512d85173b75dbf7293d41eb3b92a1957a773c8265
SHA512 0892be14a858cc860766afb1c996b2c355108a7e50971ea3ec00d15069e919a6eb05a61fa839bea3938492c391e274144c5e248f4c204a602bf36adf27e5b406

C:\Program Files (x86)\Steam\public\steambootstrapper_italian.txt

MD5 8958371646901eac40807eeb2f346382
SHA1 55fb07b48a3e354f7556d7edb75144635a850903
SHA256 b01ec64d75fd1fbd00fbeb45a3fb39244911a8b22bb43de4e0c03f205184f585
SHA512 14c5dbb017822336f22bf6779ccd4a66604ddc5f2c3caa24271e96f739fef007754d96844efa422d6682cbcd2d3bc902c36f0f6acb3eb87ed8d7b3f885973554

C:\Program Files (x86)\Steam\public\steambootstrapper_indonesian.txt

MD5 1514d082b672b372cdfb8dd85c3437f1
SHA1 336a01192edb76ae6501d6974b3b6f0c05ea223a
SHA256 3b3c5c615fd82070cc951ab482d3de8cb12df0b3df59fbd11f9d3271fa2fbca4
SHA512 4d41c945ce7c94746875b0dbceb14811d4966de4e97fe047406a304162fde7e1e2a16367fc2e43978e2e5aa66749f036b4444aa2312673c2cc3af296e8b77f55

C:\Program Files (x86)\Steam\public\steambootstrapper_hungarian.txt

MD5 18aaaf5ffcdd21b1b34291e812d83063
SHA1 aa9c7ae8d51e947582db493f0fd1d9941880429f
SHA256 1f45bb7bdfa01424f9237eec60eba35dc7f0dc4e8c2e193fe768fe96d3ff76d5
SHA512 4f3e56d1abe26b56d3f805dc85baaca450c0c7bec57ebcf8a6bb6ebb8588307dad130c83bf792bac76694909a14fd6a4d7d1e9b31e32fba11256343b9fc18154

C:\Program Files (x86)\Steam\public\steambootstrapper_greek.txt

MD5 189ba063d1481528cbd6e0c4afc3abaa
SHA1 40bdd169fcc59928c69eea74fd7e057096b33092
SHA256 c0a7a1df442ac080668762df795c72aa322e9d415c41bd0a4c676a4dc0551695
SHA512 ce59ad9b17bab4de1254e92ce4fe7d8c8242832f62ab382e8f54199a9932cd11b5800cc33895441426373d5210cc74104e0271b721a7e26ed400b716ae4d5903

SHA1 241f23f3cce1747019232f5fa64dae2ab4f15bd3
SHA256 064bb38535616a887db972dbe14fdf083c7b2d4b1ff6e4d88167a874ad7d9d21
SHA512 dfe3940c9d46f9f7342446f669e40512faac22b5534d4c06e0097738fb8b1da8ce8d9091ed9396e7bf6db85fc64e7374293ba778c4c781b30085e57573a732e3

C:\Users\Admin\AppData\Local\Steam\htmlcache\LocalPrefs.json

MD5 1eb430cec635d8a5ae23d40fe38de886
SHA1 78fe62640184152098e35876e6bbc21a50888c58
SHA256 cee3788351177c2c3db56089f9902c3ad760ac814fd77a91f18156cdd0db2e63
SHA512 c456d0621a84939dc85302a376d109dedf55a7a7639f8ab29c8050f4561a582a423f1e73c3f01f0a1989e05f95fdf80e5e61f615636968b2133cdcd962da8bd3

C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\TransportSecurity

MD5 9a2797eea663304ed0bc9b348d9b8c44
SHA1 72ac130778175ce53c84ee1d5435e3459701c73a
SHA256 818402a8bce9f0ebf050d19945d08b9a8b8aea83dd0fc501d6b64a9df09caa9a
SHA512 5ac3a3f901f77acfd0507fa241455adc1cb0c78e2b36ca1a79ecc8ce2800d7679e62708f514a2ee16dc9c798646e2b4e1e3939a710689ab5994afdb9ce496353

memory/27556-13961-0x000000006E450000-0x000000006F791000-memory.dmp

C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index

MD5 83f7221bc57827c23bf96c203ab5cbf6
SHA1 afbbd55b29f1c8d77bf0b0824b937e7106531c47
SHA256 5ec5e2fd5da60f09d65e4b774380dced8a995e8089b9b93359074696c0d75277
SHA512 e0c0c551961019762db024fe2a6da82cf7af49c7adda12086a7dd7d703ebd88494c11ed975be266b916e4e4d1fa2cc981cf8ff2a28cf7f7d9f84d2f8ee2d72da

C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\Network Persistent State

MD5 cd4ad679235cc4849f45a63de192363e
SHA1 3a6c1d999a09b79e7adb14f908a342b3065896f6
SHA256 d5145afdadf9ebe46f51f5dd5df6b33785f9a46246f3473af11d06abd4ce7cb2
SHA512 fc95628e3ca128f4ebedb2fa1244f9b2cc2036a6d8b57f229a8ba56644356b014f0f16ad73fcf03b503c9bab079767b56ba754976624b6c57af9cd501090b434

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 f1c5e89749395283bf81b193869b7076
SHA1 480850ae40f53edd6331f594d0b31a9ff55d787e
SHA256 aa9d5708aa54544918ebfcfc7a4f02e51169fd9043fe85286accdbf5e4e86124
SHA512 63e03f3c6654ffa88aa1f8cf164836dea3931a066159868b0246ef20d77525bd65093142eebf4260da99bcc536fdd258edc97ee3fe8df46c03d821ddbee5f81b

memory/27556-13989-0x000000006E450000-0x000000006F791000-memory.dmp

memory/27556-13990-0x000000006E450000-0x000000006F791000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 78f578ddb1d0d1e652764095b60d420d
SHA1 5be0e1adfc2011662c124ea6bd0dc6690a6b11ab
SHA256 fccee8bc3aef21eb4209a1c3aeae7161a43e818805bb1201840fe6b35c81238e
SHA512 69b77584c080c2126c33079ea44f3e284002cc09e7aeee6b6e151af3d13780f6268993f40f8639e2f4cd8afbc7421f4dd43db03e6cc691f8057c9b862f445487

memory/27556-14000-0x000000006E450000-0x000000006F791000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 6e05997a17a95787f4dcaa0ce65ecd70
SHA1 577fb7fc20d0436f46eea643e6393c8d580f4b8b
SHA256 5958be2cfcffb4d86588004646eb6837352a061d64d8271beca05d9ed80a0df4
SHA512 6f62501ff483f79d8a0dd25ca746e647f270cd219703df3c6f68e0660c8f95f2e5f72e73a2e7e5eb359d59708ec061aad74acf96236526ba36ae8559a1e22ae6

memory/27556-14010-0x000000006E450000-0x000000006F791000-memory.dmp

memory/27556-14011-0x000000006E450000-0x000000006F791000-memory.dmp

C:\Program Files (x86)\Steam\config\config.vdf

MD5 283daa92574548175849e1c26f43a034
SHA1 ddd92123226e3e3f4e08692e65c0a912a8171610
SHA256 1422babdda72cfc5c10d85bb392a805b85e0f88b3f2d64449cc96149f8885679
SHA512 cbdd0b8801378bda9baf30fa4f69448908bece17164319c17f4fa20a3491470f061f37903fe449ab85090aa7d05ea732ac9dc345a962f82dc64be7d19146603b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 2598324c8c9083aece10b4acde14b549
SHA1 2881f6fa88ad0282a2dfbffbc83b61a680b5a14f
SHA256 a6ae08d1c9f4e380b40b30fdeb037baf61b5f3b81abcc81deb22a743219c912d
SHA512 cef1f6015bcc2dd113126f0ffde584070f87523deae058f7bf4c3fb354e4528333d88b4fb5f277f71a82cd8fd88c3c927c24e83c8fa8ef0ecee94413d1549836

memory/27556-14030-0x000000006E450000-0x000000006F791000-memory.dmp

C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\Cache_Data\f_000013

MD5 1d95e2bf44ebb318972a0be7f62c2e4f
SHA1 0a2adf6949449c7e5a35b8618365db84fb822f49
SHA256 d67b3a4ee9bef0835d20d36f3b16e0a332200b8fa88646db78cf8290ccbf24e6
SHA512 00c42870eba476ebbf28ff8978c1db3e957759599fac1a681784736d848bd98cf1d7b7910ce2f1d43b4dcb94504255963ebb762a43790edad19fbb48269fe313

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 83529a612885e55f580f73fb2dcb8b20
SHA1 42543272a9de1a24d6c5abf8765cc0155e5ba1de
SHA256 0216589422838112b23064c68df64fbc76264619f35eaa4b379fed273d397c0e
SHA512 70fda06885992139840486bd022010514866865a4f26809f88e8b05353fea476ed448f246a8525518b0faf68be138b88b94bc73b70b39ee24041cd6b36f93b21

C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\TransportSecurity

MD5 ef685b89bd034850e4987f0b960edea6
SHA1 ce2279dba64fae9d830ec44f261e977b5e67265a
SHA256 d8b210febfe630107d5ef0028f65caafadf1acaf14534c589bbf57772cc5357a
SHA512 c7e54cb754d50a7cbb5798bf15d8e54ab69ba03e60b320112d1097455e4ddef94151507c7c27a1a33ba06da65d1456252be1da0616736fe8191bc7eadaf82f41

C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\Network Persistent State

MD5 599817f2a4cfba71e1a72394c65049d0
SHA1 73f9f659268598aa5d3ea74a2607b63ad951e195
SHA256 90c06760c9888fe8cfb7be14c9be91c9139a64eb0e6cc09f52a062a1b9b16fd3
SHA512 1ba9d620f356f3b018828529b7757ac59894c137e88aea31469de233692ba6fb806afde05870547b139e886f162c1b4d24ff393d7777f13d0fdcf15a54434381

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 e6e5f585743d4575dbab12948b79f8bc
SHA1 dcf083eb6aed53a0c357faea8b81c4b222a34ab9
SHA256 d8aaefe33ea4ddb9e0749655655c6742ba90cdd0d2000a5ecbd6e3a716c28c2c
SHA512 bd2604475aaf115d01d80d3241a4c0cc03663df4741901b61a3609d6131d6a74dea088ecf9d86fedb08d079048fafa7c304998684f879762ea9663128ca869c8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 07c7bd94671fc5c7eb5b2cbc6534e730
SHA1 ec3cfd86e5b1f5ac1e973f2e921fdaca2a710e4e
SHA256 d72be7ee1002369ba39f7544cfce7dbc501208bcf2d4065b3aea609fdad97269
SHA512 d2e491df8d42088f4c0e459e546fe59a0a9b0c73b8999d327527ce844e6583bded1a68049ce936e9fb7b589b15758cf9ae083d97bd3058cbaab32af860cd04fa

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 1c024da58f27ec2a2a5da59ca5cfc058
SHA1 ece1dece80d2b32804369d8d9a6af908c23c7102
SHA256 738a5b1d5f74ea90150e2d55ae65c20577736815efe0e2e6c49ff33a83d85968
SHA512 47efd7fb6e7e28875d0ec12a90833582a36ed52d8617baa671e7ddb8465734902eb056e0c074e2c329792ae9d74e102fa1de0466253828199ca1d52c3feb415a

C:\Program Files (x86)\Steam\config\config.vdf

MD5 0f912a0bb9ca57e583465f1015807e1f
SHA1 445d08aa35c2f68c17c953a2b608ff05254cff68
SHA256 d6f5034f77133de4af66fa9c8ce99d621540ed92a95eeb317d0c8332303f5a25
SHA512 bb30a0ba28b4581e4c483d2187bb3610f5768ae47c18532de2202bf44cc848bb87a6c2419ccb7b2130cbda0422d5809df497c16a1fd08e5a48eb10236ee4f4a2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 20b2bbc00f06e82dcd002e2a0042fef5
SHA1 4db4889bccd3d2d300c6ba9db582877b34454a60
SHA256 cb4ab2c37bbcf09ef5d6ec73d595f769bded9a362080b3fc2cfefe4eaf354942
SHA512 fc5d75691445314eac06c3293c048de92d8c90f4dc574520c658a9f3ced1eeece071bdc5315589065317fbb94a160d4d568a5a14db5b052e6ec1c859f86aa903

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 354eaa8e1f9643ecbd6c576046d0ed7d
SHA1 a43bf9b8eb046cda75e5c2d09fbdc23f408f1255
SHA256 2b94378423574f23d6b369f68e222edaccdae6b26a5b6fc178bc30f4bf88c891
SHA512 26489983fb4155b4d500264201da8dc12593dfff5d534d26c57d7fd0c6e67991d7e04924be12d52814933283726cdff3fc15dfcde5128560845711788a483073

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 155263a1b812f3df370b5be0b974aeef
SHA1 3a8742ace751621ba0ffa12dd86693e57354e921
SHA256 71f41cfaea97b79c695b375bf9d4ab583fb764a7dea445cd7137002a118d7c60
SHA512 41e5765e520f056ddac596414d918d1c91b1d8ae3a97585e53fbef73e22d500ebc26313a576404b317fb37c484cecd0998289f8ef20962546444a29612b4159a

C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\Network Persistent State

MD5 0e83a99121b4de24822e6dd1303d15fe
SHA1 a15a6ae96ebc10881bcb6359cd8aac273529ecc9
SHA256 6206743a260b6b691a7ee627b5fee2e1b800b9297cba7f65b486392c4231d807
SHA512 f7b30c6d3ae56e88d9037367e804531808b21e4583f2397a0c07fa57d796208d26f33ef11df1575a6b3d78d7d928801dd5254667afdeacf8cf4d00f5b3eaa9ea

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 410992e4cd78fe0de0676a014558229e
SHA1 af195ff11ef35f4302e0708ae46b1b9d3afca10f
SHA256 6e2de6a434adf7350a0ee0ce5223652dc6dc6cf30c1981acf512c9a95728670e
SHA512 1dcd0b46dc90a9368bc05474b15dce1a9096f411c20f0f60e2f6611b315c3893c903b8d2950defd9a32159b06c319d2d60479c9d66053204744ce2f328c8e2ea

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 fc5a553fe35438e9bb8b70259d56673d
SHA1 7f77e750a935a7dca33e1247aee3422b77876eb9
SHA256 ca004630578a6e5ef6b80fbf709bdf4a7636e4c127f2c001374a5d12d5b0f2b6
SHA512 a5c63a8aabb231af524bbe29f5b0617cdeade42fc25490ae36d1d1b6e03c7b1ed885458c3cb06b0b576b94a0710e1caaa47ded05a125dd9d453e9af042d3beee

C:\Program Files (x86)\Steam\config\config.vdf

MD5 e935c805f5148931cb0113082872ccff
SHA1 3101463dd9792a055e7b853ce6dd6697c18e672d
SHA256 8dc27cdac8e092b91d60177a9e6a2a0fe0ee0689d236c154cae8dfda8ff14b1c
SHA512 efba2168c3b0d7359e47341a1ca2ada91ec4e44670d69ff2895cbe6cda70e43f33fd8fbfff7f3bf0e1198971827d671f1772d48439e10cba1b0ef7435badd1cc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 bae0522dc59c18facf5faabed18e94f2
SHA1 f53d203f03423579d8efb52e376da014af4d6cac
SHA256 682289495f5f7be3028f9814c6c3f8d522c43fcb810512fd4f96ced2ad2e73df
SHA512 f2fb04f64c36b0aa80597faf03fbf1b44b69fe1506af3d715a9482e85ff47468f1b4356b8439b8f1c92a01c3764708c7209f485bd9713bb56c5d8c6c94eb2746

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 03a6fca61e0b9889b9c3ba4077a69312
SHA1 d08a2e11d6ab636c80a9822a2880439fae443a7a
SHA256 3fde776ed91fc3fc3e0c5b8789d1f807e79679084cb158178f42b8be1478a0e2
SHA512 bbb0c9734387578e53d8009aaf073ebc9bc174ccec7b9ac76c51fd11e9f0d792528487a717a56d880a91d571692dcd160fc19c46355e0eca9b8c8bd321cececf

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 d801270346fc4d9348311e896ef171f0
SHA1 2ea9a721a998f540dcee2ee80951782279a303a1
SHA256 e857e83b90ffed87f3d468b1bb65a23ba31f55ed0c3d08bc7343684e90129894
SHA512 80eb3714adfbaa843604bf82b45e2a389e54581fefb89238198a41e630f57193c08bab91811b794058e2a9c49e81c10343c0f23f2a323e0a1f5f73cd323a29de

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 67d618f689d65d9a48099389a531f825
SHA1 e4491b395d081264da0c5ef4db36a57b33ca7d75
SHA256 7cd2271770fcc8b14c8ee3c368fcd9837c523e471793d0d0c077141a12af28a3
SHA512 134dde54026e45bfda1fa453654f7f3480a604a5c83ee1a2faff37733fcacc8e95b388a3b47efb37500a65113eaceaf3e5ca50f5a5b6ab8511e1ace650700afb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 4326f3111bb7a2ed184c22fa2448e98d
SHA1 201916fc28e609f1d696184fcbdbfda6cda5225c
SHA256 23629d4e9d3f38b40c18ecc5fe5acabe4a8915860496334c603a1e9e1ea4dfd8
SHA512 55757f02148872dae590a61ddd947d8cab6efc318a883db46b3c027090315e1c496e824a778acc373e4fc71744c4a2f5f7dfe4f1e4471485722491a70e227c7d

C:\Program Files (x86)\Steam\config\config.vdf

MD5 a4603c85fb5f9fc3b3559b3c4dd8f5ac
SHA1 6143a4c6a230c528d2e87e7fe270cdd3657b5f15
SHA256 06d5a3bc308b1e10b12602d328cca1c83b0c072d4756bf2ad737ae2931a11386
SHA512 efd89b342cb4d64e7b5cdf840e7b89c238bb453a2c08238f161fe650e40719d750188958815cb73abdd3df56bca6eb4c745c9f64d515b858ad8a556b0e64afcb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 59b34272d6d2a5e8dcb920379eb8b97a
SHA1 beeec5e39624581f6b299c9830f15b27338e1021
SHA256 7d05c25046c13c6fdc2a36cf2fadcdbca8bdd5db340d6d15fcecb51374b31bf4
SHA512 66ef0192a51539342100386a36efcf29a26a78f2d89b51c3e83dbc99c76076af20a09696e7066788ce81d0cf10336301dcbc771a3e125335d89868f61217c14b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c68b773a8fa180721a3543009e6a3b84
SHA1 9f7f66050a15717b5fafa77d92dd9091baf8400a
SHA256 15d0e251de5d79b203a930b592f496369967ef67c63e21d9e463233c203eaa5d
SHA512 18d9ffcff9b5ecbe75106bd59eff65f2af1f82e410ad93d12d6c6261935207a5c915f5e9b23cf305fad999f0e669c4c4f6e2c162035892b7c1b0bb970f7182b4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 8584e6e6f580c290840774da51d2e9ce
SHA1 f8acc32f81131d517afc5458c690df89c4c926b1
SHA256 44e38ff6ae4cdc731021292ea63931a5459d35477ea9acfb320076e99942044a
SHA512 f129d2c4ca8d5e20dd1638fd7fb205495ff9bcfd47e0da04649feeeb54b135d06ed175bc6caf043832c7bc5e0279acf4fd052868dc6a352b859880db6a5ee1b4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 4c8e2fbdaf56087bdfe9f882a5da6082
SHA1 932cfcb805da757bac01024f57f12a5161ee460e
SHA256 cd300ced4be2e8e3af014ca8b7aeff82b1140184c09c25fecb3e09f050806a7b
SHA512 3e9ce7b9fc2198e62f9997efcf8a2a742242a8d4c0d442287be2e5487176a665a8164ec8a66fce0a942f5c2262e49ea1e66e194ec4edbe5477e94b916460d3b1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 4c26ca0ab70bc026490b3c71bd5b0e0e
SHA1 20687ae567481520882d859dbf24243e4e46f14f
SHA256 7c3e09050aeadd39ac31e617b03235167c81925f07fe071e8e297ad115ba90f3
SHA512 ea83843947ecfc35fff8697cab3f9112a56e37188a3b6b47f529bd34ac48595180ab04419d7365a7cda433990d0eaa620d2623a1f106aabb8c76fc589d3ac974

C:\Program Files (x86)\Steam\config\config.vdf

MD5 396cfd6ce74284881967ae2cc9688f59
SHA1 7b5e9b7ea9b9502ec458dac6d85cc012bf72dd77
SHA256 d02d192842a2bbd3567cbfa7ba26986a282f17b754b81f14f84f314aeecbc98e
SHA512 586ebff4a533825283c2a1d378e18f644f83689d4feb91d64044314335afa61f9b24c8e212e61c0ca85cf838502653fc6b2c10cb545d01549ae5890b48d29737

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 dbbd280ee1d1e6d73ed6e15b07251828
SHA1 4549cafa01b4e030a6be4c76d5dc080184bff357
SHA256 a3c37ade2592ff3111b58557aec250af8f0ac875d0b80e1935d33ad14703d524
SHA512 69b7d392da9398b18ee0d7735d611d841c67f16c0b5347adeccca3d5b251ad483d3daaacac84f06888705a8d03fd99fa51e9d14c5bce4b24e060103ab85edfee

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 722d3a1280747d7e2365af84a627fb05
SHA1 02a648756a695d4f8d46a785a2fbdcf135472f17
SHA256 951dcd4e0152c1108cfb9eac32732dce926ce610438aec306b5f4df86e79eb15
SHA512 f188e941737d000b2f15ec0ab95a796903969bfe7f7a6c82099f5b2559d9e67129ad9514d7a11d4364b9c83ef5565d50a983a1f8f507f265339d7ae30a1aff4b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\906f450e-2fd3-4c76-80d7-11707bc3020e.tmp

MD5 cd6bc7859a6b739a4b543085c5a77d41
SHA1 9f22c6cdf4f0bdb0a1527841960b26a0822a2efd
SHA256 b7e8a26eadb7e5bb9b8c04dd8c64523408d88f8e1a76ec47d1ea9254c6dc2db8
SHA512 9addd8812c5315f6f8b68d75cee92be151d4c1afea0d85bf7fd56e0ea88794d448421d2d2fd8dffec2e3d904a89b954e594205f1fa731bd0d5becb1f983f1710

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 a268e09f07c70a3ee9281107ee3e27d8
SHA1 94d22209cdf28988d03d56e156455d1f3961c3b6
SHA256 2c85dbf32b276e5194ab2236fe7b7d4bc3581d466f1190dd1ecf2debfa51637c
SHA512 b8ea76e1f70168b25dce40b3678957540485cd988c3a34bd3f1acd53a10edac0b182327e8ad8827a234a3464db0c756ba1fb66b5323fcbb9d8bdf740a6b8bb2a

C:\Program Files (x86)\Steam\config\config.vdf

MD5 38fb0784ebadb266994ec4564b92a5ed
SHA1 b35b9479199344288aefd9c026abb5ee6a92627b
SHA256 1bea86bb97d0b42ca3ea1ea7aef271861bd1707eb1cd6915aa5237faa6444754
SHA512 c3942a6b0863b044b7f3b768aad29868d5138412224e63da091e43fe0c598fbaad28042b9a6759b44dec72fac2de47b273056546dbacb8f65a37fe1942f0b1b4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 09fbc04ad5e8884a53ce2bcf4bca1c13
SHA1 252d37d89a16d629d5ab8999d0d16d159ff41f7c
SHA256 ad9169788fe02d9e7533c525fe7151de4320fa0720c193ce8f67272e52a64311
SHA512 c3a3ffac07764ad27333671b33f61f67b4c866322930a3437a939b08e96e723cb5d2fc39747e1840504409ed5f75336d19b57ca5253593a357ffe17d744e9b9d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 2c9bb33a555686d93f5ad162310ae500
SHA1 7b12292338d8fead896cdc7535add3f6145c4455
SHA256 8e6139043141f205d93f75f44faf6fc4e06dbb7ec22d3bdda38467f5e21614b3
SHA512 ff75e3d9669b833ca9f36075bfa9358134d7163bba550f3442763c4980ccd5a4e747023b97357466453968318bfa0474e0843604164925c3d6cba46789ae0dc1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 7c26439673e8b7cef2d6e37c19edc273
SHA1 b05048c9eaad8e910c95d18c4312f4247b977467
SHA256 8529f6e35f9561733d6962c749c44eda8927ece71ab6bd218f2b75416ec4a232
SHA512 cd9f8e0224789ad4f649f3f610cdfe80b7014b9d60ab6ec4eaeb426fe1cfe8aed41abb4fb57bff2ba97fd747ff542871a9908b1f857dd4b6421d1dea0b216e8a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c99611c5355762b9e35ff33237eb182e
SHA1 fd12820fa9e5158bd4d630a55e44051fe68b6a68
SHA256 cd6a2d95aa22ee6aad8356faf2b33b20dde4fe8be799d4258f5d93cad2380a81
SHA512 0cf7cbaa7bcabea994f520cacebae443a75780159d06c3ecb92ca0604e609980d945c401a0e1a3ea710312c54c44e079b0265acf1dc8f4f5b4b511e0476ca1cf

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 fa4c988c2eb58e3db8d9bc154e1016e4
SHA1 a784c1d6bbf924adc599f1f3a3b37711e3847e9b
SHA256 d4549f3d25787e30141a617b3c1ffc12e513a4de4fbf772e28b0b82a2bc45bc9
SHA512 72facc328570c9fead7596d3669c108c0eb0ad2c1d300dfaaff2ea45155d54fb73a20808bca072e8ac3d8e09b0a0df109be782b9aa892fa0748992edbd86f2c4

C:\Program Files (x86)\Steam\config\config.vdf

MD5 d0caef7f7b9aa89f73edba2464a37455
SHA1 b6d9822089a710db0db66a0b26ebfd1a83e9048f
SHA256 fbf1716e914f07c797b07c11b66deef8c8771e42af48b11f760a485dc4607368
SHA512 34c2e65876edf8babd53073c48538433914e342c1d432bf7cb015af431c5600c22b0e3ad3deac03963d40782efcebf102b79e5985acc92707179094ce2fd2f43

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 3056e620acc0df36f0925e06099011b7
SHA1 effbc610405c4f931041b48c2ab8f62303b0c9bf
SHA256 556ff6b13f96a027beaca5d950c6b9a45e05ac97120c615f98c4994e4152f948
SHA512 263f9af6e7fc98d3808dc727a2a63a4d83ddfe9ec6b4e6a12692313f7bfcc3958d9f05b9c064a23c2208dd8eb629dfe6d696486d01511f45d4de3ec42f4d84f5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 4c98bba8652639f575a4d1761a7d7b3c
SHA1 3380dac84625e042181f6cfd3439f9fbc4274abb
SHA256 fbbbf4f40cdcf987f9ba0fd8175db55a9f15fde79478cf1c3114c5c9f63caeb9
SHA512 5419f5c44a65612cf455c83d9267853bf3c7c3d9d51d8719ee18d6fb2fbbbf89b15fd609cdc4388cb9e7a21ab17b82c3db7212bdde4c2f3ed43f73b1e841d51c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 bd9261160cddfe83c1a12f98c5f2dacf
SHA1 f13a66ed271f8961e3f82659ca66ee66fdcef353
SHA256 fdbeccfe3ce5870612fa3cb7e197e93ee9587cd807088317a8450472430dc8b4
SHA512 710a65b5eb9225965da1f084f183ea537d5e29fb7ac628312035d0d293d1f234a7ab2c92b59c6161c3bf0352fbb3e2f0637fe2549e5e2b707cc466e74919bfef

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 4e25a7b2fc051bce882ae2da25d95475
SHA1 1dfec78a1e36923dad436dcaf977dae83a663f1c
SHA256 956a45c48aa8ba19aa17f78048de893a769c4be27c95d5ecea17c97a5b9d4cc3
SHA512 02ff8cd3e787563ed9f130598125c89f82eb4c99bf97fc5a3e66f2c7e67b2b308749b8679a9e18d22af38bbfa35013e3561a12c361685c41b59a0ad7e1bb1957

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 364777079b9e3d0a9ee158f8608890b7
SHA1 cb133187b151d1c8d75b34e96ac0864c488919aa
SHA256 c530801d05a9df3e0f42247d5d3c62b422cede2c6013f00c4f8a7e8a8baaf01a
SHA512 91c3e182cef2a67bc2b016b811108f9d3132eee1b691d7beaca02192b0da0d2460e5223b3448ad5216458d945de4552a2334fc790ff6b04d56a5eab7e6b8679a

C:\Program Files (x86)\Steam\config\config.vdf

MD5 c882df34ef59ea49801480f4af2278fc
SHA1 2b7c3b9b817ebd063091e63a5471f483717e21a2
SHA256 da1d09bd61125360cc0d734c8cc51b6f0489d3630cced8fc02efdf0d0522fc66
SHA512 8b443ec917a949639251abb6b32c9a9e045fb24f5fe24816697d77c0d35c2dfd6420722ab8d4a26ccc94ad6b61977b451dfdf11b8bdf9427d0c49e347ee08f37

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 16a5bf652e003f14e125d33ca714f00a
SHA1 5e118f434fb2f48832209e77583c95edc2eccedf
SHA256 51c13dc45e4f77f8d335ffeb9e99696ee9f2ec0fafde6990eeb54195a1a1ed55
SHA512 bdf65063c3c9f8e98d9c4e4b67b04ac595dd19d8088e3865128515f04e3023421b18faf0a62bc01ea540f3ba9658f3bc899ff3aba537bc3c2584dfb390132ae0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 af3aa91b6b4df1b97aec2c68037ea2fb
SHA1 ddfc894e9b2d3246685adaa755d1fbfe553b375d
SHA256 3b19eb9f8ab8d518d3be9e573b48a8be50d7f6de3dc86ec6b24691b3a2b7cd99
SHA512 eeedbe68d66509817fa1513468fe5147aa949ae1931966afc0b845b61d3be6c9ecd8e2d3018dec1eac9c224d266d707543e17c614709a046839e82e86d953b71

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 afa3ad8b67ceeffa71731284b01a56f1
SHA1 995f05e71cf2c99523e2556fe722c0ced07415f2
SHA256 bf5efa929e63b1970fd713d34c70ef1491486939667788e3f5476735c5f246e0
SHA512 010aab995b497260cf9bcfa2245e643f92fd2f4ad11dbbca6e19066f645afc3fc86a6e05fdadab948076500280666a3345e77f9a4e999daed60c9b6235a953bd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 671b4295492750153500b22a8aa9e8b5
SHA1 804d36a3b6c5cd264c3b11072c8d9083041af990
SHA256 8c9d25c42013e4524e047c6e432647a475a61d96b18dbcc07e9920d0e141010b
SHA512 ed15f6840f228f49866dc8bdc197395d575a53cd672152e8c5bd94cbdd7efbd0f4cc20fb6e89c31946ea3770e357b4a69a0ba4efdd5d9673695287f95b2dcc2b

C:\Program Files (x86)\Steam\config\config.vdf

MD5 a01a4a674c3e410629c85d242e944775
SHA1 a620757cfb705700bde3373d589b07c53c9b2726
SHA256 e2741f305eb40e8da1f208b533c2e3ec7ffdbd9fdac092174392b434647cfd9c
SHA512 a6c6a0ceeee1f6b47a3699f9787bac65f6696c3f9e24a7668ac54f178992dd4e9dfa3c8f7c7f130f2374562860daea70b1760cfb2a3901a8146a09de0d8345e1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 5439f946986488333cec9892a40e9fae
SHA1 8262ce74543bac751e9e68c9ccb6a186624268b2
SHA256 0456fe7f8d4099a35478d4e5c60d4d72238ace4bcfa0cd5834bf06a86a3d9dca
SHA512 b21f791e9eb003f757273ed190abc0a208b9ed69e1df266cc63d77457939cd85044ede196bb6103ad3c481dbef80d20b3d9ab25935b3d8d6fd550fba722dbe4b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 b152ade83d2244fae1fe86220ffc800d
SHA1 9eaa662371a520e23f07dcd0bdc1cb343dce4c88
SHA256 c4b87692d6a356d05e6698d0cd87eff819d044bcf38b61330f054da392ec3a16
SHA512 d96f1c940d5b26148b8d9b4ddf8503fef62eb8717b39a5abde11d5e9587c8f96e3d9afbd02cff625b89079f52bbd9bd4e680711cc299f094ba09ef19327ba828

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 cae0dca23717c6d0a7cd83574b4fa796
SHA1 7ed65426bd09c8aa8d5b0f837ee8340900de876e
SHA256 dcb8033efbadd317abe17ff5ea4603dc4fdbe7d5bbb81f071433ec5dde8241fb
SHA512 ae5f76ae5236ffbe8d7b4243ee203e336692708fd42be10793453fcc0088f67c2f436840cec1fc39b84661a57470f9473fecc96985afe7914c934fba74a5940b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 bb568112d8a6f8b2433ea0fe6569677a
SHA1 11e26d561e1745b27a6f6d12a253cf0b0404336a
SHA256 b4e953f8d3b19e4aa5e9039dc994a19cce39fd013024cb68bcf1492da147420d
SHA512 457e21a49c019832dd2c4e4529fe93c20cb24210c32ea94f0760456437e46f975126f156aec49bdbf17628f84aede5c065bb9987785efda679d7b911fb3e4f0b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c2dba38af61dea6998c1a852e21954cc
SHA1 7e85c0c961dfe4eccc52ef6bf1036116fd9b8026
SHA256 6754ec2b3902aebbcd501aba5cf8f503f1cc760cbd2d4a1aba3ac4030acb45d1
SHA512 d5fe16a852e8133676694e0edcd9bb4be396d502d4d8c38962e8083e21720091685c902a30de813223da0fbba67305f3178be55d4e3436a1a977053c7b887bc3

C:\Program Files (x86)\Steam\config\config.vdf

MD5 5bec5b54402b8711dbe50eeb8331b175
SHA1 5b8be5f05cd871c407209deeba771c4a5da13fc5
SHA256 4bbe09a41ddf48af92c4a6d3b9079f214197008a8e14e4e597b3ea3ae50c93b7
SHA512 c59c4637f704dd2d55ade1f6e459cd3be28a42cea24d5900d2a2d568c828de061e617d0bb4aa4eb130ca38b30871506d036327ce31bec61989d7d1e216658e13

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 0f7e4eb4eeeb53b60bcfa2208bbc6bf3
SHA1 631bd9ee1efa5e5037df769e0ef0ebb5be5548a1
SHA256 f66192405ff5ad8a6468021494cbd8271b5ce321ea54d59014290d376cfbeb08
SHA512 b1fc6d9bc67f77cd220007553f54ba35f40246f9e2cd3feeded0ee28fd84545418cd504fff9ee06f16409ec1e8f370634c7122d4aedc52c3e3a51c101ce31d33

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 597feda603d1ca02cc776531bcce7fdf
SHA1 cf12b3f19c4990d3aaf6567028c633feadbe74e0
SHA256 2349aabb439c5a88a52152f78b8df33edc491fc4a9878e6e8eadb17003182526
SHA512 9ab531df508df511df54d67003736118069830ffe61890dc6bb13c62bec0d1f0497a8360cadebd4669fd41003d816d9dbf20c5f12b7265db83bc9e7f787b00ff

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 03063808203ff2847d633d76a662926d
SHA1 430f05f0148f26c83bd68f903f20da33b00dcec2
SHA256 14fc7351a075c89e1e95fafb4b6bb33d6701b47004fe38af2e200199db96a9a3
SHA512 c2ae6df8080864a6ea5371b51efc7531fed79a36a2be65e10285295d0b39ef7ffd71f1bf90ab16fca4308db7c3e448201a91acd2cce2ff2be4d3b6e331b3bfce

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 2610200cacd5e8c281a44ace28a2ca91
SHA1 6436f7a31a37030f205ae25fd1adbdbba0cb6de2
SHA256 77a8d0c46a9c6efd53416c3b14671d263c528b9b2aac2130aedf4111c7dccb3b
SHA512 2c40064a047e0c182ce496c2138a5e70ec19a6b4e2de34fa2313edc80e7c332d75400a073566164e41a36c526b77b2d3effa92143b55672387e4dc6cf48bc02f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 ecaf1595ffaf729748dae5681a0da3de
SHA1 566520b0922e525705da956352a8bc5aa1932073
SHA256 8ce3b345c11699f01353fa711a4a86bad45fb3115d05d422b85867f480fff992
SHA512 3b0141912505d69fd9304d75197a681fe4b71f15cf50e11d52bb7b2327444e9bb3094d98bddc10271576eeca430c2cefb05f0c06e172ddf408dd8f608a9baef2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 385e035c432d3bcb3c81815333848d45
SHA1 96a3d8624f50c132d8b8fa3ac41739d35a1dd3d0
SHA256 c27436a707687ccebd3266e12e65dcfd0365f1e3eef9bb886b15d20237bc03ce
SHA512 d4439d2d638dbac3d1fb9ce82866e9cfc8aec57844a57bb5faf656719c6a765b86d4476411df9a74a8193f6e61756f9adc3b177ad210b9b173922db721574a1b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 3f2c08f9f4b1870e265b7f3565a687ef
SHA1 55d46ab07ffdcf7a482ea0db75b3ae51fd1c0f63
SHA256 a57ab3b3e921128e2000388b968b53a640377ff1dcba41fdd62b4473a2204af5
SHA512 8502b4bf600721ba2070a9ff494d51df7e26c8c951c75e41c8e13f9d26457138f04471f41fd3fa5481c78652a2e522979e36e8911230d523c2177df78b55c57c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 cae114fbf3856e511aeead37d0c4caa8
SHA1 2d67d52f6fd88450cd11d8d2d037f8868d47fd83
SHA256 f354b32f5bea1789806888ca594ba4a360617267d093c3853761230de53d8d0c
SHA512 78b1e05b6253de85461e21ab8f98d85aca2a387297e8a1724a8a40a888e8b6961500d8e91c3037dabc23bb7d19f80ee2e7f004378e14b4d7533596c359d5bfc6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 d5b2dbd08ddbc9a49fe900a79e62755e
SHA1 1767e4f4374088b224a121daa22b22381f1217c4
SHA256 13e48a65a0581dd631333fc5468069a3de4beec27e4e43233141070136eaa1ed
SHA512 722eca16c8a934378a7f085af8636d8acc3dc22b3bfc1bdf30b1308a7d7e9aa8fbfd4050a0cbcbd0d63996722a96020ac446946c69a3d3b1f6268459b379db85

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 791d38806abfc6d4213a3c1522d9668c
SHA1 ed61b4ea631144e4328a4c2dfde8a97c02fd11fa
SHA256 e5965fe92affb32f0445f6f15fcccda5927785c25bccd2109c2c98e5a01149d6
SHA512 73f215d7ce5c8f9e55ba86aaf94533fbcf8bd53cf08ded181e5b8fa815a470156698d0b079acf9c6b6a1ec78e6149d2c98f575a33c0060e1639ec4fcb392ba28

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 ceebc258173205888bcb93775e4a1d58
SHA1 4d21d0f4d92aef91448bec0680a5bb4daf9d1c8c
SHA256 e3c6e46f8e02ab26799367147cbeb9b57f78133951b32fbe5ee1e3174b86ede0
SHA512 52fa9569ee7fa96a54462a1136ab675bf287a2374108c5c9ef29cf1fb5d1cfa5ec496e201a7523dd591148e44842ca7f1ad03ea8b9d0d38b181b91a0e01fd82f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 cd509ae902947d21106b1cb7aec293bf
SHA1 17bd619552ddbb9c81e3dfac8ffd7e501526b19e
SHA256 2f224bc684610b2ab1d4d9e9e1d67b6d6fbcb1c7e49e70dfd65ae8ab609ad22d
SHA512 fd02cae6c410c311618ce322afeea2c1300502528fcbf7b31805062e32581f7d1e565ca331df3be96fa439a0c97516b802acc3197aadd3a519b94121024cbff9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 db3cff168dbe4559888b749fa0227a6f
SHA1 dcee06fcdaa7fb64cf823c96d88a0883a969f557
SHA256 87e15a336a64b4dae26a2cf6b1b5d46b92a946624195405e05952c355fe49a85
SHA512 6001e2ac29a02ffbe2f1efb25afc00db426408eb3c4703cc6c839f6662dd1a789e0f26995fa14009fd3d4dc26ccee8eee7050b81f44cb45d7e3c057f7015e00c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 4a06cb6fdaa64b02024f1f0fab2a407b
SHA1 7b855b614b0b7cf015adb0af39ee4ec080be5952
SHA256 2afe74da803e0f340575a69235857d9824108afb4859337c4e249bf25ff57b9d
SHA512 ac52d6eb576c698ef83583894c62304323d04d7a1c7c469b8cd8bec1ada1ff4876f72c8dac87c188502d1f3c8be2cbf74aeae2027dfc0739cfeed740bc6d9cad

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 528977a7ff77246f7a1f1c85f2ff74dc
SHA1 9c40c9c7f49df408b37b3d33b76dcf7c0fdbbdca
SHA256 cbd4008dbcccdcd80eac090c8cb4ef4913b0909ba544a977089c8f9fe97d7709
SHA512 943d82a8f9686f0fd4f0a45aa52cd5307d6e67a50adcd24d18475f39267ddf38218d62f0b38fc8d74f40bf48451e8c9d74cfa036e7f7abf47a947a3217a679bd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 ff18f74f41a2139622065559fc68c3d6
SHA1 f2e00f9d2e239b16296913c1578e65d12b1ebd88
SHA256 5067730fa589afbfe5d499896fcba96e92e41548f03c0484a36b2c227d0f6e23
SHA512 b256ab85f538899abe84ba371b86f00e85993c54cffd0beb6f9701c84d381ed1bd1a5946ccc2eacd374036f8df5d9349fd3b7e04ed684651d596019a673346b0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 72112b25a3389ecb505361e1a6ef4aa3
SHA1 ec63f30a2918f5b627af794a557f79b9aa3e7965
SHA256 2eb13af892b029f8e5941c90c37dd26a33676fc1c9652b367f72f085b5d7ae52
SHA512 2e11d4e844537e922c8e48a99ae956b1651bab3a2e706d493f24b89afb9f7b2beec38af39fd7bea1396b94f59b5634114086cd1c9b44596ac0d2eda8b859bfe1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 4e7d7c5f45991fae2018d3b1061efc52
SHA1 4548feb47674102715a40ddf14555e3186c90815
SHA256 4ca900ccf9cf668a4ee624b045575ca8b911bd454e17ccb30edd9387731ae068
SHA512 25ca034c22e6b913565df786766380ef9029cdcf36c3bb95f5804b3bc3eb40f2884d61aea10f4c1dcb6e13a9503e7e2aeb13f2315eb90bd022a7dc95d8c8ade4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c121e1eec8896fd4cf440d094aec390b
SHA1 695f2b9f3d09b2ccff6f57ebd52ceb62be6a141f
SHA256 9712a0dbfefa9de8f5dac7b6db84ec589b8622cdd1f96261c73c6b0c08f9eb5f
SHA512 01d3a7b11d240b13c56990ab2332d758fb4fe1548dce72b6f8d2754d4db2ade94fc90c4ab608a724ae5a63cef237cdcafad395255e0d0e8dd01e4ebe6c4baac5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 f0af6a95d74c3e86b0d73b95805b3cfd
SHA1 3d20d11c221249b9d69e46d613f90f7083a1d4cc
SHA256 2dd48a2aa26ac51545dc21f92c41eac33089800ebd440e8d20424f4b1ba8f1be
SHA512 16d289ac3a3d6d532a87504a07b2f493ba16546c47d607e6c9e99dfb1eb3264c4726c116dc51a0dd6f667d8876fad728d7877de4a667246f8f8402482f5e4588

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 1d1396057fd276ad22ad434a5946aab7
SHA1 00a8cb32fe93e268b1929cf9cfc6f86848fb0cbf
SHA256 2f84c54e018b8cd4af8c5cf3f41d62bbca3f137fb7eb03555675b02106075f53
SHA512 f9824c5735202009a26d134993e8fe480c839ea4b36f3e2bbc14e15b1d1438ae91fee77f3203e2f886bcb6bbac35d9ca6ec441d52ce7633631ad800a31f79758

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\a7e25ae4-2f38-4693-94ba-8482414db6f5.tmp

MD5 38e18d54c19a2c25123d1bd9d84978ce
SHA1 c158930fa2676a7d82707be34df79d345d133bae
SHA256 e6cc050218eca8039c9bd5a219bad30ca915a763cdb4ad61ebcda997dcdb584a
SHA512 3b8fd9da654b67c89fef85db44be55e070b7ff288614de83b353fcc114d32183046ec2141d09ed65a5f575b39888898f3ad412bc5dc9ac171f55d49328504f9c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 80adc62efc7a682912b0eae8d7e9fcb6
SHA1 76adb17a24290336a9fbc8e5ecd11650e5b4a026
SHA256 76e54dff6eba052fbc1bbec98ebf70ce2a101123e3a708b056a17e90ed5886f6
SHA512 932ec08608bbd28f6650183a5ba855a329f37acfcf8a5ec5daa0d557b581712cd404c2267dbfcaa432f7539aa29fe3b1b67474aedb9509e20e20a83137ce4dc3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c46b4122ba855cb99422d5ddf9c66c0f
SHA1 f97fb462076fcc44e5dfc37901e84ff2c6bfaca3
SHA256 3f3768c2c6b51d8eda230d739b4dd3533ab59fac02e55909115256b14fb922f4
SHA512 16e2fcc54df148856149bf5f6fc503ba07ed14af552e27b9307f3312738ea70f8aa878afeca0025353d4d5caa5e08790f8722835c4b2e5942c8311b7c57ef739

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 60d190dc9911097a4eaea22a1b788d7f
SHA1 65a94107c2abcde926a919e28bd6876ac02ae3a5
SHA256 abbf560421178663404100ac2100ba5f1407b44032cd4ee120a8c5597ec6cc16
SHA512 99e388277885c2ccd3ca5da8bc1f17b99bcf749dbcb87b36489f39f6c753d3e5532b34f74d4b8a20552c82dafac4f462c397e9a4369e362df7a2c855d221e249

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 6f433ba9f91b219491639d3fe686257b
SHA1 fe60c26f8c684dee7517bcb9d27ea242998ac625
SHA256 96fd2a58696d97647a7a52df0e1d9d2475b9c30f6d5edf7320f79f62b11d53c1
SHA512 df5071e7fd9b928bd8bcda77005321ddc8cebab6c5072f6dcdff8d77df6c71b11b1e4bc21438cfaeadc120b093d7346bcabe04e8c16f099d6b2bfcc569e64bfc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 443cb2510deb8cc9932d3bf4197f6e2a
SHA1 f6effc987cf5a3aa29ce3696b097fe5c8a989702
SHA256 a43127700689cf1538a82a555164d7dba4d0d711e222b0ff132e787a6eff8bc6
SHA512 5b7e3f4d4e82d7b321b2cbbd8d7878bf4d3503caa696234c2135fd9a0a8c1345a00b9ba563c1330faf2f06765e6bbff712ce3a70d936deb35154b001785e4478

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 220bd6d8a9f1d4b01052bcf557ee0223
SHA1 0b2873ab9036275fef755b0580e0c071a1e93326
SHA256 f85c43391c31d216a6e193693f3b4d4f3beaf816239686b095732c5285801e61
SHA512 ace8eab518415f4846e91448ece2f6884f6a1379e1b69eb4e09af01079bc441f2f4f61fb5a7384007bda443426a6518b32c7a4112bc2837abfd74fc6afbdf2d8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 e5b84b6ffbd01d4d3e486b9e5b7b180f
SHA1 8234d447cdedeef9bd56fcb199359ccba7f614fa
SHA256 58d561513a378238d81f4423561981fb74978597895d89665417899e87dbda3e
SHA512 d853b487221e9731a500a1f7282b47286f5502f4aa505f2df994e9c5345fb1bae1af58c4b58a35be1cd5e4322e069f4508fc56ca46baf5b9736557a57ce2182a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 41639ee666534688b24deac6468e37fe
SHA1 2a3240dec70a9a7590283944dbaad197e5672479
SHA256 164a62f62855de3e678980c61bec4503ac84daf1d161864e2525acdd8c7d271f
SHA512 2db8cb7fe2661fc37ed43626342fe4f76de4981b1feb2327112554305da8d4895703a841c15310d986f8d5a7c1111fc2df107648f9456b392bd8b138f1b0b98c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 5beaff1231e70fca5336d723c6e0d091
SHA1 ce97c8d95953123b586cbcba94511b312f4bdd13
SHA256 6086d41fdfb2d9adba9de03ec314a957f73336b9246feda85eb22e1070586213
SHA512 a4628fa6a8ad1f2c58590afa2a06991431e3e10696f9e8a4c17149653f1129b15cf6fe8ecc75226b02d48c76d2e52fff662f8c666287045ac57e8d5818dadea4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 05076fce1cdc0819a9ec5b4dd71cb293
SHA1 e2b69fd31719797fde85655ec906af8c3190afbb
SHA256 87c433a76c2e426d3564c0b0f66284af86afd94241de67fa0018a87b092a22ac
SHA512 14653eaed418851f3d53d82b40e24f34a02b966c4a4286286afc2dc2de19f81e59dd60a299a0f335b50e0bb868cbfe6c25536a7eb241cbe952f982dda5365ec0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 19f7f128e9b0914dc2611476facc7987
SHA1 a5a44ac5d63011498ee4b81b64de87f7c3ccfec6
SHA256 cdb3cfa89d470b8c551655615fa300613a4d0e021a108e6a074e63a6175f97fc
SHA512 0a90262ac51c6c4cf81f71c4c77f77e9568d0f22306d118cdd4a4edecbd371a0af0d2a05b89f6305c0510715eba15b885a50f9d256bf1870cc87f3ed3763d96f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c63e72a13682014b18ed868b62bb8691
SHA1 796beed2b7954b6f914044668f6bdc10ca61f78c
SHA256 af67d0a0e9773008d68902a34f4ac5e4d3d54c579497f6d8a427facefa17161e
SHA512 a18a52270891650650441d2aec9379f4cb64060e62a2a42a265bf769c2dc9c00db98fd669615a0c6adb34f6c25bd705ca8739e1e510f93f562efd48fee3d67a5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 370aab3267d41c63d393640e2d52420b
SHA1 dba88e81b710d3977fc9fd24ea81509f09b22528
SHA256 ab31ec212c3bca6ec0f4e464616bf7330324e45c4ac42436fd5082a7f381ed89
SHA512 8de234c9102cde2bff50f3e1751335944792a76f99ca25c186e38eca0b9be3f5fc34a7dde7b3fa6f8fa45a1d9432a140bd80130c218bc04caf63d3fd1d1f89d3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 73440e53bddac345b8d9be71d0868930
SHA1 be137320c6386967173abc1b19c06697412ac905
SHA256 3addc0c59a217ceb57ca69f674aed14d3b82031930e6ada9417ed1b0c79380e2
SHA512 f6848fab07d98b6d210f60369359cd06d6b3f2746a189896af12bc41d09be056dec5918c8b0715f98980eebd0acf02463e270d2783b640a232e9462df658d8af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 6aca176b3b19e71d2975eee62b923ff4
SHA1 4fd633706cb72f6726c27d71486c53ada89a0f5d
SHA256 ebfb7bac7b5f9adcf19f97fbacc40c035b1f5fa071487c4b4503450079779cd5
SHA512 7c8742c574ab85a0f5655f80422f8ac23ad5a489e9039ac3fa76398999a73b3d8ca2942fdc12e77d9c92b0aef7df14f40ac97892930fe1c8b212545115e25a8e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 1ba106068471154cc7f659cf58a8cf81
SHA1 8e9ff13e507c3c24d18094d82aa2fb18522aa808
SHA256 0ecbad4446ea7e70c8df2da4c2e1214580385e17fb1c945e0301c34eee624c69
SHA512 c5eb38e5fbec6a415d6d8cc68b8b16269d4f0e27f98ad483862d33bdb1ecaa3f55162f06f5eb91b713a160243232d07704140dfd62fa5169ae03298523ac5954

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 8b3f274fecdea63f6ea2e24e37878640
SHA1 f83ec7bfeb7e75aab3349e8285735cc994602da4
SHA256 f5cae31883226c8202deca1b3a7289d7913569ab0958bb6b795b11a69062f57f
SHA512 943473991f388b233d3dc0d2775af5c66b47e42c4c1dc3d6a571738b4a6ed301c9768f6c76150118b4828245eca09159ba02258f532ad36a61d4dbc9ec82673e

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-06 09:02

Reported

2024-11-06 09:35

Platform

win11-20241007-en

Max time kernel

1797s

Max time network

1494s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\vcredist_x86.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\vcredist_x86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656} \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A \??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\vcredist_x86.exe

"C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\vcredist_x86.exe"

\??\c:\1bd0bec39972b19d6bfc30eb\Setup.exe

c:\1bd0bec39972b19d6bfc30eb\Setup.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\1bd0bec39972b19d6bfc30eb\Setup.exe

MD5 006f8a615020a4a17f5e63801485df46
SHA1 78c82a80ebf9c8bf0c996dd8bc26087679f77fea
SHA256 d273460aa4d42f0b5764383e2ab852ab9af6fecb3ed866f1783869f2f155d8be
SHA512 c603ed6f3611eb7049a43a190ed223445a9f7bd5651100a825917198b50c70011e950fa968d3019439afa0a416752517b1c181ee9445e02da3904f4e4b73ce76

\??\c:\1bd0bec39972b19d6bfc30eb\SetupEngine.dll

MD5 84c1daf5f30ff99895ecab3a55354bcf
SHA1 7e25ba36bcc7deed89f3c9568016ddb3156c9c5a
SHA256 7a0d281fa802d615ea1207bd2e9ebb98f3b74f9833bba3cb964ba7c7e0fb67fd
SHA512 e4fb7e4d39f094463fdcdc4895ab2ea500eb51a32b6909cec80a526bbf34d5c0eb98f47ee256c0f0865bf3169374937f047bf5c4d6762779c8ca3332b4103be3

\??\c:\1bd0bec39972b19d6bfc30eb\sqmapi.dll

MD5 3f0363b40376047eff6a9b97d633b750
SHA1 4eaf6650eca5ce931ee771181b04263c536a948b
SHA256 bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c
SHA512 537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8

\??\c:\1bd0bec39972b19d6bfc30eb\DHTMLHeader.html

MD5 cd131d41791a543cc6f6ed1ea5bd257c
SHA1 f42a2708a0b42a13530d26515274d1fcdbfe8490
SHA256 e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb
SHA512 a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

C:\Users\Admin\AppData\Local\Temp\Setup_20241106_090458509.html

MD5 b83b7d0196094cd91dc0b0081d3711ba
SHA1 cd4e7b92f985d0077940c4b985a81b804939f0b2
SHA256 b8ade83dea0111b400bb6f1d29b4ab3c1df03a8b33cd95bb4c605650151b198b
SHA512 d70ddb8d34df2eb19062a16098d94ddc70f1674583c5175329e3a1dab49e2c0d9075900d6cbccfa2f1546327288c94b17f80283bdb9f78359b612a0be2908309

\??\c:\1bd0bec39972b19d6bfc30eb\UiInfo.xml

MD5 812f8d2e53f076366fa3a214bb4cf558
SHA1 35ae734cfb99bb139906b5f4e8efbf950762f6f0
SHA256 0d36a884a8381778bea71f5f9f0fc60cacadebd3f814679cb13414b8e7dbc283
SHA512 1dcc3ef8c390ca49fbcd50c02accd8cc5700db3594428e2129f79feb81e4cbbeef1b4a10628b2cd66edf31a69ed39ca2f4e252ad8aa13d2f793fca5b9a1eaf23

\??\c:\1bd0bec39972b19d6bfc30eb\ParameterInfo.xml

MD5 66590f13f4c9ba563a9180bdf25a5b80
SHA1 d6d9146faeec7824b8a09dd6978e5921cc151906
SHA256 bf787b8c697ce418f9d4c07260f56d1145ca70db1cc4b1321d37840837621e8f
SHA512 aba67c66c2f3d9b3c9d71d64511895f15f696be8be0eedd2d6908e1203c4b0cf318b366f9f3cd9c3b3b8c0770462f83e6eea73e304c43f88d0cbedf69e7c92b3

\??\c:\1bd0bec39972b19d6bfc30eb\1028\LocalizedData.xml

MD5 7fc06a77d9aafca9fb19fafa0f919100
SHA1 e565740e7d582cd73f8d3b12de2f4579ff18bb41
SHA256 a27f809211ea1a2d5224cd01101aa3a59bf7853168e45de28a16ef7ed6acd46a
SHA512 466dcc6a5fb015be1619f5725fa62ca46eb0fb428e11f93fd9d82e5df61c3950b3fb62d4db7746cc4a2be199e5e69eaa30b6f3354e0017cfa14d127fad52f8cf

\??\c:\1bd0bec39972b19d6bfc30eb\1033\LocalizedData.xml

MD5 d642e322d1e8b739510ca540f8e779f9
SHA1 36279c76d9f34c09ebddc84fd33fcc7d4b9a896c
SHA256 5d90345ff74e177f6da8fb6459c1cfcac080e698215ca75feb130d0d1f2a76b9
SHA512 e1e16ae14bc7cc1608e1a08d3c92b6d0518b5fabd27f2c0eb514c87afc3d6192bf7a793a583afc65f1899f03dc419263b29174456e1ec9ab0f0110e0258e0f0d

\??\c:\1bd0bec39972b19d6bfc30eb\1031\LocalizedData.xml

MD5 b83c3803712e61811c438f6e98790369
SHA1 61a0bc59388786ced045acd82621bee8578cae5a
SHA256 2aa6e8d402e44d9ee895b18195f46bf90259de1b6f44efd46a7075b110f2dcd6
SHA512 e020f93e3a082476087e690ad051f1feb210e0915924bb4548cc9f53a7ee2760211890eb6036ce9e5e4a311abc0300e89e25efbbb894c2a621ffbc9d64cc8a38

\??\c:\1bd0bec39972b19d6bfc30eb\1036\LocalizedData.xml

MD5 e382abc19294f779d2833287242e7bc6
SHA1 1ceae32d6b24a3832f9244f5791382865b668a72
SHA256 43f913ff28d677316f560a0f45221f35f27cfaf5fc5bd645974a82dca589edbf
SHA512 06054c8048cade36a3af54f9a07fd8fa5eb4f3228790996d2abea7ee1ee7eb563d46bd54ff97441f9610e778194082c44e66c5f566c9c50a042aba9eb9cae25e

\??\c:\1bd0bec39972b19d6bfc30eb\1040\LocalizedData.xml

MD5 0af948fe4142e34092f9dd47a4b8c275
SHA1 b3d6dd5c126280398d9055f90e2c2c26dbae4eaa
SHA256 c4c7c0ddaa6d6a3a1dc260e9c5a24bdfaa98c427c69e8a65427dd7cac0a4b248
SHA512 d97b5fe2553ca78a3019d53e33d2db80c9fa1cf1d8d2501d9ddf0576c7e6ea38dab754fe4712123abf34b97e10b18fb4bbd1c76d3dacb87b4682e501f93423d9

\??\c:\1bd0bec39972b19d6bfc30eb\1041\LocalizedData.xml

MD5 7fcfbc308b0c42dcbd8365ba62bada05
SHA1 18a0f0e89b36818c94de0ad795cc593d0e3e29a9
SHA256 01e7d24dd8e00b5c333e96d1bb83813e02e96f89aad0c2f28f84551d28abbbe2
SHA512 cd6f912a037e86d9e1982c73f0f8b3c4d5a9a6b5b108a7b89a46e6691e430a7cb55718de9a0c05650bb194c8d4a2e309ad6221d638cfca8e16aa5920881ba649

\??\c:\1bd0bec39972b19d6bfc30eb\1042\LocalizedData.xml

MD5 71dfd70ae141f1d5c1366cb661b354b2
SHA1 c4b22590e6f6dd5d39e5158b831ae217ce17a776
SHA256 cccda55294aeb4af166a8c0449bca2189ddf5aa9a43d5e939dd3803e61738331
SHA512 5000d62f3de41c3fb0ed8a8e9c37dbf4eb427c4f1e3ad3823d4716c6fe62250bac11b7987a302b8a45d91aabcf332457f7aff7d99f15edeffe540639e9440e8a

\??\c:\1bd0bec39972b19d6bfc30eb\1049\LocalizedData.xml

MD5 0eeb554d0b9f9fcdb22401e2532e9cd0
SHA1 08799520b72a1ef92ac5b94a33509d1eddf6caf8
SHA256 beef0631c17a4fb1ff0b625c50c6cb6c8ce90a1ae62c5e60e14bf3d915ad509c
SHA512 2180e46a5a2ea1f59c879b729806ca02a232c66660f29c338c1fa7fbee2afa4b13d8777d1f7b63cf831eb42f3e55282d70aa8e53f40616b8a6e4d695c36e313d

\??\c:\1bd0bec39972b19d6bfc30eb\3082\LocalizedData.xml

MD5 5397a12d466d55d566b4209e0e4f92d3
SHA1 fcffd8961fb487995543fc173521fdf5df6e243b
SHA256 f124d318138ff084b6484deb354cca0f72296e1341bf01169792b3e060c89e89
SHA512 7708f5a2ad3e4c90c4c216600435af87a1557f60caf880a3dd9b5f482e17399af9f0b9de03ff1dbdd210583e0fec5b466e35794ac24d6d37f9bbc094e52fc77b

\??\c:\1bd0bec39972b19d6bfc30eb\2052\LocalizedData.xml

MD5 52b1dc12ce4153aa759fb3bbe04d01fc
SHA1 bf21f8591c473d1fce68a9faf1e5942f486f6eba
SHA256 d1735c8cfd8e10ba019d70818c19fa865e7c72f30ab6421a3748408f85fb96c3
SHA512 418903ae9a7baebf73d055e4774ff1917fbaab9ee7ed8c120c34bb10e7303f6dd7b7dae701596d4626387a30ae1b4d329a9af49b8718b360e2ff619c56c19623

\??\c:\1bd0bec39972b19d6bfc30eb\SetupUi.dll

MD5 eb881e3dddc84b20bd92abcec444455f
SHA1 e2c32b1c86d4f70e39de65e9ebc4f361b24ff4a1
SHA256 11565d97287c01d22ad2e46c78d8a822fa3e6524561d4c02dfc87e8d346c44e7
SHA512 5750cec73b36a3f19bfb055f880f3b6498a7ae589017333f6272d26f1c72c6f475a3308826268a098372bbb096b43fbd1e06e93eecc0a81046668228bc179a75

\??\c:\1bd0bec39972b19d6bfc30eb\SetupUi.xsd

MD5 2fadd9e618eff8175f2a6e8b95c0cacc
SHA1 9ab1710a217d15b192188b19467932d947b0a4f8
SHA256 222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093
SHA512 a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca

\??\c:\1bd0bec39972b19d6bfc30eb\1033\SetupResources.dll

MD5 9547d24ac04b4d0d1dbf84f74f54faf7
SHA1 71af6001c931c3de7c98ddc337d89ab133fe48bb
SHA256 36d0159ed1a7d88000737e920375868765c0a1dd6f5a5acbb79cf7d97d9e7a34
SHA512 8b6048f4185a711567679e2de4789407077ce5bfe72102d3cb1f23051b8d3e6bfd5886c801d85b4e62f467dd12da1c79026a4bc20b17f54c693b2f24e499d40f

\??\c:\1bd0bec39972b19d6bfc30eb\Strings.xml

MD5 332adf643747297b9bfa9527eaefe084
SHA1 670f933d778eca39938a515a39106551185205e9
SHA256 e49545feeae22198728ad04236e31e02035af7cc4d68e10cbecffd08669cbeca
SHA512 bea95ce35c4c37b4b2e36cc1e81fc297cc4a8e17b93f10423a02b015ddb593064541b5eb7003560fbeee512ed52869a113a6fb439c1133af01f884a0db0344b0

memory/2168-97-0x0000000002E50000-0x0000000002E51000-memory.dmp

\??\c:\1bd0bec39972b19d6bfc30eb\graphics\print.ico

MD5 7e55ddc6d611176e697d01c90a1212cf
SHA1 e2620da05b8e4e2360da579a7be32c1b225deb1b
SHA256 ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed
SHA512 283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e

\??\c:\1bd0bec39972b19d6bfc30eb\graphics\stop.ico

MD5 5dfa8d3abcf4962d9ec41cfc7c0f75e3
SHA1 4196b0878c6c66b6fa260ab765a0e79f7aec0d24
SHA256 b499e1b21091b539d4906e45b6fdf490d5445256b72871aece2f5b2562c11793
SHA512 69a13d4348384f134ba93c9a846c6760b342e3a7a2e9df9c7062088105ac0b77b8a524f179efb1724c0ce168e01ba8bb46f2d6fae39cabe32cab9a34fc293e4a

\??\c:\1bd0bec39972b19d6bfc30eb\graphics\setup.ico

MD5 3d25d679e0ff0b8c94273dcd8b07049d
SHA1 a517fc5e96bc68a02a44093673ee7e076ad57308
SHA256 288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f
SHA512 3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255

\??\c:\1bd0bec39972b19d6bfc30eb\graphics\save.ico

MD5 7d62e82d960a938c98da02b1d5201bd5
SHA1 194e96b0440bf8631887e5e9d3cc485f8e90fbf5
SHA256 ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5
SHA512 ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67

memory/2168-102-0x0000000002E50000-0x0000000002E51000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-06 09:02

Reported

2024-11-06 09:35

Platform

win11-20241007-en

Max time kernel

1467s

Max time network

1492s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\vcredist_x64.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\d1be4c58693ed0466e86\Setup.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\vcredist_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\d1be4c58693ed0466e86\Setup.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\d1be4c58693ed0466e86\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz \??\c:\d1be4c58693ed0466e86\Setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\vcredist_x64.exe

"C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\vcredist_x64.exe"

\??\c:\d1be4c58693ed0466e86\Setup.exe

c:\d1be4c58693ed0466e86\Setup.exe

Network

Country Destination Domain Proto
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\d1be4c58693ed0466e86\Setup.exe

MD5 006f8a615020a4a17f5e63801485df46
SHA1 78c82a80ebf9c8bf0c996dd8bc26087679f77fea
SHA256 d273460aa4d42f0b5764383e2ab852ab9af6fecb3ed866f1783869f2f155d8be
SHA512 c603ed6f3611eb7049a43a190ed223445a9f7bd5651100a825917198b50c70011e950fa968d3019439afa0a416752517b1c181ee9445e02da3904f4e4b73ce76

\??\c:\d1be4c58693ed0466e86\SetupEngine.dll

MD5 84c1daf5f30ff99895ecab3a55354bcf
SHA1 7e25ba36bcc7deed89f3c9568016ddb3156c9c5a
SHA256 7a0d281fa802d615ea1207bd2e9ebb98f3b74f9833bba3cb964ba7c7e0fb67fd
SHA512 e4fb7e4d39f094463fdcdc4895ab2ea500eb51a32b6909cec80a526bbf34d5c0eb98f47ee256c0f0865bf3169374937f047bf5c4d6762779c8ca3332b4103be3

C:\d1be4c58693ed0466e86\sqmapi.dll

MD5 3f0363b40376047eff6a9b97d633b750
SHA1 4eaf6650eca5ce931ee771181b04263c536a948b
SHA256 bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c
SHA512 537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8

\??\c:\d1be4c58693ed0466e86\DHTMLHeader.html

MD5 cd131d41791a543cc6f6ed1ea5bd257c
SHA1 f42a2708a0b42a13530d26515274d1fcdbfe8490
SHA256 e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb
SHA512 a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

C:\Users\Admin\AppData\Local\Temp\HFI8619.tmp.html

MD5 7eb5b3f8c2ef12b0b3e97223cf378432
SHA1 2f600b54fc828253d7fda828fe79892c05abd66f
SHA256 eb346fb7bcd69ea4589aa095fb1725a08ac360f4ece6feb81f8f5c1c50e8f066
SHA512 169d4898e04b75ba790de8075f523ee6e8c178655851d4f42e5452e624c2a562c1155fce707e71476b4abafdd0ceec2308720ecdd370363a50bb682e9250f232

\??\c:\d1be4c58693ed0466e86\UiInfo.xml

MD5 812f8d2e53f076366fa3a214bb4cf558
SHA1 35ae734cfb99bb139906b5f4e8efbf950762f6f0
SHA256 0d36a884a8381778bea71f5f9f0fc60cacadebd3f814679cb13414b8e7dbc283
SHA512 1dcc3ef8c390ca49fbcd50c02accd8cc5700db3594428e2129f79feb81e4cbbeef1b4a10628b2cd66edf31a69ed39ca2f4e252ad8aa13d2f793fca5b9a1eaf23

\??\c:\d1be4c58693ed0466e86\ParameterInfo.xml

MD5 03e01a43300d94a371458e14d5e41781
SHA1 c5ac3cd50fae588ff1c258edae864040a200653c
SHA256 19de712560e5a25c5d67348996e7d4f95e8e3db6843086f52cb7209f2098200a
SHA512 e271d52264ff979ae429a4053c945d7e7288f41e9fc6c64309f0ab805cec166c825c2273073c4ef9ca5ab33f00802457b17df103a06cbc35c54642d146571bbb

\??\c:\d1be4c58693ed0466e86\1033\LocalizedData.xml

MD5 5486ff60b072102ee3231fd743b290a1
SHA1 d8d8a1d6bf6adf1095158b3c9b0a296a037632d0
SHA256 5ca3ecaa12ca56f955d403ca93c4cb36a7d3dcdea779fc9bdaa0cdd429dab706
SHA512 ae240eaac32edb18fd76982fc01e03bd9c8e40a9ec1b9c42d7ebd225570b7517949e045942dbb9e40e620aa9dcc9fbe0182c6cf207ac0a44d7358ad33ba81472

\??\c:\d1be4c58693ed0466e86\1028\LocalizedData.xml

MD5 12df3535e4c4ef95a8cb03fd509b5874
SHA1 90b1f87ba02c1c89c159ebf0e1e700892b85dc39
SHA256 1c8132747dc33ccdb02345cbe706e65089a88fe32cf040684ca0d72bb9105119
SHA512 c6c8887e7023c4c1cbf849eebd17b6ad68fc14607d1c32c0d384f951e07bfaf6b61e0639f4e5978c9e3e1d52ef8a383b62622018a26fa4066eb620f584030808

\??\c:\d1be4c58693ed0466e86\1031\LocalizedData.xml

MD5 b13ff959adc5c3e9c4ba4c4a76244464
SHA1 4df793626f41b92a5bc7c54757658ce30fdaeeb1
SHA256 44945bc0ba4be653d07f53e736557c51164224c8ec4e4672dfae1280260ba73b
SHA512 de78542d3bbc4c46871a8afb50fb408a59a76f6ed67e8be3cba8ba41724ea08df36400e233551b329277a7a0fe6168c5556abe9d9a735f41b29a941250bfc4d6

\??\c:\d1be4c58693ed0466e86\1036\LocalizedData.xml

MD5 4ce519f7e9754ec03768edeedaeed926
SHA1 213ae458992bf2c5a255991441653c5141f41b89
SHA256 bc4ca5ad609f0dd961263715e1f824524c43e73b744e55f90c703b759cae4d31
SHA512 8f2ff08a234d8e2e6ba85de3cd1c19a0b372d9fca4ff0fc1bba7fe7c5a165e933e2af5f93fc587e9230a066b70fb55d9f58256db509cc95a3b31d349f860f510

\??\c:\d1be4c58693ed0466e86\1040\LocalizedData.xml

MD5 fe6b23186c2d77f7612bf7b1018a9b2a
SHA1 1528ec7633e998f040d2d4c37ac8a7dc87f99817
SHA256 03bbe1a39c6716f07703d20ed7539d8bf13b87870c2c83ddda5445c82953a80a
SHA512 40c9c9f3607cab24655593fc4766829516de33f13060be09f5ee65578824ac600cc1c07fe71cdd48bff7f52b447ff37c0d161d755a69ac7db7df118da6db7649

\??\c:\d1be4c58693ed0466e86\1041\LocalizedData.xml

MD5 6f86b79dbf15e810331df2ca77f1043a
SHA1 875ed8498c21f396cc96b638911c23858ece5b88
SHA256 f0f9dd1a9f164f4d2e73b4d23cc5742da2c39549b9c4db692283839c5313e04f
SHA512 ca233a6bf55e253ebf1e8180a326667438e1124f6559054b87021095ef16ffc6b0c87361e0922087be4ca9cabd10828be3b6cc12c4032cb7f2a317fdbd76f818

\??\c:\d1be4c58693ed0466e86\1042\LocalizedData.xml

MD5 e87ad0b3bf73f3e76500f28e195f7dc0
SHA1 716b842f6fbf6c68dc9c4e599c8182bfbb1354dc
SHA256 43b351419b73ac266c4b056a9c3a92f6dfa654328163814d17833a837577c070
SHA512 d3ea8655d42a2b0938c2189ceeab25c29939c302c2e2205e05d6059afc2a9b2039b21c083a7c17da1ce5eebdc934ff327a452034e2e715e497bcd6239395774c

\??\c:\d1be4c58693ed0466e86\1049\LocalizedData.xml

MD5 1290be72ed991a3a800a6b2a124073b2
SHA1 dac09f9f2ccb3b273893b653f822e3dfc556d498
SHA256 6ba9a2e4a6a58f5bb792947990e51babd9d5151a7057e1a051cb007fea2eb41c
SHA512 c0b8b4421fcb2aabe2c8c8773fd03842e3523bf2b75d6262fd8bd952adc12c06541bdae0219e89f9f9f8d79567a4fe4dff99529366c4a7c5bf66c218431f3217

\??\c:\d1be4c58693ed0466e86\2052\LocalizedData.xml

MD5 150b5c3d1b452dccbe8f1313fda1b18c
SHA1 7128b6b9e84d69c415808f1d325dd969b17914cc
SHA256 6d4eb9dca1cbcd3c2b39a993133731750b9fdf5988411f4a6da143b9204c01f2
SHA512 a45a1f4f19a27558e08939c7f63894ff5754e6840db86b8c8c68d400a36fb23179caff164d8b839898321030469b56446b5a8efc5765096dee5e8a746351e949

\??\c:\d1be4c58693ed0466e86\3082\LocalizedData.xml

MD5 05a95593c61c744759e52caf5e13502e
SHA1 0054833d8a7a395a832e4c188c4d012301dd4090
SHA256 1a3e5e49da88393a71ea00d73fee7570e40edb816b72622e39c7fcd09c95ead1
SHA512 00aee4c02f9d6374560f7d2b826503aab332e1c4bc3203f88fe82e905471ec43f92f4af4fc52e46f377e4d297c2be99daf94980df2ce7664c169552800264fd3

\??\c:\d1be4c58693ed0466e86\SetupUi.dll

MD5 eb881e3dddc84b20bd92abcec444455f
SHA1 e2c32b1c86d4f70e39de65e9ebc4f361b24ff4a1
SHA256 11565d97287c01d22ad2e46c78d8a822fa3e6524561d4c02dfc87e8d346c44e7
SHA512 5750cec73b36a3f19bfb055f880f3b6498a7ae589017333f6272d26f1c72c6f475a3308826268a098372bbb096b43fbd1e06e93eecc0a81046668228bc179a75

\??\c:\d1be4c58693ed0466e86\SetupUi.xsd

MD5 2fadd9e618eff8175f2a6e8b95c0cacc
SHA1 9ab1710a217d15b192188b19467932d947b0a4f8
SHA256 222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093
SHA512 a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca

\??\c:\d1be4c58693ed0466e86\1033\SetupResources.dll

MD5 9547d24ac04b4d0d1dbf84f74f54faf7
SHA1 71af6001c931c3de7c98ddc337d89ab133fe48bb
SHA256 36d0159ed1a7d88000737e920375868765c0a1dd6f5a5acbb79cf7d97d9e7a34
SHA512 8b6048f4185a711567679e2de4789407077ce5bfe72102d3cb1f23051b8d3e6bfd5886c801d85b4e62f467dd12da1c79026a4bc20b17f54c693b2f24e499d40f

\??\c:\d1be4c58693ed0466e86\Strings.xml

MD5 332adf643747297b9bfa9527eaefe084
SHA1 670f933d778eca39938a515a39106551185205e9
SHA256 e49545feeae22198728ad04236e31e02035af7cc4d68e10cbecffd08669cbeca
SHA512 bea95ce35c4c37b4b2e36cc1e81fc297cc4a8e17b93f10423a02b015ddb593064541b5eb7003560fbeee512ed52869a113a6fb439c1133af01f884a0db0344b0

memory/4080-97-0x0000000002E60000-0x0000000002E61000-memory.dmp

\??\c:\d1be4c58693ed0466e86\graphics\setup.ico

MD5 3d25d679e0ff0b8c94273dcd8b07049d
SHA1 a517fc5e96bc68a02a44093673ee7e076ad57308
SHA256 288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f
SHA512 3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255

\??\c:\d1be4c58693ed0466e86\graphics\stop.ico

MD5 5dfa8d3abcf4962d9ec41cfc7c0f75e3
SHA1 4196b0878c6c66b6fa260ab765a0e79f7aec0d24
SHA256 b499e1b21091b539d4906e45b6fdf490d5445256b72871aece2f5b2562c11793
SHA512 69a13d4348384f134ba93c9a846c6760b342e3a7a2e9df9c7062088105ac0b77b8a524f179efb1724c0ce168e01ba8bb46f2d6fae39cabe32cab9a34fc293e4a

\??\c:\d1be4c58693ed0466e86\graphics\print.ico

MD5 7e55ddc6d611176e697d01c90a1212cf
SHA1 e2620da05b8e4e2360da579a7be32c1b225deb1b
SHA256 ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed
SHA512 283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e

\??\c:\d1be4c58693ed0466e86\graphics\save.ico

MD5 7d62e82d960a938c98da02b1d5201bd5
SHA1 194e96b0440bf8631887e5e9d3cc485f8e90fbf5
SHA256 ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5
SHA512 ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-06 09:02

Reported

2024-11-06 09:34

Platform

win11-20241007-en

Max time kernel

1467s

Max time network

1498s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_settings\force_steamid.txt

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3856 wrote to memory of 3024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE
PID 3856 wrote to memory of 3024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_settings\force_steamid.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_settings\force_steamid.txt

Network

Country Destination Domain Proto
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-06 09:02

Reported

2024-11-06 09:34

Platform

win11-20241007-en

Max time kernel

1474s

Max time network

1490s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\oalinst.exe"

Signatures

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\OpenAL32.new C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\oalinst.exe N/A
File created C:\Windows\system32\wrap_oal.new C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\oalinst.exe N/A
File opened for modification C:\Windows\SysWOW64\tmpAA6B.tmp C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\oalinst.exe N/A
File opened for modification C:\Windows\SysWOW64\tmpAA7B.tmp C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\oalinst.exe N/A
File opened for modification C:\Windows\SysWOW64\tmp923D.tmp C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\oalinst.exe N/A
File opened for modification C:\Windows\SysWOW64\tmp923E.tmp C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\oalinst.exe N/A
File created C:\Windows\SysWOW64\OpenAL32.new C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\oalinst.exe N/A
File created C:\Windows\SysWOW64\wrap_oal.new C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\oalinst.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\OpenAL\oalinst.exe C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\oalinst.exe N/A
File opened for modification C:\Program Files (x86)\OpenAL\oalinst.exe C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\oalinst.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\oalinst.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\oalinst.exe

"C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\oalinst.exe"

Network

Country Destination Domain Proto
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp

Files

C:\Windows\SysWOW64\tmpAA7B.tmp

MD5 694f54bd227916b89fc3eb1db53f0685
SHA1 21fdc367291bbef14dac27925cae698d3928eead
SHA256 b8f39714d41e009f75efb183c37100f2cbabb71784bbd243be881ac5b42d86fd
SHA512 55bc0de75a7f27f11eb8f4ee8c9934dfe1acd044d8b7b2151c506bdcbead3ab179df7023f699c9139c77541bbc4b1c0657e93c34a6bc4309b665c6cb7636a7e5

C:\Windows\SysWOW64\OpenAL32.dll

MD5 235355a8dd26903e75d5e812ecf50e53
SHA1 8316319341a0f9054e19e4a7b21df3dc49386fee
SHA256 1797d150a2e23af4f390f5c33eb598c6f58d0454011d74941f5316add900bbdd
SHA512 5beb9343028790f993d0acb1007fd112b7e2ef6f9fbedfdb62b0140d2bbadf3b6368417ea19edb0bc8674d19418e5784fef4430ce1c329de8e83c304706d39ac

C:\Windows\SysWOW64\wrap_oal.new

MD5 d494267bc169604fac5e3679b9a97fed
SHA1 c093ce5a4f7dc40f7f604945bd1facfb2c805c4b
SHA256 a4e46e6d09c4b0966824a2f6628ebf738e813672692a52a0d63d982e1030ef4f
SHA512 7cfcfb570ecfa974054b5285c7d6ad3bccf502866ea70789750c3748394cb0991d1fa6dec9c50a506dbc697953663ec2605277a4451098bb8cd6699c4e506040

C:\Windows\System32\OpenAL32.new

MD5 2ad7b4f3c8d2bb686d231edff404b7a4
SHA1 f29676b96d04bd2765925a3834d9babfdce6a0b3
SHA256 87802322c8e63555c26fe473ce234ce7099745ccb28c02766c2224c726454039
SHA512 51a6c8cfe30e34c37437e6c5f8c602aa0759b65559a82521e2dbcf8a9865b826077854acb6497df6085d67b4c66083ae5f0f192b743a4b6f77ce7b18f01bf528

C:\Windows\System32\wrap_oal.new

MD5 549347bcd4aacd63243d78e8f869dbb1
SHA1 efc00d2a7c5acfe17b8a58023826e6840aef39a6
SHA256 5379373cf3eff41cdd8c912c65e27e1bd492bd84238d19a093aa846c9b1ce909
SHA512 c6789376d05deb8c5050225c37c023055c107a72b49afddfd3f91e7e7429d38db9346e2e5d38986c2000c3828389cfbe5d74d80423a79eebd0367bcc81137cd5

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-06 09:02

Reported

2024-11-06 09:34

Platform

win11-20241007-en

Max time kernel

1358s

Max time network

1159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\vcredist_2015-2019_x64.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Temp\{DE82871D-8CA9-42CA-BF4F-4DE1CE8D40CB}\.cr\vcredist_2015-2019_x64.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Temp\{DE82871D-8CA9-42CA-BF4F-4DE1CE8D40CB}\.cr\vcredist_2015-2019_x64.exe N/A

Checks installed software on the system

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\vcredist_2015-2019_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\{DE82871D-8CA9-42CA-BF4F-4DE1CE8D40CB}\.cr\vcredist_2015-2019_x64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\vcredist_2015-2019_x64.exe

"C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\vcredist_2015-2019_x64.exe"

C:\Windows\Temp\{DE82871D-8CA9-42CA-BF4F-4DE1CE8D40CB}\.cr\vcredist_2015-2019_x64.exe

"C:\Windows\Temp\{DE82871D-8CA9-42CA-BF4F-4DE1CE8D40CB}\.cr\vcredist_2015-2019_x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\vcredist_2015-2019_x64.exe" -burn.filehandle.attached=560 -burn.filehandle.self=556

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Windows\Temp\{DE82871D-8CA9-42CA-BF4F-4DE1CE8D40CB}\.cr\vcredist_2015-2019_x64.exe

MD5 843288fd72a1152b50b4e4b7344bb592
SHA1 648416c53721a85666abaf71c6682fcc1da70b48
SHA256 82c3e3423e48bafcdd726624eb7fd3e00674e50e4b6acdcac408fe8fae43b022
SHA512 04b61bb0a6e748ab78b1037db68bc9ec1745bb3efaca0b8fb6d99e01abbe08a67168cbf3f714b72daf00da26084ec6f6f707c3cd08fa8243023e6924719a4e41

C:\Windows\Temp\{38B81693-3D30-43AE-B086-27734147D4A2}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

C:\Windows\Temp\{38B81693-3D30-43AE-B086-27734147D4A2}\.ba\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-06 09:02

Reported

2024-11-06 09:35

Platform

win11-20241007-en

Max time kernel

1453s

Max time network

1477s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\godotsteam.x86_64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\godotsteam.x86_64.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-06 09:02

Reported

2024-11-06 09:34

Platform

win11-20241007-en

Max time kernel

1463s

Max time network

1479s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_settings\steam_appid.txt

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3272 wrote to memory of 3696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE
PID 3272 wrote to memory of 3696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_settings\steam_appid.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_settings\steam_appid.txt

Network

Country Destination Domain Proto
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-06 09:02

Reported

2024-11-06 09:34

Platform

win11-20241007-en

Max time kernel

1494s

Max time network

1502s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\dxwebsetup.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\dxwebsetup.exe N/A
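
The RunOnce value above has the exact shape that the Windows IExpress/wextract self-extractor writes for its own cleanup: a value named wextract_cleanupN whose data is rundll32.exe advpack.dll,DelNodeRunDLL32 "<extraction dir>", where the extraction dir is the IXP000.TMP folder dxwebsetup.exe unpacked itself into. It deletes that folder at next logon and, being RunOnce, is removed after it runs, so it does not keep anything from this sample running. The check below is an added example, not part of the sandbox report: it parses the report's "Set value" row layout and separates that known cleanup shape from a Run/RunOnce value that launches something. The first sample line is the row above; the second is a made-up contrast case that was not observed in this analysis, included only so the other branch is exercised.

```python
import re

# Constructed sample. The first line is the RunOnce indicator from the behavioral21 run,
# in the report's  Set value (type) key\name = "data" process target  layout. The second
# line is a made-up contrast case (a plain Run value pointing at an executable) that was
# NOT observed in this analysis; it only exercises the other branch of the classifier.
SAMPLE_INDICATORS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\dxwebsetup.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\updater.exe" C:\Users\Admin\AppData\Local\Temp\example.exe N/A',
]

SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "((?:[^"\\]|\\.)*)" (.+?) N/A$')
# IExpress/wextract packages register exactly this cleanup: a RunOnce value named
# wextract_cleanupN that calls advpack.dll!DelNodeRunDLL32 on their IXP###.TMP directory.
IEXPRESS_NAME_RE = re.compile(r"^wextract_cleanup\d+$", re.IGNORECASE)
IEXPRESS_DATA_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+(?:[A-Za-z]:\\Windows\\system32\\)?advpack\.dll,DelNodeRunDLL32\s+"?([^"]+?)\\?"?$',
    re.IGNORECASE,
)
IXP_DIR_RE = re.compile(r"\\IXP\d{3}\.TMP$", re.IGNORECASE)


def parse_set_value(line):
    """Split one 'Set value' row into key, value name, unescaped data and the writing process."""
    m = SET_VALUE_RE.match(line)
    if not m:
        return None
    vtype, full_path, raw_data, process = m.groups()
    key, _, value_name = full_path.rpartition("\\")
    data = re.sub(r"\\(.)", r"\1", raw_data)  # undo the report's \\ and \" escaping
    return {"type": vtype, "key": key, "value_name": value_name, "data": data, "process": process}


def classify_autorun(entry):
    """Verdict for a Run/RunOnce value: IExpress cleanup, real persistence, or not an autorun key."""
    key_tail = entry["key"].rsplit("\\", 1)[-1].lower()
    if key_tail not in ("run", "runonce"):
        return "not-autorun"
    m = IEXPRESS_DATA_RE.match(entry["data"])
    if key_tail == "runonce" and IEXPRESS_NAME_RE.match(entry["value_name"]) and m and IXP_DIR_RE.search(m.group(1)):
        return f"iexpress-cleanup: removes {m.group(1)} at next logon; RunOnce drops the value after it runs"
    return f"persistence: {key_tail} launches {entry['data']!r}, written by {entry['process']}"


def triage(lines):
    """Classify every row; rows that do not parse are reported rather than silently skipped."""
    results = []
    for line in lines:
        entry = parse_set_value(line)
        if entry is None:
            results.append((line[:40], "unparsed"))
        else:
            results.append((entry["value_name"], classify_autorun(entry)))
    return results


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_INDICATORS):
        print(f"{name}: {verdict}")
```

The cleanup match is deliberately strict (value name, advpack.dll export and an IXP###.TMP target all have to line up); a RunOnce value that reuses the wextract_cleanup name but points rundll32 at another DLL or directory falls through to the persistence branch.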

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\directx\websetup\dsetup.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\SET9AAB.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File created C:\Windows\SysWOW64\directx\websetup\SET9AAB.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\dsetup32.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\DirectX\WebSetup C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\SET9AAA.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File created C:\Windows\SysWOW64\directx\websetup\SET9AAA.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\security\logs\scecomp.log C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\Logs\DirectX.log C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\dxwebsetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\dxwebsetup.exe

"C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\dxwebsetup.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Network

Country Destination Domain Proto
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

MD5 eaa6b5ee297982a6a396354814006761
SHA1 780bf9a61c080a335e8712c5544fcbf9c7bdcd72
SHA256 d298fd82a39b2385a742ba1992466e081bea0f49e19ece6b2c87c7c262e1fcee
SHA512 ebdc887b6b334b7560f85ab2ebd29dc1f3a2dedac7f70042594f2a9bc128b6fca0a0e7704318ed69b7acf097e962533b3ce07713ef80e8acfe09374c13302999

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf

MD5 ad8982eaa02c7ad4d7cdcbc248caa941
SHA1 4ccd8e038d73a5361d754c7598ed238fc040d16b
SHA256 d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00
SHA512 5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll

MD5 0a23038ea472ffc938366ef4099d6635
SHA1 6499d741776dc4a446c22ea11085842155b34176
SHA256 8f2c455c9271290dcde2f68589cf825f9134beecb7e8b7e2ecbcabeab792280a
SHA512 dcc1c2ea86fd3a7870cd0369fa42f63d493895c546dcdd492ee19079a0d0696d689bbfe7b686d4fa549841896a54e673fc4581b80783d7aa255dfad765b9dc88

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup32.dll

MD5 7672509436485121135c2a0e30b9e9ff
SHA1 f557022a9f42fe1303078093e389f21fb693c959
SHA256 d7ea3cf1b9b639010005e503877026597a743d1068ae6a453ce77cc202796fea
SHA512 e46ff68c4a532017f8ab15b1e46565508f6285b72c7a1cbe964ed5e75320c8e14587d01fee61b3966f43636bfe74cebd21f7665b4a726281e771cf9230e69863

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-06 09:02

Reported

2024-11-06 09:34

Platform

win11-20241023-en

Max time kernel

1466s

Max time network

1478s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\vcredist_2015-2019_x86.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Temp\{FEC0A75B-EB65-4C87-80EE-D846D11901A9}\.cr\vcredist_2015-2019_x86.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Temp\{FEC0A75B-EB65-4C87-80EE-D846D11901A9}\.cr\vcredist_2015-2019_x86.exe N/A

Checks installed software on the system

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\vcredist_2015-2019_x86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\{FEC0A75B-EB65-4C87-80EE-D846D11901A9}\.cr\vcredist_2015-2019_x86.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\vcredist_2015-2019_x86.exe

"C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\vcredist_2015-2019_x86.exe"

C:\Windows\Temp\{FEC0A75B-EB65-4C87-80EE-D846D11901A9}\.cr\vcredist_2015-2019_x86.exe

"C:\Windows\Temp\{FEC0A75B-EB65-4C87-80EE-D846D11901A9}\.cr\vcredist_2015-2019_x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\vcredist_2015-2019_x86.exe" -burn.filehandle.attached=580 -burn.filehandle.self=560

Network

Country Destination Domain Proto
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

C:\Windows\Temp\{FEC0A75B-EB65-4C87-80EE-D846D11901A9}\.cr\vcredist_2015-2019_x86.exe

MD5 2f9d2b6ce54f9095695b53d1aa217c7b
SHA1 3f54934c240f1955301811d2c399728a3e6d1272
SHA256 0009d3f27837c3af3f6fff7973faf07afaa4b53119846f55b6f2a79f1759c757
SHA512 692857f960f26039c7b0af6329e65a71e8588ff71eaac6b956bd6e437994a8d5a470c7e75dd776e0772e473967b64d5ea0e1d8396546691316daf4d6b8ccc237

C:\Windows\Temp\{34AE5D3A-AE48-49BC-B82A-84AA3140C5D8}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

C:\Windows\Temp\{34AE5D3A-AE48-49BC-B82A-84AA3140C5D8}\.ba\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
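
Across the Files listings in this report the same artifact recurs under different per-run directory names: wixstdba.dll and logo.png carry identical digests in behavioral23 (under {38B81693-...}) and behavioral24 (under {34AE5D3A-...}), and the OpenAL installer's tmpXXXX.tmp names are likewise random. Indicators keyed on those paths would never match again, while the digests deduplicate cleanly. The parser below is an added example, not part of the report: it reads the report's own "Files" layout (path line, then MD5/SHA1/SHA256/SHA512 lines), checks each digest has the right hex length, collapses GUID and temp-file names in paths, groups entries by SHA256 and returns the distinct hashes. The sample input is built from entries copied from the listings above, including the hashless memory dump line, so the parser's handling of that case is visible.

```python
import re
from collections import defaultdict

# Constructed sample in the report's own "Files" layout: a path line followed by
# MD5/SHA1/SHA256/SHA512 lines. Entries are copied from the listings above (the two
# burn-engine wixstdba.dll drops, the hashless memory dump, one OpenAL DLL).
SAMPLE_FILES_SECTION = r"""
C:\Windows\Temp\{38B81693-3D30-43AE-B086-27734147D4A2}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

C:\Windows\Temp\{34AE5D3A-AE48-49BC-B82A-84AA3140C5D8}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

memory/4080-97-0x0000000002E60000-0x0000000002E61000-memory.dmp

C:\Windows\SysWOW64\OpenAL32.dll

MD5 235355a8dd26903e75d5e812ecf50e53
SHA1 8316319341a0f9054e19e4a7b21df3dc49386fee
SHA256 1797d150a2e23af4f390f5c33eb598c6f58d0454011d74941f5316add900bbdd
SHA512 5beb9343028790f993d0acb1007fd112b7e2ef6f9fbedfdb62b0140d2bbadf3b6368417ea19edb0bc8674d19418e5784fef4430ce1c329de8e83c304706d39ac
"""

DIGEST_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
TMP_NAME_RE = re.compile(r"\b(tmp|SET)[0-9A-Fa-f]{4}\.tmp\b", re.IGNORECASE)


def parse_files_section(text):
    """Return [{'path': str, 'hashes': {algo: hex}}] from the report's Files layout."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE_RE.match(line)
        if m and current is not None:
            current["hashes"][m.group(1)] = m.group(2).lower()
        else:  # anything that is not a digest line starts a new entry
            current = {"path": line, "hashes": {}}
            records.append(current)
    return records


def validate(record):
    """List what is wrong with an entry: missing digests or digests of the wrong length."""
    problems = []
    for algo, expected in DIGEST_LENGTHS.items():
        value = record["hashes"].get(algo)
        if value is None:
            problems.append(f"missing {algo}")
        elif len(value) != expected:
            problems.append(f"{algo} has {len(value)} hex chars, expected {expected}")
    return problems


def normalize_path(path):
    """Replace per-run GUID directories and tmpXXXX.tmp / SETXXXX.tmp names with placeholders."""
    path = GUID_RE.sub("{GUID}", path)
    return TMP_NAME_RE.sub(r"\1*.tmp", path)


def group_by_sha256(records):
    """Map SHA256 -> list of normalized paths it was seen under (hashless entries skipped)."""
    groups = defaultdict(list)
    for r in records:
        sha = r["hashes"].get("SHA256")
        if sha:
            groups[sha].append(normalize_path(r["path"]))
    return dict(groups)


def unique_iocs(records):
    """Distinct SHA256 values in first-seen order; memory dumps and hashless rows are excluded."""
    seen, out = set(), []
    for r in records:
        sha = r["hashes"].get("SHA256")
        if sha and sha not in seen:
            seen.add(sha)
            out.append(sha)
    return out


if __name__ == "__main__":
    recs = parse_files_section(SAMPLE_FILES_SECTION)
    for sha, paths in group_by_sha256(recs).items():
        print(sha, "->", sorted(set(paths)))
    for r in recs:
        if validate(r):
            print("skip:", r["path"], validate(r))
```

Matching on the normalized path plus SHA256 is what you would feed into a blocklist or a YARA/Sigma rule; the raw GUID paths are useful only to tie the two burn runs in this report to each other.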

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-06 09:02

Reported

2024-11-06 09:34

Platform

win11-20241007-en

Max time kernel

1389s

Max time network

1156s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Windowkill\STEAMUNLOCKED » Free Steam Games Pre-installed for PC.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Windowkill\STEAMUNLOCKED » Free Steam Games Pre-installed for PC.url"

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-06 09:02

Reported

2024-11-06 09:35

Platform

win11-20241007-en

Max time kernel

1461s

Max time network

1493s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_appid.txt

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 396 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE
PID 396 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_appid.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_appid.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-06 09:02

Reported

2024-11-06 09:34

Platform

win11-20241007-en

Max time kernel

1455s

Max time network

1475s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_settings\force_language.txt

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3600 wrote to memory of 3772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE
PID 3600 wrote to memory of 3772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_settings\force_language.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_settings\force_language.txt
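
The behavioral15, behavioral16, behavioral9 and behavioral13 runs share one pattern: the sandbox submitted a bundled .txt file (force_steamid.txt, steam_appid.txt, force_language.txt, small configuration files for the game's Steam integration) as cmd /c <path>, cmd handed the document to its registered handler, and Notepad opened it. That Notepad launch is what trips "Opens file in notepad (likely ransom note)" and the ransomware tag, and the "Suspicious use of WriteProcessMemory" rows show the parent writing into the child it had just created rather than into an unrelated process. In all four runs the Files section is N/A: nothing was written, and a ransom note is a file the sample creates. The check below is an added example, not part of the report: it reads the report's Processes layout, pairs each Notepad launch with the cmd /c line that explains it, and asks whether the displayed file was written during the run. The sample input is the behavioral13 Processes section; the archive root and the set of text extensions are assumptions stated in the code.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the report's "Processes" layout (image path line, then the
# command line), copied from the behavioral13 run. That run's Files section is N/A,
# so the list of files written during the run is empty.
SAMPLE_PROCESSES = r"""
C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_settings\force_language.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_settings\force_language.txt
"""
SAMPLE_DROPPED_FILES = []
ARCHIVE_ROOT = r"C:\Users\Admin\AppData\Local\Temp\Windowkill"  # assumption: where the sandbox unpacked Windowkill.zip

CMD_C_RE = re.compile(r'^"?cmd(?:\.exe)?"?\s+/c\s+"?(.+?)"?\s*$', re.IGNORECASE)
NOTEPAD_RE = re.compile(r'^"?[^"]*notepad\.exe"?\s+"?(.+?)"?\s*$', re.IGNORECASE)
TEXT_EXTENSIONS = {".txt", ".ini", ".cfg", ".json"}  # assumption: opened by a viewer, never executed


def parse_processes(text):
    """Return (image, command line) pairs; assumes every process lists both, as in this report."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    return [(lines[i], lines[i + 1]) for i in range(0, len(lines) - 1, 2)]


def document_opened_via_cmd(cmdline):
    """'cmd /c <document>' starts the document's registered handler (Notepad for .txt)."""
    m = CMD_C_RE.match(cmdline)
    if not m:
        return None
    target = m.group(1)
    return target if PureWindowsPath(target).suffix.lower() in TEXT_EXTENSIONS else None


def assess_notepad_signature(process_text, dropped_files, archive_root):
    """Explain each Notepad launch: submission artifact, note written then shown, or needs review."""
    procs = parse_processes(process_text)
    shell_targets = set()
    for _, cmdline in procs:
        target = document_opened_via_cmd(cmdline)
        if target:
            shell_targets.add(target.lower())
    dropped = {d.lower() for d in dropped_files}
    verdicts = []
    for image, cmdline in procs:
        if not image.lower().endswith("notepad.exe"):
            continue
        m = NOTEPAD_RE.match(cmdline)
        opened = m.group(1) if m else ""
        key = opened.lower()
        if key in dropped:
            verdict = "dropped-then-displayed: the file was written during the run before Notepad showed it"
        elif key in shell_targets and key.startswith(archive_root.lower()):
            verdict = "submission-artifact: a text file shipped inside the archive, opened by the sandbox's own cmd /c"
        else:
            verdict = "review: Notepad opened a file that no submission command line explains"
        verdicts.append((opened, verdict))
    return verdicts


if __name__ == "__main__":
    for opened, verdict in assess_notepad_signature(SAMPLE_PROCESSES, SAMPLE_DROPPED_FILES, ARCHIVE_ROOT):
        print(opened, "->", verdict)
```

The dropped-files check is the part that matters: the same Notepad launch becomes worth a look the moment the displayed file also appears in the run's Files section, because then the sample wrote it.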

Network

Country Destination Domain Proto
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-06 09:02

Reported

2024-11-06 09:35

Platform

win11-20241007-en

Max time kernel

1467s

Max time network

1490s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\discord_game_sdk_binding.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\discord_game_sdk_binding.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-06 09:02

Reported

2024-11-06 09:34

Platform

win11-20241007-en

Max time kernel

1797s

Max time network

1500s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\dotNetFx40_Full_setup.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\c3afa77bd1f0f5b476320500\Setup.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\dotNetFx40_Full_setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\c3afa77bd1f0f5b476320500\Setup.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\c3afa77bd1f0f5b476320500\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\c3afa77bd1f0f5b476320500\Setup.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\c3afa77bd1f0f5b476320500\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" C:\c3afa77bd1f0f5b476320500\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\c3afa77bd1f0f5b476320500\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\c3afa77bd1f0f5b476320500\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\c3afa77bd1f0f5b476320500\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" C:\c3afa77bd1f0f5b476320500\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy C:\c3afa77bd1f0f5b476320500\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings C:\c3afa77bd1f0f5b476320500\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\c3afa77bd1f0f5b476320500\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\c3afa77bd1f0f5b476320500\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\c3afa77bd1f0f5b476320500\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\c3afa77bd1f0f5b476320500\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\c3afa77bd1f0f5b476320500\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\c3afa77bd1f0f5b476320500\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\c3afa77bd1f0f5b476320500\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656} C:\c3afa77bd1f0f5b476320500\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\c3afa77bd1f0f5b476320500\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\c3afa77bd1f0f5b476320500\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\c3afa77bd1f0f5b476320500\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" C:\c3afa77bd1f0f5b476320500\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" C:\c3afa77bd1f0f5b476320500\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" C:\c3afa77bd1f0f5b476320500\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\c3afa77bd1f0f5b476320500\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\c3afa77bd1f0f5b476320500\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\c3afa77bd1f0f5b476320500\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\c3afa77bd1f0f5b476320500\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" C:\c3afa77bd1f0f5b476320500\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" C:\c3afa77bd1f0f5b476320500\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 C:\c3afa77bd1f0f5b476320500\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" C:\c3afa77bd1f0f5b476320500\Setup.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\c3afa77bd1f0f5b476320500\Setup.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\c3afa77bd1f0f5b476320500\Setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\dotNetFx40_Full_setup.exe

"C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\dotNetFx40_Full_setup.exe"

C:\c3afa77bd1f0f5b476320500\Setup.exe

C:\c3afa77bd1f0f5b476320500\\Setup.exe /x86 /x64 /ia64 /web

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\c3afa77bd1f0f5b476320500\Setup.exe

MD5 006f8a615020a4a17f5e63801485df46
SHA1 78c82a80ebf9c8bf0c996dd8bc26087679f77fea
SHA256 d273460aa4d42f0b5764383e2ab852ab9af6fecb3ed866f1783869f2f155d8be
SHA512 c603ed6f3611eb7049a43a190ed223445a9f7bd5651100a825917198b50c70011e950fa968d3019439afa0a416752517b1c181ee9445e02da3904f4e4b73ce76

C:\c3afa77bd1f0f5b476320500\SetupEngine.dll

MD5 84c1daf5f30ff99895ecab3a55354bcf
SHA1 7e25ba36bcc7deed89f3c9568016ddb3156c9c5a
SHA256 7a0d281fa802d615ea1207bd2e9ebb98f3b74f9833bba3cb964ba7c7e0fb67fd
SHA512 e4fb7e4d39f094463fdcdc4895ab2ea500eb51a32b6909cec80a526bbf34d5c0eb98f47ee256c0f0865bf3169374937f047bf5c4d6762779c8ca3332b4103be3

C:\c3afa77bd1f0f5b476320500\sqmapi.dll

MD5 3f0363b40376047eff6a9b97d633b750
SHA1 4eaf6650eca5ce931ee771181b04263c536a948b
SHA256 bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c
SHA512 537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8

C:\c3afa77bd1f0f5b476320500\DHTMLHeader.html

MD5 cd131d41791a543cc6f6ed1ea5bd257c
SHA1 f42a2708a0b42a13530d26515274d1fcdbfe8490
SHA256 e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb
SHA512 a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

C:\Users\Admin\AppData\Local\Temp\HFI7FD0.tmp.html

MD5 d3ea98a51e822f916e1f1303d953b513
SHA1 272a978bd66a70a07942eccf51bb0bacf9a08c73
SHA256 0a9b4c4a0b4a1171b3a8e7e04b78a10d11eff5cece4877cb7650bc0fc1c848a3
SHA512 41e91eedfa4302bb2c19ae3d1407029c67062a7492127bcd398d209c513380181fd5ee7892d1bb1cfdd61864b67eabddccd7e78f23773dd7887c4ed6260ba6ae

C:\c3afa77bd1f0f5b476320500\UiInfo.xml

MD5 8b8b0a935dc591799a0c6d52fdc33460
SHA1 ce2748bd469aad6e90b06d98531084d00611fb89
SHA256 57a9ccb84cae42e0d8d1a29cfe170ac3f27bdcae829d979cddfd5e757519b159
SHA512 93009b3045939b65a0c1d25e30a07a772bd73dda518529462f9ce1227a311a4d6fd7595f10b4255cc0b352e09c02026e89300a641492f14df908ad256a3c9d76

C:\c3afa77bd1f0f5b476320500\ParameterInfo.xml

MD5 7213da83e0f0b8ae4fea44ae1cb7f62b
SHA1 f2e3fcc77a1ad4d042253bd2e0010bcb40b68ed3
SHA256 59e67e4fb46e5490eee63d8b725324f1372720ade7345c74c6138c4a76ea73d9
SHA512 86186ab0f2cb38e520dd1284042eced157f96874846eb9061be9cf56b84a1cab5901a4879e105a8b04b336bbc43b03f4bdf198d43af868be188602347db829e0

C:\c3afa77bd1f0f5b476320500\1033\LocalizedData.xml

MD5 326518603d85acd79a6258886fc85456
SHA1 f1cef14bc4671a132225d22a1385936ad9505348
SHA256 665797c7840b86379019e5a46227f888fa1a36a593ea41f9170ef018c337b577
SHA512 f8a514efd70e81d0f2f983282d69040bca6e42f29aa5df554e6874922a61f112e311ad5d2b719b6ca90012f69965447fb91e8cd4103efb2453ff160a9062e5d3

C:\c3afa77bd1f0f5b476320500\3082\LocalizedData.xml

MD5 2d54fe70376db0218e8970b28c1c4518
SHA1 83ee9ac93142751f23d5bb858f7264e27ea2eab0
SHA256 d17c5b638e2a4d43212d21a2052548c8d4909eb6410e30b8a951a292bcdbbedd
SHA512 20c0fb9a046911bc2d702ab321c3992262ac0f80f33ddda5ec2ccafe9ef07611774223369e0dc7cb91c9cda1cbd65c598a7e1c914d6e6ca4b00205a16411be30

C:\c3afa77bd1f0f5b476320500\3076\LocalizedData.xml

MD5 967a6d769d849c5ed66d6f46b0b9c5a4
SHA1 c0ff5f094928b2fa8b61e97639c42782e95cc74f
SHA256 0bc010947bff6ec1ce9899623ccfdffd702eee6d2976f28d9e06cc98a79cf542
SHA512 219b13f1beeb7d690af9d9c7d98904494c878fbe9904f8cb7501b9bb4f48762f9d07c3440efa0546600ff62636ac34cb4b32e270cf90cb47a9e08f9cb473030c

C:\c3afa77bd1f0f5b476320500\2070\LocalizedData.xml

MD5 7fa9926a4bc678e32e5d676c39f8fb97
SHA1 bba4311dd30261a9b625046f8a6ea215516c9213
SHA256 a25ee75c78c24c50440ad7de9929c6a6e1cc0629009dc0d01b90cbac177dd404
SHA512 e06423bc1ea50a566d341dc513828608e9b6611fea81d33fca471a38f6b2b61b556ea07a5dec0830f3e87194975d87f267a5e5e1a2be5e6a86b07c5bb2bddcb6

C:\c3afa77bd1f0f5b476320500\2052\LocalizedData.xml

MD5 10da125eeabcbb45e0a272688b0e2151
SHA1 6c4124ec8ca2d03b5187ba567c922b6c3e5efc93
SHA256 1842f22c6fd4caf6ad217e331b74c6240b19991a82a1a030a6e57b1b8e9fd1ec
SHA512 d968abd74206a280f74bf6947757cca8dd9091b343203e5c2269af2e008d3bb0a17ff600eb961dbf69a93de4960133ade8d606fb9a99402d33b8889f2d0da710

C:\c3afa77bd1f0f5b476320500\1055\LocalizedData.xml

MD5 65e771fed28b924942a10452bbbf5c42
SHA1 586921b92d5fb297f35effc2216342dac1ae2355
SHA256 45e30569a756d9bcbc5f9dae78bda02751fd25e1c0aee471ce112cb4464a6ee2
SHA512 d014a2a96f3a5c487ef1caddd69599dbec15da5ad689d68009f1ca4d5cb694105a7903f508476d6ffec9d81386cb184df6fc428d34f056190cee30715514a8f7

C:\c3afa77bd1f0f5b476320500\1053\LocalizedData.xml

MD5 b3b1a89458bec6af82c5386d26639b59
SHA1 d9320b8cc862f40c65668a40670081079b63cea1
SHA256 1ef312e8be9207466fbfdecee92bfc6c6b7e2da61979b0908eaf575464e7b7a0
SHA512 478ce08619490ed1ecdd8751b5f60da1ee4ac0d08d9a97468c3f595ac4376feca59e9c72dd9c83b00c8d78b298be757c6f24a422b7be8c041f780524844998bf

C:\c3afa77bd1f0f5b476320500\1049\LocalizedData.xml

MD5 349b52a81342a7afb8842459e537ecc6
SHA1 6268343e82fbbabe7618bd873335a8f9f84ed64d
SHA256 992bf5aeb06aa3701d50c23fa475b4b86d8997383c9f0e3425663cfbd6b8a2a5
SHA512 ef4cbd3f7f572a9f146a524cfbc2efbd084e6c70a65b96a42339adc088e3f0524bc202548340969481e7f3df3ac517ac34b200b56a3b9957802abd0efa951c49

C:\c3afa77bd1f0f5b476320500\1046\LocalizedData.xml

MD5 a03d2063d388fc7a1b4c36d85efa5a1a
SHA1 88bd5e2ff285ee421ccc523f7582e05a8c3323f8
SHA256 61d8339e89a9e48f8ae2d929900582bb8373f08d553ec72d5e38a0840b47c8a3
SHA512 3a219f36e57d90ca92e9faec4dfd34841c2c9244da4fe7e1d70608dde7857aa36325bdb46652a42922919f782bb7c97f567e69a9fc51942722b8fd66cd4ecaf0

C:\c3afa77bd1f0f5b476320500\1045\LocalizedData.xml

MD5 bdb583c7a48f811be3b0f01fcea40470
SHA1 e8453946a6b926e4f4ae5b02ba1d648daf23e133
SHA256 611b7b7352188adffd6380b9c8a85b8ff97c09a1c293bb7ac0ef5478a0e18ac8
SHA512 27b02226f8f86ca4d00789317c79e8ca0089f5b910bed14aa664eeab6be66e98de3bafd7670c895d70ab9c34ece5f05199f3556fddc1b165904e3432a51c008d

C:\c3afa77bd1f0f5b476320500\1044\LocalizedData.xml

MD5 120104fa24709c2a9d8efc84ff0786cd
SHA1 b513fa545efae045864d8527a5ec6b6cebe31bb9
SHA256 516525636b91c16a70aef8d6f6b424dc1ee7f747b8508b396ee88131b2bb0947
SHA512 1ea8eb2be9d5f4ef6f1f2c0d90cb228a9bb58d7143ccafe77e18ce52ec4aca25dde0ba18430fd4d3d7962d079ccbe7e2552b2c7090361e03c6fdfb7c2b9c7325

C:\c3afa77bd1f0f5b476320500\1043\LocalizedData.xml

MD5 6506b4e64ebf6121997fa227e762589f
SHA1 71bc1478c012d9ec57fc56a5266dd325b7801221
SHA256 415112ae783a87427c2fadd7b010ade4f1a7c23b27e4b714b7b507c16b572a1c
SHA512 39024ea9d42352f7c1bd6fefe0574054eceb4059f773cfaeb26c42faada2540ae95fb34718d30ccb6da157d2597f80d12a024461fbd0e8d510431ba6ffa81ec2

C:\c3afa77bd1f0f5b476320500\1042\LocalizedData.xml

MD5 78c16da54542c9ed8fa32fed3efaf10d
SHA1 ad8cfe972c8a418c54230d886e549e00c7e16c40
SHA256 e3e3a2288ff840ab0e7c5e8f7b4cfb1f26e597fb17cfc581b7728116bd739ed1
SHA512 d9d7bb82a1d752a424bf81be3d86abea484acbb63d35c90a8ee628e14cf34a7e8a02f37d2ea82aa2ce2c9aa4e8416a7a6232c632b7655f2033c4aaab208c60bf

C:\c3afa77bd1f0f5b476320500\1041\LocalizedData.xml

MD5 64ffa6ff8866a15aff326f11a892bead
SHA1 378201477564507a481ba06ea1bc0620b6254900
SHA256 7570390094c0a199f37b8f83758d09dd2cecd147132c724a810f9330499e0cbf
SHA512 ea5856617b82d13c9a312cb4f10673dbc4b42d9ac5703ad871e8bdfcc6549e262e61288737ab8ebcf77219d24c0822e7dacf043d1f2d94a97c9b7ec0a5917ef2

C:\c3afa77bd1f0f5b476320500\1040\LocalizedData.xml

MD5 eda1ec689d45c7faa97da4171b1b7493
SHA1 807fe12689c232ebd8364f48744c82ca278ea9e6
SHA256 80faa30a7592e8278533d3380dcb212e748c190aaeef62136897e09671059b36
SHA512 8385a5de4eb6b38169dd1eb03926bc6d4604545801f13d99cee3acede3d34ec9f9d96b828a23ae6246809dc666e67f77a163979679956297533da40f9365bf2c

C:\c3afa77bd1f0f5b476320500\1038\LocalizedData.xml

MD5 89d4356e0f226e75ca71d48690e8ec15
SHA1 2336caa971527977f47512bc74e88cec3f770c7d
SHA256 fcbb619deb2d57b791a78954b0342dbb2fef7ddd711066a0786c8ef669d2b385
SHA512 fa03d55a4aafe94cbf5c134a65bd809fc86c042bc1b8ffbc9a2a5412eb70a468551c05c44b6ce81f638df43cca599aa1dd6f42f2df3012c8a95a3612df7c821e

C:\c3afa77bd1f0f5b476320500\1037\LocalizedData.xml

MD5 16e6416756c1829238ef1814ebf48ad6
SHA1 c9236906317b3d806f419b7a98598dd21e27ad64
SHA256 c0ee256567ea26bbd646f019a1d12f3eced20b992718976514afa757adf15dea
SHA512 aa595ed0b3b1db280f94b29fa0cb9db25441a1ef54355abf760b6b837e8ce8e035537738e666d27dd2a8d295d7517c325a5684e16304887ccb17313ca4290ce6

C:\c3afa77bd1f0f5b476320500\1036\LocalizedData.xml

MD5 1dad88faed661db34eef535d36563ee2
SHA1 0525b2f97eddbd26325fddc561bf8a0cda3b0497
SHA256 9605468d426bcbbe00165339d84804e5eb2547bfe437d640320b7bfef0b399b6
SHA512 ccd0bffbf0538152cccd4b081c15079716a5ff9ad04cee8679b7f721441f89eb7c6f8004cff7e1dde9188f5201f573000d0c078474edf124cfa4c619e692d6bc

C:\c3afa77bd1f0f5b476320500\1035\LocalizedData.xml

MD5 1aa252256c895b806e4e55f3ea8d5ffb
SHA1 0322ee94c3d5ea26418a2fea3f7e62ec5d04b81d
SHA256 8a68b3b6522c30502202ecb8d16ae160856947254461ac845b39451a3f2db35f
SHA512 ce57784892c0be55a00ced0adc594a534d8a40819790ca483a29b6cd544c7a75ae4e9bde9b6dc6de489ceceb7883b7c2ea0e98a38fcc96d511157d61c8aa3e63

C:\c3afa77bd1f0f5b476320500\1032\LocalizedData.xml

MD5 3bf8da35b14fbcc564e03f6342bb71f2
SHA1 8f9139f0bb813bf95f8c437548738d32848d8940
SHA256 39efe12c689edfea041613b0e4d6ec78afec8fe38a0e4adc656591ffef8f415d
SHA512 31b050647ba4bd0c2762d77307e1ed2a324e9b152c06ed496b86ea063cdc18bf2bb1f08d2e9b4af3429a2bc333d7891338d7535487c83495304a5f78776dbc03

C:\c3afa77bd1f0f5b476320500\1031\LocalizedData.xml

MD5 8505219c0a8d950ff07dc699d8208309
SHA1 7a557356c57f1fa6d689ea4c411e727438ac46df
SHA256 c48986cdb7fe3401234e0a6540eb394c1201846b5beb1f12f83dc6e14674873a
SHA512 7bcdad0cb4b478068434f4ebd554474b69562dc83df9a423b54c1701ca3b43c3b92de09ee195a86c0d244aa5ef96c77b1a08e73f1f2918c8ac7019f8df27b419

C:\c3afa77bd1f0f5b476320500\1030\LocalizedData.xml

MD5 69925e463a6fedce8c8e1b68404502fb
SHA1 76341e490a432a636ed721f0c964fd9026773dd7
SHA256 5f370d2ccdd5fa316bce095bf22670123c09de175b7801d0a77cdb68174ac6b7
SHA512 5f61abec49e1f9cc44c26b83aa5b32c217ebeba63ed90d25836f51f810c59f71ec7430dc5338efba9be720f800204891e5ab9a5f5ec1ff51ef46c629482e5220

C:\c3afa77bd1f0f5b476320500\1029\LocalizedData.xml

MD5 0b6ed582eb557573e959e37ebe2fca6a
SHA1 82c19c7eafb28593f453341eca225873fb011d4c
SHA256 8a0da440261940ed89bad7cd65bbc941cc56001d9aa94515e346d57b7b0838fc
SHA512 aba3d19f408bd74f010ec49b31a2658e0884661d2efda7d999558c90a4589b500570cc80410ba1c323853ca960e7844845729fff708e3a52ea25f597fad90759

C:\c3afa77bd1f0f5b476320500\1025\LocalizedData.xml

MD5 c5bf74c96a711b3f7004ca6bddecc491
SHA1 4c4d42ff69455f267ce98f1db8f2c5d76a1046da
SHA256 6b67c8a77c1a637b72736595afdf77bdb3910aa9fe48d959775806a0683ffa66
SHA512 2f2071bf9966bffe64c90263f4b9bd5efcac4f976c4e42fbdeaa5d6a6dee51c33f4902cf5e3d0897e1c841e9182e25c86d42e392887bc3ce3d9ed3d780d96ac9

C:\c3afa77bd1f0f5b476320500\SplashScreen.bmp

MD5 0966fcd5a4ab0ddf71f46c01eff3cdd5
SHA1 8f4554f079edad23bcd1096e6501a61cf1f8ec34
SHA256 31c13ecfc0eb27f34036fb65cc0e735cd444eec75376eea2642f926ac162dcb3
SHA512 a9e70a2fb5a9899acf086474d71d0e180e2234c40e68bcadb9bf4fe145774680cb55584b39fe53cc75de445c6bf5741fc9b15b18385cbbe20fc595fe0ff86fce

C:\c3afa77bd1f0f5b476320500\SetupUi.dll

MD5 eb881e3dddc84b20bd92abcec444455f
SHA1 e2c32b1c86d4f70e39de65e9ebc4f361b24ff4a1
SHA256 11565d97287c01d22ad2e46c78d8a822fa3e6524561d4c02dfc87e8d346c44e7
SHA512 5750cec73b36a3f19bfb055f880f3b6498a7ae589017333f6272d26f1c72c6f475a3308826268a098372bbb096b43fbd1e06e93eecc0a81046668228bc179a75

C:\c3afa77bd1f0f5b476320500\1033\SetupResources.dll

MD5 9547d24ac04b4d0d1dbf84f74f54faf7
SHA1 71af6001c931c3de7c98ddc337d89ab133fe48bb
SHA256 36d0159ed1a7d88000737e920375868765c0a1dd6f5a5acbb79cf7d97d9e7a34
SHA512 8b6048f4185a711567679e2de4789407077ce5bfe72102d3cb1f23051b8d3e6bfd5886c801d85b4e62f467dd12da1c79026a4bc20b17f54c693b2f24e499d40f

C:\c3afa77bd1f0f5b476320500\SetupUi.xsd

MD5 2fadd9e618eff8175f2a6e8b95c0cacc
SHA1 9ab1710a217d15b192188b19467932d947b0a4f8
SHA256 222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093
SHA512 a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca

C:\c3afa77bd1f0f5b476320500\Strings.xml

MD5 8a28b474f4849bee7354ba4c74087cea
SHA1 c17514dfc33dd14f57ff8660eb7b75af9b2b37b0
SHA256 2a7a44fb25476886617a1ec294a20a37552fd0824907f5284fade3e496ed609b
SHA512 a7927700d8050623bc5c761b215a97534c2c260fcab68469b7a61c85e2dff22ed9cf57e7cb5a6c8886422abe7ac89b5c71e569741db74daa2dcb4152f14c2369

memory/1836-267-0x00000000029C0000-0x00000000029C1000-memory.dmp

C:\c3afa77bd1f0f5b476320500\graphics\setup.ico

MD5 3d25d679e0ff0b8c94273dcd8b07049d
SHA1 a517fc5e96bc68a02a44093673ee7e076ad57308
SHA256 288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f
SHA512 3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255

C:\c3afa77bd1f0f5b476320500\graphics\print.ico

MD5 7e55ddc6d611176e697d01c90a1212cf
SHA1 e2620da05b8e4e2360da579a7be32c1b225deb1b
SHA256 ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed
SHA512 283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e

C:\c3afa77bd1f0f5b476320500\graphics\save.ico

MD5 7d62e82d960a938c98da02b1d5201bd5
SHA1 194e96b0440bf8631887e5e9d3cc485f8e90fbf5
SHA256 ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5
SHA512 ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67

C:\c3afa77bd1f0f5b476320500\graphics\warn.ico

MD5 b2b1d79591fca103959806a4bf27d036
SHA1 481fd13a0b58299c41b3e705cb085c533038caf5
SHA256 fe4d06c318701bf0842d4b87d1bad284c553baf7a40987a7451338099d840a11
SHA512 5fe232415a39e0055abb5250b120ccdcd565ab102aa602a3083d4a4705ac6775d45e1ef0c2b787b3252232e9d4673fc3a77aab19ec79a3ff8b13c4d7094530d2

memory/1836-274-0x00000000029C0000-0x00000000029C1000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted 2024-11-06 09:02
Reported 2024-11-06 09:35
Platform win11-20241007-en
Max time kernel 1462s
Max time network 1486s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\windowkill-vulkan.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\windowkill-vulkan.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\windowkill-vulkan.exe

"C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\windowkill-vulkan.exe"

Network

Country Destination Domain Proto
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted 2024-11-06 09:02
Reported 2024-11-06 09:34
Platform win11-20241007-en
Max time kernel 1465s
Max time network 1480s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\discord_game_sdk.dll,#1

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\discord_game_sdk.dll,#1

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted 2024-11-06 09:02
Reported 2024-11-06 09:35
Platform win11-20241007-en
Max time kernel 1462s
Max time network 1484s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_settings\depots.txt

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4548 wrote to memory of 2632 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE
PID 4548 wrote to memory of 2632 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_settings\depots.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_settings\depots.txt

Network

Country Destination Domain Proto
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted 2024-11-06 09:02
Reported 2024-11-06 09:35
Platform win11-20241007-en
Max time kernel 1468s
Max time network 1491s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\xnafx40_redist.msi

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\SET34CB.tmp C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
File created C:\Windows\SysWOW64\SET34CB.tmp C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
File created C:\Windows\SysWOW64\SET33AD.tmp C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
File opened for modification C:\Windows\SysWOW64\SET33ED.tmp C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
File created C:\Windows\SysWOW64\SET347B.tmp C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
File created C:\Windows\SysWOW64\SET34AA.tmp C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
File opened for modification C:\Windows\SysWOW64\SET347B.tmp C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
File opened for modification C:\Windows\SysWOW64\SET34FC.tmp C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
File created C:\Windows\SysWOW64\SET34FC.tmp C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
File created C:\Windows\SysWOW64\SET33ED.tmp C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
File opened for modification C:\Windows\SysWOW64\SET34AA.tmp C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
File opened for modification C:\Windows\SysWOW64\X3DAudio1_7.dll C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
File opened for modification C:\Windows\SysWOW64\xactengine3_6.dll C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
File opened for modification C:\Windows\SysWOW64\SET34FB.tmp C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
File created C:\Windows\SysWOW64\SET34FB.tmp C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
File opened for modification C:\Windows\SysWOW64\XAudio2_6.dll C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
File opened for modification C:\Windows\SysWOW64\XAPOFX1_4.dll C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
File opened for modification C:\Windows\SysWOW64\SET33AD.tmp C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
File opened for modification C:\Windows\SysWOW64\d3dx9_33.dll C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
File opened for modification C:\Windows\SysWOW64\xinput1_3.dll C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
File opened for modification C:\Windows\SysWOW64\D3DX9_41.dll C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DSETUP.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\XNA\Framework\v4.0\XnaNative.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\XNA\Framework\Shared\xnavisualizer.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\XNA\Framework\Shared\XnaVisualizerPS.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\dxupdate.cab C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\dsetup32.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\Feb2010_xact_x86.cab C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\Feb2010_XAudio_x86.cab C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\APR2007_xinput_x86.cab C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\XNA\Framework\v4.0\EULA.en-US.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\APR2007_d3dx9_33_x86.cab C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\Mar2009_d3dx9_41_x86.cab C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\Feb2010_X3DAudio_x86.cab C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e582ab5.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{2BFC7AA0-544C-4E3A-8796-67F3BE655BE9} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF4B7420F8DDFC0B15.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\assembly\tmp\89SR6EDM\Microsoft.Xna.Framework.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\assembly\tmp\UD1MDNWR\Microsoft.Xna.Framework.Xact.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\assembly\tmp\3PVVT3AF\Microsoft.Xna.Framework.Input.Touch.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\assembly\tmp\CGD4BHPP\Microsoft.Xna.Framework.Storage.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\assembly\tmp\NZQ891MC\Microsoft.Xna.Framework.Video.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\0AA7CFB2C445A3E47869763FEB56B59E\4.0.20823\F_CENTRAL_msvcp100_x86.DF495DFD_79F6_34DF_BB1E_E58DB5BDCF2C C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{2BFC7AA0-544C-4E3A-8796-67F3BE655BE9}\ProductIcon C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{2BFC7AA0-544C-4E3A-8796-67F3BE655BE9}\ProductIcon C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e582ab5.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\assembly\tmp\4U7ZDCU5\Microsoft.Xna.Framework.Game.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\0AA7CFB2C445A3E47869763FEB56B59E C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF9D4C1AF4EED35CE8.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\assembly\tmp\Z8A99YCM\Microsoft.Xna.Framework.Net.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF1B9C340D34C4D0CE.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2C0C.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\assembly\tmp\NIGNBZFX\Microsoft.Xna.Framework.GamerServices.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\assembly\tmp\M56SZ8TW\Microsoft.Xna.Framework.Graphics.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e582ab7.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\0AA7CFB2C445A3E47869763FEB56B59E\4.0.20823\F_CENTRAL_msvcr100_x86.DF495DFD_79F6_34DF_BB1E_E58DB5BDCF2C C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\assembly\tmp\H0VNEXZX\Microsoft.Xna.Framework.Avatar.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\0AA7CFB2C445A3E47869763FEB56B59E\4.0.20823\F_CENTRAL_msvcr100_x86.DF495DFD_79F6_34DF_BB1E_E58DB5BDCF2C C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Logs\DirectX.log C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
File opened for modification C:\Windows\Installer\MSI36DB.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF2634A62ABF4B6BFD.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\0AA7CFB2C445A3E47869763FEB56B59E\4.0.20823 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\0AA7CFB2C445A3E47869763FEB56B59E\4.0.20823\F_CENTRAL_msvcp100_x86.DF495DFD_79F6_34DF_BB1E_E58DB5BDCF2C C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "0" C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e48c5a3f-93ef-43bb-a092-2c7ceb946f27} C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\DirectShow\MediaObjects\Categories C:\Windows\syswow64\MsiExec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global\Microsoft.Xna.Framework,fileVersion="4.0.20823.0",version="4.0.0.00000",culture="neutral",publicKeyToken="842CF8BE1DE50553",processorArchitecture="x86" = 6c00660060002e003200510046002b00300041004c0048005600370077003800680027002100740058004e0041004600720061006d00650077006f0072006b005200650064006900730074003e0065006a0036002d0051005b002d0065003900400060004a003d006e0079005e005b005d002a00710000000000 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global\Microsoft.Xna.Framework.Input.Touch,fileVersion="4.0.20823.0",version="4.0.0.00000",culture="neutral",publicKeyToken="842CF8BE1DE50553",processorArchitecture="MSIL" = 6c00660060002e003200510046002b00300041004c0048005600370077003800680027002100740058004e0041004600720061006d00650077006f0072006b005200650064006900730074003e0050006a006300540058005b0053007b00610039003700380070002d005d0061006c0065004900260000000000 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global\Microsoft.Xna.Framework.Video,fileVersion="4.0.20823.0",version="4.0.0.00000",culture="neutral",publicKeyToken="842CF8BE1DE50553",processorArchitecture="MSIL" = 6c00660060002e003200510046002b00300041004c0048005600370077003800680027002100740058004e0041004600720061006d00650077006f0072006b005200650064006900730074003e00550048004a0055006e0053003d0052005d00380048004d005d00250038005d00400059006900750000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AA7CFB2C445A3E47869763FEB56B59E C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AA7CFB2C445A3E47869763FEB56B59E\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3eda9b49-2085-498b-9bb2-39a6778493de}\ = "XAudio2" C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cecec95a-d894-491a-bee3-5e106fb59f2d} C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cecec95a-d894-491a-bee3-5e106fb59f2d}\ = "AudioReverb" C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AA7CFB2C445A3E47869763FEB56B59E\Version = "67129687" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AA7CFB2C445A3E47869763FEB56B59E\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248d8a3b-6256-44d3-a018-2ac96c459f47}\InProcServer32\ThreadingModel = "Both" C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3eda9b49-2085-498b-9bb2-39a6778493de}\InProcServer32\ = "C:\\Windows\\SysWow64\\XAudio2_6.dll" C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\DirectShow\MediaObjects\a8122ff4-9e52-4374-b3d9-b4063e77109d\InputTypes = 6175647300001000800000aa00389b710100000000001000800000aa00389b71 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A8122FF4-9E52-4374-B3D9-B4063E77109D} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0AA7CFB2C445A3E47869763FEB56B59E\DXRedist C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AA7CFB2C445A3E47869763FEB56B59E\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248d8a3b-6256-44d3-a018-2ac96c459f47}\InProcServer32 C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cecec95a-d894-491a-bee3-5e106fb59f2d}\InProcServer32\ThreadingModel = "Both" C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AA7CFB2C445A3E47869763FEB56B59E\ProductIcon = "C:\\Windows\\Installer\\{2BFC7AA0-544C-4E3A-8796-67F3BE655BE9}\\ProductIcon" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0AA7CFB2C445A3E47869763FEB56B59E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cecec95a-d894-491a-bee3-5e106fb59f2d}\InProcServer32 C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global\Microsoft.Xna.Framework.Avatar,fileVersion="4.0.20823.0",version="4.0.0.00000",culture="neutral",publicKeyToken="842CF8BE1DE50553",processorArchitecture="MSIL" = 6c00660060002e003200510046002b00300041004c0048005600370077003800680027002100740058004e0041004600720061006d00650077006f0072006b005200650064006900730074003e006000490066005200610038006c007d006e00400064003100700042005b00330060002c003900350000000000 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global\Microsoft.Xna.Framework.Graphics,fileVersion="4.0.20823.0",version="4.0.0.00000",culture="neutral",publicKeyToken="842CF8BE1DE50553",processorArchitecture="x86" = 6c00660060002e003200510046002b00300041004c0048005600370077003800680027002100740058004e0041004600720061006d00650077006f0072006b005200650064006900730074003e0055006a0064003f003d002e00310076002400390053007e005a00340068007b0055006f007a00690000000000 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AA7CFB2C445A3E47869763FEB56B59E\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248d8a3b-6256-44d3-a018-2ac96c459f47}\InProcServer32\ = "C:\\Windows\\SysWow64\\xactengine3_6.dll" C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\DirectShow\MediaObjects\a8122ff4-9e52-4374-b3d9-b4063e77109d C:\Windows\syswow64\MsiExec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global\Microsoft.Xna.Framework.GamerServices,fileVersion="4.0.20823.0",version="4.0.0.00000",culture="neutral",publicKeyToken="842CF8BE1DE50553",processorArchitecture="MSIL" = 6c00660060002e003200510046002b00300041004c0048005600370077003800680027002100740058004e0041004600720061006d00650077006f0072006b005200650064006900730074003e007a00770076007100640077006800410066003d007a0027006500360077004900760034006700560000000000 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AA7CFB2C445A3E47869763FEB56B59E\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\DirectShow\MediaObjects C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A8122FF4-9E52-4374-B3D9-B4063E77109D}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A8122FF4-9E52-4374-B3D9-B4063E77109D}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\XNA\\Framework\\Shared\\xnavisualizer.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AA7CFB2C445A3E47869763FEB56B59E\PackageCode = "CC1B48CD503865840BBC69BD0DED73A5" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AA7CFB2C445A3E47869763FEB56B59E\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e48c5a3f-93ef-43bb-a092-2c7ceb946f27}\InProcServer32\ThreadingModel = "Both" C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A8122FF4-9E52-4374-B3D9-B4063E77109D}\InprocServer32\ThreadingModel = "Both" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AA7CFB2C445A3E47869763FEB56B59E\ProductName = "Microsoft XNA Framework Redistributable 4.0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AA7CFB2C445A3E47869763FEB56B59E\SourceList\PackageName = "xnafx40_redist.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3eda9b49-2085-498b-9bb2-39a6778493de}\InProcServer32 C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\DirectShow\MediaObjects\Categories\f3602b3f-0592-48df-a4cd-674721e7ebeb\a8122ff4-9e52-4374-b3d9-b4063e77109d C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AA7CFB2C445A3E47869763FEB56B59E\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e48c5a3f-93ef-43bb-a092-2c7ceb946f27}\InProcServer32 C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A8122FF4-9E52-4374-B3D9-B4063E77109D}\ = "VisualizerPlugin Class" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\500BB8FAD5F3D2A4D9EFC01E0702D939 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AA7CFB2C445A3E47869763FEB56B59E\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0AA7CFB2C445A3E47869763FEB56B59E\XNAFrameworkRedist C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AA7CFB2C445A3E47869763FEB56B59E\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e48c5a3f-93ef-43bb-a092-2c7ceb946f27}\InProcServer32\ = "C:\\Windows\\SysWow64\\XAudio2_6.dll" C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\DirectShow\MediaObjects\Categories\f3602b3f-0592-48df-a4cd-674721e7ebeb C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AA7CFB2C445A3E47869763FEB56B59E\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windowkill\\_Redist\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3eda9b49-2085-498b-9bb2-39a6778493de} C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e48c5a3f-93ef-43bb-a092-2c7ceb946f27}\ = "AudioVolumeMeter" C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cecec95a-d894-491a-bee3-5e106fb59f2d}\InProcServer32\ = "C:\\Windows\\SysWow64\\XAudio2_6.dll" C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\DirectShow\MediaObjects\a8122ff4-9e52-4374-b3d9-b4063e77109d\ = "XnaVisualizerDmo" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AA7CFB2C445A3E47869763FEB56B59E\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AA7CFB2C445A3E47869763FEB56B59E\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AA7CFB2C445A3E47869763FEB56B59E\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\Windowkill\\_Redist\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248d8a3b-6256-44d3-a018-2ac96c459f47}\ = "XACT Engine" C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3eda9b49-2085-498b-9bb2-39a6778493de}\InProcServer32\ThreadingModel = "Both" C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global\Microsoft.Xna.Framework.Xact,fileVersion="4.0.20823.0",version="4.0.0.00000",culture="neutral",publicKeyToken="842CF8BE1DE50553",processorArchitecture="x86" = 6c00660060002e003200510046002b00300041004c0048005600370077003800680027002100740058004e0041004600720061006d00650077006f0072006b005200650064006900730074003e0058003600520051006200610026006500470040005b002d003200630041007600560064007300740000000000 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global\Microsoft.Xna.Framework.Net,fileVersion="4.0.20823.0",version="4.0.0.00000",culture="neutral",publicKeyToken="842CF8BE1DE50553",processorArchitecture="MSIL" = 6c00660060002e003200510046002b00300041004c0048005600370077003800680027002100740058004e0041004600720061006d00650077006f0072006b005200650064006900730074003e00440072005900520072006c002d004a003d0041006b00390052007a005500210029006f005e00380000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\500BB8FAD5F3D2A4D9EFC01E0702D939\0AA7CFB2C445A3E47869763FEB56B59E C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

In this detonation the VSS activity is the System Restore point that Windows Installer requests before installing xnafx40_redist.msi: srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2 runs alongside vssvc.exe in the process list, and the snapshot metadata lands under System Volume Information in the file list. No shadow copies are deleted, so this signature alone does not indicate ransomware behaviour here.

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\xnafx40_redist.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe

"C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe" /silent

C:\Windows\syswow64\MsiExec.exe

"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\Microsoft Shared\XNA\Framework\Shared\xnavisualizer.dll"

Network

Country Destination Domain Proto
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp

Files

\??\Volume{3f575a23-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3632d725-f53d-4fc3-ac1b-b2efbf803066}_OnDiskSnapshotProp

MD5 c6dcdcbdc110d6e630d06ee56bbb6fe2
SHA1 c9bb0cace736a199992123c8c92c6acd6455adc3
SHA256 52fdca28143d7625a5c874c17cce4195a7df86b0c5c9120bc014f2d46c34147f
SHA512 7acf583c70f7bbbbde59df076049257cc90fdaa5fdc97b713b440222d94c6331cd1be31bacf1bbacf1b95251c72176834fdf58e7d8f29cd395a9be7c00d85a58

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 7a4cefa1d7a539ed137f822be6103ee7
SHA1 2c6d4fc0d125412b317edc74121dc09b101b7d7e
SHA256 ed1011f1e09fd9b305e62a8658e9db5c8e7ea0f0ffadeecc3ead20d8017e0dea
SHA512 7c0761c540b7c9a4a4db511c12207aded7704936e13b71b81f6a66953dc1de7bcb84a55e2d5ee5f2edc2c99043f839c2b20d5742d86b6098b3aff31daafd375e

memory/3612-25-0x0000027044830000-0x000002704483C000-memory.dmp

memory/3612-28-0x00000000002C0000-0x000000000036A000-memory.dmp

memory/3612-31-0x0000027044860000-0x0000027044878000-memory.dmp

memory/3612-34-0x0000027044880000-0x0000027044898000-memory.dmp

memory/3612-40-0x0000027044840000-0x000002704484C000-memory.dmp

memory/3612-37-0x0000000000370000-0x00000000003DC000-memory.dmp

memory/3612-43-0x00000270448C0000-0x00000270448D4000-memory.dmp

memory/3612-46-0x0000027044850000-0x000002704485C000-memory.dmp

memory/3612-49-0x00000270448A0000-0x00000270448AA000-memory.dmp

memory/3612-52-0x00000000003E0000-0x00000000003F6000-memory.dmp

C:\Windows\Installer\e582ab7.msi

MD5 97c2eebb30c5a88c68c8f24f37183f1d
SHA1 49efdc29f65fc8263c196338552c7009fc96c5de
SHA256 e6c41d692ebcba854dad4b1c52bb7ddd05926bad3105595d6596b8bab01c25e7
SHA512 c9d1017b274ceb1b4ee624cf7e628787c32a727c64f715fbce1f1ae929d9114f8fe1291e34583cec615619b0128c01206b07efc878e7a5c57b792453f73fd0da

C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe

MD5 11dd6e8ab9759d1ac91ffe0d0e4949cb
SHA1 2a86774d0c87050d5c7aa9738cc3975303a40d0e
SHA256 16953a202265db5655b3dd972b855619728da76545a2f94bcbb6c43262f48d5b
SHA512 06828f51b3866f7c2b29861707bf8552b742e366783115b3062f08a9c0005c96507ecf1fff92ad41dc0318ad715176c39c84ff0424372b080bf7c031e4f307de

C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\dsetup.dll

MD5 4d48dbe4d3a06c497435014e5c583f34
SHA1 159cbc37080b7ea3ceae8d25125b99f9f4948341
SHA256 9d47b4fa2dcce6a02a51324cfb97f5e153086c2eb8832b211e175cbe5fb850b3
SHA512 b8029bde36e4d6581916c131ec51d74f4a2b03abf5a238c503e1c7b19980d0946606375f0b4c3bd10b9c514e084368c356be8536b282bee887037d7d7f139732

C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DSETUP32.DLL

MD5 7c7cc9feb1026678c48bbabe84ea57c2
SHA1 4fe9c466fc65cf07af0e1440743b1822ab65849b
SHA256 a5c6df12f9fe2edab2a22fe7abf3cb17eac110a6fd469f2570ba04afc88ad767
SHA512 d9cca6dfd5966d45342b87afb6091bc8ad3beff039f9bc9c523f8118dc6723337c279cd652c19624250ed3934d8f4a2b15670652867c0114b7e785bbab4212e0

C:\PROGRA~2\MICROS~2\XNAGAM~1\v4.0\Redist\DXREDI~1\dxupdate.cab

MD5 c187448c8104d30087f3f25a9d112014
SHA1 b64ac3e44f2f38a3bf8400f11a40a39039fc9caa
SHA256 54d68f154058433865708ee0dbf3ecf2d609ffbd618e84a1056440379494d9fd
SHA512 9148cece409557444eeaf66dee58e2a6043a64d7b76b91e6c4074a5ba0d066cd1ebb2c60d44e1c7a40ca1dc63d72aa7afcc410202901d5afbf2116e3ba8b0f11

C:\Users\Admin\AppData\Local\Temp\DX318B.tmp\dxupdate.dll

MD5 c4842e139fca422e265c91c44a1341d6
SHA1 299a5ab4644fe7302b515aa10ef0f1715046275c
SHA256 b1f954cd75dc3c9d5bc57f1a4c28720ee3639aa8a4306f3da7b27d3c361ff8f5
SHA512 e85a35164e0feafa73a676dacf67d275b8e8aa5be40d861743662a7d1ac8135625c2d59a73e5c77fe1e3e8bd8523d9c823c89137aa4cb1b32d392cd9a1b59989

C:\PROGRA~2\MICROS~2\XNAGAM~1\v4.0\Redist\DXREDI~1\Apr2007_d3dx9_33_x86.cab

MD5 3676d740157493e80e7b8641289c003c
SHA1 8135aeeab67151dd4e2418d4907077f646e72873
SHA256 219441f975c200352a12dc3d8f82811fc7b53ed28d63761327933afbb660f876
SHA512 abfc5ea36a7368a34193c8f3771ae4e36c0d570ae0a20b11892184cd4e384d6abe6542769e3c890293b4e640faecf6392f84f5733017d8d86c65456caa24c6f7

C:\Windows\Logs\DirectX.log

MD5 168fa1fe3040f72665146195f1df54f5
SHA1 017d4c8d75b18e4fd02ff4eb8ca9ace28a7acc95
SHA256 4176823878feb67dee16f765501cc1b05c9cd5bb6d25db41ab0d4e9b2f29721b
SHA512 13a9c5c0671459ae88fc7f4c8150d92e8783ea214443bcb74d4785d751e3bcce390bcb37380838b8a0c56608a635bc949f4b33d939b56c4f518e52103fb969ec

C:\Users\Admin\AppData\Local\Temp\DX318B.tmp\dxupdate.inf

MD5 8c281fcb5546d1ed3cdaf6e3f7303139
SHA1 de342a17f2df0386f6584e2f55ae43c558ceb6c4
SHA256 7530c6e18dbb522c5f4fbf6714962c185ea318f9eab7aeb833b0cc07cd2fe656
SHA512 344ea0a375c8851fcf413f441a1cac3013b3748d1630a4d677da72e98f41823bf9427d896de7e1fe35bf868279538cf3b8322aa6ef20025bff48a6bb7f8c42d3

C:\Users\Admin\AppData\Local\Temp\DX318B.tmp\apr2007_d3dx9_33_x86.inf

MD5 044cae9c30c88bda73727243f5e5206d
SHA1 de744e349cf4ea458b10657d510966d21ad08d67
SHA256 349a09a2791d697bffffc61410a536cdcf258f0d7c86dda44a297e8aec4bdf00
SHA512 18e501142004afbcd28b41bdd3a9b19e2eebc047d7858ee11a9135f19759cfd8c643ff074a51e937bbcab7162888fd95effc146be21fe63dfc300ef03ed44056

C:\PROGRA~2\MICROS~2\XNAGAM~1\v4.0\Redist\DXREDI~1\Apr2007_xinput_x86.cab

MD5 f83f54f45ac15a32dc17614c4f6882d4
SHA1 fc8542fcd33bb9e669806409f677edec9bfb64fb
SHA256 5ab7bb15394e4ece850da5453413ab1de2ea97d5c93f86482b75073aaa05da9c
SHA512 e4dcccc3a4299d262b94b24ff4b29394bed71e211b80a8a457acc4ab89325500082e6a9b597bc7b1dbc35746d01a9aa038a9c3a401aa42a426fcc3d15f410c9a

C:\PROGRA~2\MICROS~2\XNAGAM~1\v4.0\Redist\DXREDI~1\Mar2009_d3dx9_41_x86.cab

MD5 0fdd6e4e5dfc5d913261355746402214
SHA1 a80c28755c9d3ca163bd377d1bd951a1c111733c
SHA256 5146e15d4c65590704286bfcfbbcc31e98a6832f8a7cc3bfdcb1e7fa5a647bb1
SHA512 9eb85c4507881fc1004c906ee954273bfbea8979d70b2321f197a3cf82121734225103e4239a9bfb591a980b70400a5d19b93482abc108c46614a20476a81f90

C:\Users\Admin\AppData\Local\Temp\DX318B.tmp\apr2007_xinput_x86.inf

MD5 e188f534500688cec2e894d3533997b4
SHA1 f073f8515b94cb23b703ab5cdb3a5cfcc10b3333
SHA256 1c798cb80e9e46ce03356ea7316e1eff5d3a88ccdd7cbfbfcdce73cded23b4e5
SHA512 332ccb25c5ed92ae48c5805a330534d985d6b41f9220af0844d407b2019396fcefea7076b409439f5ab8a9ca6819b65c07ada7bd3aa1222429966dc5a440d4f7

C:\Users\Admin\AppData\Local\Temp\DX318B.tmp\Mar2009_d3dx9_41_x86.inf

MD5 b37a5ff044eb65521a290c79ba1a3e00
SHA1 ed505464894bd3e52654834487f3821ae117edfe
SHA256 bd29711cc2ecd924990167ffa95f48842e24aeed3acef1023717040240b4bbb6
SHA512 eae4408cfa7f9c39b101489688cc570a184b8a57f3d20d3b0452a581fb80c4f485dc2f512a39669a92a5bde81fbf474e1585f566ff482e87610780c23126c21e

C:\PROGRA~2\MICROS~2\XNAGAM~1\v4.0\Redist\DXREDI~1\Feb2010_X3DAudio_x86.cab

MD5 ed093ce20bddc7c42ede4daf772ed5aa
SHA1 21beb0ef8130be1c62b8467dfb67bf3f7548cea1
SHA256 7fbf09682fd15d721ff2c5cb110b5ffcf5982cd2dd8d72b708cf3cd0bc4fa250
SHA512 734e397f4ed2554944e1d1f6f799794c4027792a06e9da25bab58e6e4ff58146058d8b45ff0cb9c861f77989cad029164945f22ffcb459432e1d3a2c7172525c

C:\Users\Admin\AppData\Local\Temp\DX318B.tmp\FEB2010_X3DAudio_x86.inf

MD5 e84adf38d499ae39090ad60fd76d76e3
SHA1 6af4d58bc04aac2723e8b97649f1b35fb1aca84c
SHA256 d4da3e530982812d1e2a31570b80af541fac1b13c72997d2aad7ea3bfeaf4a4a
SHA512 6714992e7aee7bd0798fbec68f92c97ee502127580e21e1b6693ed6737312b44dbc9fd9ef579fe552590e9e5a4904df94e4116334265a34699a04aa76ab87c24

C:\PROGRA~2\MICROS~2\XNAGAM~1\v4.0\Redist\DXREDI~1\Feb2010_XACT_x86.cab

MD5 5cf3585c99a59319ac10e18cc92f0024
SHA1 c48c25e6b7094eaf337fa986960f9895e5f465ba
SHA256 0ba00c41443639dea9b816fa2608088ccef5dbe850531dff4c1e7993804b0b60
SHA512 26b8213a5105b37912632c8abc1a07381210836e620f8f70d77b3b412a406e2e38df7af037001fe27f2da874e143c59aa7dbff90a9183e7619a8e5af0a23b158

C:\Users\Admin\AppData\Local\Temp\DX318B.tmp\FEB2010_XACT_x86.inf

MD5 82c10b720e33be099f69e4010d44ecd2
SHA1 e95a2eb23db3fd610d71089500aad523f93c9469
SHA256 e850fdb84bcac0f667927e53fee943efd3f43be6c6a0ae1e17f3fff83ddb2635
SHA512 853261c439b26cdc8991ac289b9f9925976452ed613481b0cf09e75444882805ffa15633eba441d8e1a04641f5f6378b68e2270a6a48d3911d7f9c2c0b1235bd

C:\Users\Admin\AppData\Local\Temp\DX318B.tmp\FEB2010_XAudio_x86.inf

MD5 e6e942a2cfbb587bfcc4203b5bb34fd4
SHA1 2e0172ea1936911a98e11a6e98990703e24172c0
SHA256 74c827ef94881099761e04397ef8f162fd0ccaf4876a5503c4b53a5216d2acca
SHA512 3d70d76e6f459819a1703c5019a2e10fe518ee6e8eb5d3313fe57d3d1b6313b52c4904398a26841c78a9ecf9d715e1201e834ab3df47265e070ec94417a78e4d

C:\PROGRA~2\MICROS~2\XNAGAM~1\v4.0\Redist\DXREDI~1\Feb2010_XAudio_x86.cab

MD5 5da6e4a80fa53568d2fdde31cbff2979
SHA1 9606fda70427cd9f4eb8e67b625417e2775e6876
SHA256 281bb0e12f617e9ae7fe3301a7d4a08201b377caa0311a886e8cddc2526f734a
SHA512 649fc2578388064267ebe8e55daada29d2e51ae6422b10088b6bfacd229bc0439aafdc4f9af7b3b5e187df179c72b4d85f70839a8c91505d17da06d53a40cf3b

C:\Users\Admin\AppData\Local\Temp\DX318B.tmp\d3dx9_33.dll

MD5 cdb1cd22baff21f48606b3c1a18b000b
SHA1 9315b5db975a34dbebdb4dcae652ba1db01c482c
SHA256 c6b7b2ad7742dde5dd8d1a35fdc1c185e586e551ad9c74d3fb21759cd8ca4da8
SHA512 c5fb24de8f1ee6fc1ed6e74580b5d22599ea4eb6c3589645fff0b15dc8dca051c4917e60fbc00ca86542dd63a8f5e40da92ea77e24826c0c6bdba9b58c36d4db

C:\Users\Admin\AppData\Local\Temp\DX318B.tmp\xinput1_3.dll

MD5 77f595dee5ffacea72b135b1fce1312e
SHA1 d2a710b332de3ef7a576e0aed27b0ae66892b7e9
SHA256 8d540d484ea41e374fd0107d55d253f87ded4ce780d515d8fd59bbe8c98970a7
SHA512 a8683050d7758c248052c11ac6a46c9a0b3b3773902cca478c1961b6d9d2d57c75a8c925ba5af4499989c0f44b34eaf57abafafa26506c31e5e4769fb3439746

C:\Users\Admin\AppData\Local\Temp\DX318B.tmp\d3dx9_41.dll

MD5 3fa06cf5079b84155d18b05c08f7131b
SHA1 fafe52876151a08f39dbb6b4aa137dd85558ba5f
SHA256 6ac4df203af419d3f3b7d9a99e14a3490ea3ad307c474bfe36baea642b1421f6
SHA512 24d29c3ffb6532da860fef4dd93e61f7532cea3af94928495a3af0231e7dff6db5cad25713451a2e722c076462b94818cd6969a1c7d8905585b0f64e12174d1e

C:\Users\Admin\AppData\Local\Temp\DX318B.tmp\X3DAudio1_7.dll

MD5 c811e70c8804cfff719038250a43b464
SHA1 ec48da45888ccea388da1425d5322f5ee9285282
SHA256 288c701bdedf1d45c63dd0b7d424a752f8819f90feb5088c582f76bc98970ba3
SHA512 09f2f4d412485ef69aceacc90637c90fad25874f534433811c5ed88225285559db1d981a3ab7bc3a20336e96fb43b4801b4b48a3668c64c21436ee3ea3c32f45

C:\Users\Admin\AppData\Local\Temp\DX318B.tmp\xactengine3_6.dll

MD5 f81c4678a55ffee585ac75825faf5582
SHA1 8fb2e6cf2a022eaed2ff5e3e225b3ca1e453d1cc
SHA256 8a7e7c5ac2e6230f0249d46751522e7ecf85e7490cf7491ab73bf2e7e59e4c0f
SHA512 8c8071bc2640d5c0fcf140ad68d4788cbb0706d17313c3cb74e25624a748b282acbf77eda678cf0d5fecf2ec3d583508c6f4eaf5c84073909b616f59b4f4e5fe

C:\Users\Admin\AppData\Local\Temp\DX318B.tmp\XAPOFX1_4.dll

MD5 e4ce2af32f501a7f7dddd908704a0ee6
SHA1 9dc2976efb15b6fba08bebdeb98929b6961063a5
SHA256 0aee44b12913a95840ee6431d90518b0d72c54a27392e21ee6995e2151554a06
SHA512 ec14a58414d595a36c6b575cdae690f11481cd3f0b35fd2f4c6a6d162a6272882cfe03da865e09a34972775790529f51c80b69056a2fcb909f25b549ed2f7f01

C:\Users\Admin\AppData\Local\Temp\DX318B.tmp\XAudio2_6.dll

MD5 4976243bd70fae3d1d24e49739ab2710
SHA1 6ef27b10bcf4e697fe77c3e964b326be11e4444f
SHA256 61b57170f7c6365714396072d22cb98746718c0f44c9f0d5c62fdb1b218639c7
SHA512 af2d6aaad44bed880a1a2ee947618b142c76a5eca42d4608196b74df9108a9649059d8207e84a58b76ad43aefe9b66ffcc519f8126667177011cf4199f163e83

C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Xna.Framework\v4.0_4.0.0.0__842cf8be1de50553\Microsoft.Xna.Framework.dll

MD5 343f79fe3dcfe0828f7ac2a13f8f7210
SHA1 8daafd2b9e44f0b46b2dc6ba4607ef155964db0e
SHA256 8b7aa4c4939f243b21432747281cc8aacdcda56191a16d9eaa036b4136cf0da4
SHA512 651d7acf8effe6a77ce094c88163adb950830d2f5779f900129391f2f9ca7393163749084e861fbd742e26f61c350225107d64dcf888c0b5d4ac9de8ae99d44a

C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Xna.Framework.GamerServices\v4.0_4.0.0.0__842cf8be1de50553\Microsoft.Xna.Framework.GamerServices.dll

MD5 f1e460b7805cbc4901c410f2767912ab
SHA1 01e7f335e58af5140bc7953518739f43c59f1c98
SHA256 627e84c06cc4e409870b068c9ec9149adba425e47e64185f92d839db2aa35484
SHA512 3f34bb839deb6af6b68946aaeac17fa3a1e419d2f8310f37d1f460bda329c2bd46e380fe18f883389dcc64e482e596a0b31e0291b202abefe1c6976d5dec8751

C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Xna.Framework.Storage\v4.0_4.0.0.0__842cf8be1de50553\Microsoft.Xna.Framework.Storage.dll

MD5 17c4074e1d0977182060959ec63e18a6
SHA1 af73bc4b90899793525ca472a1b90312c33063e9
SHA256 7edbb80c699ce3ead8aee5a512ee34c7718cb5dceeb1d0577e788ad8d0ad9383
SHA512 b7d7fc7b21f3fd480e6ee40cfb3682b898382ad2397cc38ef7258db68dcac31de0f64b8adae5ac92d0b31c3cf85c2489a04dfa77675104134d874fb4871e91b0

C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Xna.Framework.Input.Touch\v4.0_4.0.0.0__842cf8be1de50553\Microsoft.Xna.Framework.Input.Touch.dll

MD5 911fbe5496efbaed4ea67497fa63c633
SHA1 570911a579cd752ceedbe9b07efc1c8c832cfda9
SHA256 2191bad4540b50723acbda55bd2c6e5d80cc6f84ad989ff89ddda672348577b2
SHA512 6ffc30116c62f9a91e5d6fee4133e87417df14aafdf5443f7002b46c20ddbf0eca242ea54f8711b31defb42ad0ef3f5f11b16e699ce3dbdaa728ec1661e00d7d

C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Xna.Framework.Video\v4.0_4.0.0.0__842cf8be1de50553\Microsoft.Xna.Framework.Video.dll

MD5 94b8554692a89f1955b9219e0f26442b
SHA1 cd34862740a30b2f0fd391fa16b082edb79d155b
SHA256 63c7673c936747abd9ebe779e8837c8b8add2c078a31216684fbf8c6bcab2745
SHA512 9a6762e9cd8bd26dd347c8166dc59b31159c9e5295d39773c69228d73b5f3f850bbd41f733b1f880623bcd4c929f13d66e2168f2e1972842a6e031d069ec92b4

C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Xna.Framework.Avatar\v4.0_4.0.0.0__842cf8be1de50553\Microsoft.Xna.Framework.Avatar.dll

MD5 7b26de335983eb8b800a67ef5ff077d5
SHA1 f614672dd8b25985a417ed339a6a6532c9e57800
SHA256 7688ebdffc98433eef8aada293a8c4beec6d6acfc0e1f91ca8eb2f1c350e7cec
SHA512 fc14dcda0703c8ade152bee32b4c4175c37e98500cc1370d4de0ffd0eac398edae3a42d29711e6ec841231fab0eed228fc6eba69347b54a8e125866ae6822043

C:\Program Files (x86)\Common Files\Microsoft Shared\XNA\Framework\Shared\xnavisualizer.dll

MD5 ba187b4db5dae1bee29e6f18b7775b8b
SHA1 efce87100c26165cfd7eb627534e42cb72ddb5b7
SHA256 11bcc9f47d9b0397f6d78c08e7208ee812cbef54bb02a8c3a681608879471c8c
SHA512 c9c2c3760e495c611a925bb5ae162d4c4ac90f53e2c0a9d20f68085ab43cc0f0a7ad1d201564649e4cf67ef4402d874626c6911f01f8a055da0b993730afc12c

C:\Config.Msi\e582ab6.rbs

MD5 683a327af03687415b24f1a09b738b8e
SHA1 b8d498bcb58143646216d0ec909dfe1566fe5b34
SHA256 c082a4f25def64f955882e537fb87a832a46090eff4b30d7dc79db159463ea7f
SHA512 9d89eaca56428fe8bbf8d7553ebe2557a703c7b49f9f723e5ad9949b58a793c8f70edbb015574c5a242d5b33220e9bd04ca4ee64a86429517228763dbaada8e3

C:\Config.Msi\e582ab8.rbs

MD5 e7adfa64294c5a63d7c66b927a393177
SHA1 af7e8a42325ebd6a9a061ed78a5885ade1451059
SHA256 975cfb89537f143b27efd81c04d44e34d29987524685806c0888698ba9e097a4
SHA512 e0f9344a3e2ed3478126eb26ad2146cf36e80bb1425022ab5883ba76d6dac19e40e2911ac3d351e2afa2e4aef88046f3df01adc00d4c5079e49b0e0edff1ed7f

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-06 09:02

Reported

2024-11-06 09:34

Platform

win11-20241007-en

Max time kernel

1463s

Max time network

1480s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_settings\force_listen_port.txt

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Opens file in notepad (likely ransom note)

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

The file opened is steam_settings\force_listen_port.txt, a configuration file shipped inside the archive. The sandbox launched it with cmd /c, which hands a .txt to its default handler (Notepad). Nothing in this run wrote the file (Files: N/A below), so it is a pre-existing input rather than a dropped note.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 568 wrote to memory of 3040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE
PID 568 wrote to memory of 3040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_settings\force_listen_port.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_settings\force_listen_port.txt
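The two "ransomware" signatures in this report (the Volume Shadow Copy signature in the msiexec detonation above and the notepad signature in this one) both fire on context-free indicators. The following triage helper, added here as an example and not part of the report or of any sandbox vendor's code, re-checks them against the process tree: VSS use is only treated as destructive when a shadow-deletion command line is present, a restore point created through srtasks.exe during an msiexec install is labelled as such, and a notepad target only counts as a possible note when the same run wrote the file. The process records are constructed from the command lines and PIDs printed in the report (parent PIDs the report does not show are set to 0); the contrast case, the regexes and the file-name heuristic are this example's own assumptions.

```python
"""Re-check two sandbox 'ransomware' signatures against the process tree.

Added example; not part of the report and not any sandbox vendor's code.
Process records are constructed from the report's command lines and PIDs
(parent PID 0 = not recorded). Rule names, regexes and the file-name
heuristic are this example's own assumptions.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int      # 0 = parent not recorded in the report
    image: str
    cmdline: str


# Command lines that remove recovery data: the pre-encryption step real
# ransomware performs. Creating a restore point matches none of these.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)"
    r"|bcdedit(\.exe)?\b.*\brecoveryenabled\s+no",
    re.IGNORECASE,
)
MSI_INSTALL = re.compile(r"msiexec(\.exe)?\s+/i\b", re.IGNORECASE)
NOTE_NAME = re.compile(r"readme|decrypt|restore|recover|how.?to|ransom|unlock", re.IGNORECASE)


def _image_is(p, name):
    return ntpath.basename(p.image).lower() == name


def classify_vss(procs):
    """'destructive' | 'installer-restore-point' | 'unexplained' | 'no-vss'."""
    if any(SHADOW_DELETE.search(p.cmdline) for p in procs):
        return "destructive"
    restore_point = any(
        _image_is(p, "srtasks.exe") and "executescoperestorepoint" in p.cmdline.lower()
        for p in procs
    )
    if restore_point and any(MSI_INSTALL.search(p.cmdline) for p in procs):
        # Windows Installer asks System Restore for a checkpoint before an
        # install; System Restore does that through srtasks.exe and VSS.
        return "installer-restore-point"
    return "unexplained" if any(_image_is(p, "vssvc.exe") for p in procs) else "no-vss"


def opened_path(cmdline):
    """Path argument of a notepad.exe command line, surrounding quotes stripped."""
    m = re.match(r'^\s*"?.*?notepad\.exe"?\s+"?(.+?)"?\s*$', cmdline, re.IGNORECASE)
    return m.group(1) if m else ""


def classify_notepad(procs, files_written):
    """Map notepad PID -> (opened path, verdict).

    A ransom note is a file the sample dropped; a file that existed before
    detonation (here: a config file inside the archive) is just an input.
    """
    written = {f.lower() for f in files_written}
    verdicts = {}
    for p in procs:
        if not _image_is(p, "notepad.exe"):
            continue
        path = opened_path(p.cmdline)
        dropped = path.lower() in written
        noteish = bool(NOTE_NAME.search(ntpath.basename(path)))
        if dropped and noteish:
            verdict = "likely-ransom-note"
        elif dropped:
            verdict = "dropped-file-review"
        else:
            verdict = "pre-existing-input"
        verdicts[p.pid] = (path, verdict)
    return verdicts


# --- records constructed from the report's process lists ------------------
MSI_RUN = [
    Proc(1, 0, r"C:\Windows\system32\msiexec.exe",
         r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Windowkill\_Redist\xnafx40_redist.msi"),
    Proc(2, 0, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    Proc(3, 0, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    Proc(4, 0, r"C:\Windows\system32\srtasks.exe",
         r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"),
]
TXT = r"C:\Users\Admin\AppData\Local\Temp\Windowkill\Windowkill\steam_settings\force_listen_port.txt"
BEHAVIORAL14 = [
    Proc(568, 0, r"C:\Windows\system32\cmd.exe", "cmd /c " + TXT),
    Proc(3040, 568, r"C:\Windows\system32\NOTEPAD.EXE", '"C:\\Windows\\system32\\NOTEPAD.EXE" ' + TXT),
]
# --- constructed contrast case, NOT from the report -----------------------
NOTE = r"C:\Users\Admin\Desktop\README_DECRYPT.txt"
RANSOM_LIKE = [
    Proc(10, 0, r"C:\Users\Admin\AppData\Local\Temp\payload.exe", "payload.exe"),
    Proc(11, 10, r"C:\Windows\system32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    Proc(12, 10, r"C:\Windows\system32\notepad.exe", 'notepad.exe "' + NOTE + '"'),
]
RANSOM_FILES = [NOTE]

if __name__ == "__main__":
    print("msi run  :", classify_vss(MSI_RUN))
    print("behav14  :", classify_vss(BEHAVIORAL14), classify_notepad(BEHAVIORAL14, []))
    print("contrast :", classify_vss(RANSOM_LIKE), classify_notepad(RANSOM_LIKE, RANSOM_FILES))
```

Run against the report's own records the helper returns installer-restore-point for the msiexec run and pre-existing-input for the notepad launch, while the constructed contrast case (shadow deletion followed by notepad on a freshly written README_DECRYPT.txt) is the only one scored destructive and likely-ransom-note. Feeding it real EDR or sandbox process records only requires filling in Proc and the list of files written during the run.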

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

N/A