c9f2e2abb046ff2535537182edf9a9b748aa10a22e98a1d8c948d874f4ffb304

Resubmissions

17-11-2024 19:15

241117-xyamaawhjn 8

17-11-2024 19:03

241117-xqtp7awfpq 3

15-11-2024 07:15

241115-h3byks1bka 8

Analysis

max time kernel
322s
max time network
323s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
17-11-2024 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SteamtoolsSetup.exe
Size

978KB
MD5

bbf15e65d4e3c3580fc54adf1be95201
SHA1

79091be8f7f7a6e66669b6a38e494cf7a62b5117
SHA256

c9f2e2abb046ff2535537182edf9a9b748aa10a22e98a1d8c948d874f4ffb304
SHA512

9bb261b4ed84af846e07ffb6352960687e59428fd497faa0a37d70b57a1a7430d48ac350fbb0c3f0f11e4231a98ebca4d6923deba0949fdd7a247a3c02737355
SSDEEP

24576:4Fa9OUi2VoN2gZ1M8UQag3BXrYZt+GgGTfG74T+TRcL:Z9OUiTN2gZ1MExEZkkf+4TARg

Score

8^/10

steam defense_evasion discovery persistence phishing

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
3880	SteamSetup.exe
5080	steamservice.exe
2972	steam.exe
21612	steam.exe
21548	steamwebhelper.exe
8544	steamwebhelper.exe
21144	steamwebhelper.exe
20500	steamwebhelper.exe
18648	gldriverquery64.exe
19544	steamwebhelper.exe
19948	steamwebhelper.exe
18904	gldriverquery.exe
18732	vulkandriverquery64.exe
6680	vulkandriverquery.exe

Loads dropped DLL 53 IoCs

pid	Process
3880	SteamSetup.exe
3880	SteamSetup.exe
3880	SteamSetup.exe
3880	SteamSetup.exe
3880	SteamSetup.exe
3880	SteamSetup.exe
3880	SteamSetup.exe
3880	SteamSetup.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21548	steamwebhelper.exe
21548	steamwebhelper.exe
21548	steamwebhelper.exe
21548	steamwebhelper.exe
8544	steamwebhelper.exe
8544	steamwebhelper.exe
8544	steamwebhelper.exe
21612	steam.exe
21612	steam.exe
21144	steamwebhelper.exe
21144	steamwebhelper.exe
21144	steamwebhelper.exe
21144	steamwebhelper.exe
21144	steamwebhelper.exe
21144	steamwebhelper.exe
21144	steamwebhelper.exe
21144	steamwebhelper.exe
21144	steamwebhelper.exe
20500	steamwebhelper.exe
20500	steamwebhelper.exe
20500	steamwebhelper.exe
21612	steam.exe
19544	steamwebhelper.exe
19544	steamwebhelper.exe
19544	steamwebhelper.exe
19948	steamwebhelper.exe
19948	steamwebhelper.exe
19948	steamwebhelper.exe
19948	steamwebhelper.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"	SteamSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Detected potential entity reuse from brand STEAM.
phishing steam

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_070_setting_0040.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_080_input_0030.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_110_social_0303.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_support.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\icon_game_frame.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\localization\dualshock_4_french.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\localization\switch_controller_spanish.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps5_trackpad_l_click.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_outlined_button_b_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_trackpad_left_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\friends\VoiceChatInviteNotification.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sd_l4_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_outlined_button_a_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\aom.dll_	steam.exe
File opened for modification	C:\Program Files (x86)\Common Files\Steam\steamservice.exe	steamservice.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_030_inv_0060.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_details.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\switchpro_r2.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\xbox_p3_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_010_wpn_0320.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps5_button_create_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_l1_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\switchpro_lstick_click_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_r2.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\StorageClips.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\steamclean_swedish.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_outlined_button_circle.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\offline_indonesian.html_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\flag_inactive_bottom.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\scrBottomLeft.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps5_trackpad_r_swipe_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_dpad_left_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\switchpro_rstick_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\xbox360_button_select.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_japanese.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_status_web_ingame.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_trackpad_r_swipe_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sc_touchpad_touch.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_button_a_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\LaunchEULADialog.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_grid_down.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\overlay_koreana.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps_dpad_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\switchpro_dpad_left_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_ltrackpad_ring.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\xbox_p4_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\xbox_button_share_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\filter_profanity_thai.txt.gz_	steam.exe
File created	C:\Program Files (x86)\Steam\package\steam_client_win32.installed	steam.exe
File created	C:\Program Files (x86)\Steam\logs\bootstrap_log.txt	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\btnStdRight.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\dropdown_online.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\emailreminder_close.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps5_trackpad_ring_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps_button_x.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sc_rb.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sc_touchpad.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\localization\steam_controller_russian.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\hp_r4.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sc_button_l_arrow_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_mouse_mid_click_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\filter_banned_hungarian.txt.gz_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\cloudsyncwarningdialog.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_045_move_0090.png_	steam.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	steamwebhelper.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SteamSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gldriverquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vulkandriverquery.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steamwebhelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steamwebhelper.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133763445887691904"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 40 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\ = "URL:steam protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\URL Protocol	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steam\Shell	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steamlink	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steamlink\Shell\Open	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steam\URL Protocol	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steamlink\DefaultIcon	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steamlink\URL Protocol	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\DefaultIcon	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\DefaultIcon	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steamlink\Shell	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\URL Protocol	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steam\ = "URL:steam protocol"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steam\DefaultIcon	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steam	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steam\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 359063.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5064	chrome.exe
5064	chrome.exe
2512	msedge.exe
2512	msedge.exe
1960	msedge.exe
1960	msedge.exe
1988	msedge.exe
1988	msedge.exe
4240	identity_helper.exe
4240	identity_helper.exe
2304	msedge.exe
2304	msedge.exe
1600	msedge.exe
1600	msedge.exe
1552	identity_helper.exe
1552	identity_helper.exe
2024	msedge.exe
2024	msedge.exe
2248	msedge.exe
2248	msedge.exe
3880	SteamSetup.exe
3880	SteamSetup.exe
3880	SteamSetup.exe
3880	SteamSetup.exe
3880	SteamSetup.exe
3880	SteamSetup.exe
3880	SteamSetup.exe
3880	SteamSetup.exe
3880	SteamSetup.exe
3880	SteamSetup.exe
3880	SteamSetup.exe
3880	SteamSetup.exe
3880	SteamSetup.exe
3880	SteamSetup.exe
3880	SteamSetup.exe
3880	SteamSetup.exe
3880	SteamSetup.exe
3880	SteamSetup.exe
3880	SteamSetup.exe
3880	SteamSetup.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe
21612	steam.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
21612	steam.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 34 IoCs

pid	Process
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe

Suspicious use of SendNotifyMessage 39 IoCs

pid	Process
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
21548	steamwebhelper.exe
21548	steamwebhelper.exe
21548	steamwebhelper.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3880	SteamSetup.exe
5080	steamservice.exe
21612	steam.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 2412	5064	chrome.exe	81
PID 5064 wrote to memory of 2412	5064	chrome.exe	81
PID 5064 wrote to memory of 4868	5064	chrome.exe	82
PID 5064 wrote to memory of 4868	5064	chrome.exe	82
PID 5064 wrote to memory of 4868	5064	chrome.exe	82
PID 5064 wrote to memory of 4868	5064	chrome.exe	82
PID 5064 wrote to memory of 4868	5064	chrome.exe	82
PID 5064 wrote to memory of 4868	5064	chrome.exe	82
PID 5064 wrote to memory of 4868	5064	chrome.exe	82
PID 5064 wrote to memory of 4868	5064	chrome.exe	82
PID 5064 wrote to memory of 4868	5064	chrome.exe	82
PID 5064 wrote to memory of 4868	5064	chrome.exe	82
PID 5064 wrote to memory of 4868	5064	chrome.exe	82
PID 5064 wrote to memory of 4868	5064	chrome.exe	82
PID 5064 wrote to memory of 4868	5064	chrome.exe	82
PID 5064 wrote to memory of 4868	5064	chrome.exe	82
PID 5064 wrote to memory of 4868	5064	chrome.exe	82
PID 5064 wrote to memory of 4868	5064	chrome.exe	82
PID 5064 wrote to memory of 4868	5064	chrome.exe	82
PID 5064 wrote to memory of 4868	5064	chrome.exe	82
PID 5064 wrote to memory of 4868	5064	chrome.exe	82
PID 5064 wrote to memory of 4868	5064	chrome.exe	82
PID 5064 wrote to memory of 4868	5064	chrome.exe	82
PID 5064 wrote to memory of 4868	5064	chrome.exe	82
PID 5064 wrote to memory of 4868	5064	chrome.exe	82
PID 5064 wrote to memory of 4868	5064	chrome.exe	82
PID 5064 wrote to memory of 4868	5064	chrome.exe	82
PID 5064 wrote to memory of 4868	5064	chrome.exe	82
PID 5064 wrote to memory of 4868	5064	chrome.exe	82
PID 5064 wrote to memory of 4868	5064	chrome.exe	82
PID 5064 wrote to memory of 4868	5064	chrome.exe	82
PID 5064 wrote to memory of 4868	5064	chrome.exe	82
PID 5064 wrote to memory of 4140	5064	chrome.exe	83
PID 5064 wrote to memory of 4140	5064	chrome.exe	83
PID 5064 wrote to memory of 2936	5064	chrome.exe	84
PID 5064 wrote to memory of 2936	5064	chrome.exe	84
PID 5064 wrote to memory of 2936	5064	chrome.exe	84
PID 5064 wrote to memory of 2936	5064	chrome.exe	84
PID 5064 wrote to memory of 2936	5064	chrome.exe	84
PID 5064 wrote to memory of 2936	5064	chrome.exe	84
PID 5064 wrote to memory of 2936	5064	chrome.exe	84
PID 5064 wrote to memory of 2936	5064	chrome.exe	84
PID 5064 wrote to memory of 2936	5064	chrome.exe	84
PID 5064 wrote to memory of 2936	5064	chrome.exe	84
PID 5064 wrote to memory of 2936	5064	chrome.exe	84
PID 5064 wrote to memory of 2936	5064	chrome.exe	84
PID 5064 wrote to memory of 2936	5064	chrome.exe	84
PID 5064 wrote to memory of 2936	5064	chrome.exe	84
PID 5064 wrote to memory of 2936	5064	chrome.exe	84
PID 5064 wrote to memory of 2936	5064	chrome.exe	84
PID 5064 wrote to memory of 2936	5064	chrome.exe	84
PID 5064 wrote to memory of 2936	5064	chrome.exe	84
PID 5064 wrote to memory of 2936	5064	chrome.exe	84
PID 5064 wrote to memory of 2936	5064	chrome.exe	84
PID 5064 wrote to memory of 2936	5064	chrome.exe	84
PID 5064 wrote to memory of 2936	5064	chrome.exe	84
PID 5064 wrote to memory of 2936	5064	chrome.exe	84
PID 5064 wrote to memory of 2936	5064	chrome.exe	84
PID 5064 wrote to memory of 2936	5064	chrome.exe	84
PID 5064 wrote to memory of 2936	5064	chrome.exe	84
PID 5064 wrote to memory of 2936	5064	chrome.exe	84
PID 5064 wrote to memory of 2936	5064	chrome.exe	84
PID 5064 wrote to memory of 2936	5064	chrome.exe	84
PID 5064 wrote to memory of 2936	5064	chrome.exe	84

C:\Users\Admin\AppData\Local\Temp\SteamtoolsSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SteamtoolsSetup.exe"
1⤵
PID:1920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1ce6cc40,0x7ffe1ce6cc4c,0x7ffe1ce6cc58
  2⤵
  PID:2412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1852,i,152707719875715653,4745201304018557298,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1848 /prefetch:2
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,152707719875715653,4745201304018557298,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2140 /prefetch:3
  2⤵
  PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,152707719875715653,4745201304018557298,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2236 /prefetch:8
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,152707719875715653,4745201304018557298,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,152707719875715653,4745201304018557298,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3596,i,152707719875715653,4745201304018557298,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4368 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4788,i,152707719875715653,4745201304018557298,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:8
  2⤵
  PID:1372
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:4256
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff745be4698,0x7ff745be46a4,0x7ff745be46b0
    3⤵
    - Drops file in Windows directory
    PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3752,i,152707719875715653,4745201304018557298,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4640,i,152707719875715653,4745201304018557298,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:4232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5060,i,152707719875715653,4745201304018557298,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5240,i,152707719875715653,4745201304018557298,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3492 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3432,i,152707719875715653,4745201304018557298,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:1212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3532,i,152707719875715653,4745201304018557298,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5048,i,152707719875715653,4745201304018557298,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3828,i,152707719875715653,4745201304018557298,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:1616

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe1d033cb8,0x7ffe1d033cc8,0x7ffe1d033cd8
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,3858198764471672274,5865842412862952355,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2016 /prefetch:2
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,3858198764471672274,5865842412862952355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,3858198764471672274,5865842412862952355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,3858198764471672274,5865842412862952355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,3858198764471672274,5865842412862952355,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,3858198764471672274,5865842412862952355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,3858198764471672274,5865842412862952355,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2012,3858198764471672274,5865842412862952355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3836 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,3858198764471672274,5865842412862952355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,3858198764471672274,5865842412862952355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,3858198764471672274,5865842412862952355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
  2⤵
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,3858198764471672274,5865842412862952355,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,3858198764471672274,5865842412862952355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,3858198764471672274,5865842412862952355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4328 /prefetch:1
  2⤵
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,3858198764471672274,5865842412862952355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,3858198764471672274,5865842412862952355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:3804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe1d033cb8,0x7ffe1d033cc8,0x7ffe1d033cd8
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,6642410112692843967,14744498049579030952,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1956 /prefetch:2
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,6642410112692843967,14744498049579030952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,6642410112692843967,14744498049579030952,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
  2⤵
  PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6642410112692843967,14744498049579030952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6642410112692843967,14744498049579030952,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6642410112692843967,14744498049579030952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6642410112692843967,14744498049579030952,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6642410112692843967,14744498049579030952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:2888
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,6642410112692843967,14744498049579030952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6642410112692843967,14744498049579030952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  PID:2804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,6642410112692843967,14744498049579030952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6642410112692843967,14744498049579030952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6642410112692843967,14744498049579030952,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6642410112692843967,14744498049579030952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6642410112692843967,14744498049579030952,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2172 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6642410112692843967,14744498049579030952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6642410112692843967,14744498049579030952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,6642410112692843967,14744498049579030952,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6032 /prefetch:8
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,6642410112692843967,14744498049579030952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2248
- C:\Users\Admin\Downloads\SteamSetup.exe
  "C:\Users\Admin\Downloads\SteamSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3880
- - C:\Program Files (x86)\Steam\bin\steamservice.exe
    "C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:5080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4820

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:2972
- C:\Program Files (x86)\Steam\steam.exe
  "C:\Program Files (x86)\Steam\steam.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:21612
- - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
    "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=21612" "-buildid=1731433018" "-steamid=0" "-logdir=C:\Program Files (x86)\Steam\logs" "-uimode=7" "-startcount=0" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Program Files (x86)\Steam\clientui" "-steampath=C:\Program Files (x86)\Steam\steam.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write "--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt" --disable-quick-menu "--enable-features=PlatformHEVCDecoderSupport" "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal,ValveFFmpegAllowLowDelayHEVC"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Checks processor information in registry
    - Suspicious use of SendNotifyMessage
    PID:21548
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=crashpad-handler /prefetch:4 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files (x86)\Steam\dumps" "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1731433018 --initial-client-data=0x288,0x28c,0x290,0x284,0x294,0x7ffe1c86af00,0x7ffe1c86af0c,0x7ffe1c86af18
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:8544
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1731433018 --steamid=0 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1572,i,307756503955367539,7363770148395921242,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=1576 --mojo-platform-channel-handle=1564 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:21144
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1731433018 --steamid=0 --field-trial-handle=2140,i,307756503955367539,7363770148395921242,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=2144 --mojo-platform-channel-handle=2136 /prefetch:11
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:20500
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1731433018 --steamid=0 --field-trial-handle=2708,i,307756503955367539,7363770148395921242,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=2712 --mojo-platform-channel-handle=2704 /prefetch:13
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:19544
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1731433018 --steamid=0 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3020,i,307756503955367539,7363770148395921242,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=3024 --mojo-platform-channel-handle=3016 /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:19948
- - C:\Program Files (x86)\Steam\bin\gldriverquery64.exe
    .\bin\gldriverquery64.exe
    3⤵
    - Executes dropped EXE
    PID:18648
- - C:\Program Files (x86)\Steam\bin\gldriverquery.exe
    .\bin\gldriverquery.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:18904
- - C:\Program Files (x86)\Steam\bin\vulkandriverquery64.exe
    .\bin\vulkandriverquery64.exe
    3⤵
    - Executes dropped EXE
    PID:18732
- - C:\Program Files (x86)\Steam\bin\vulkandriverquery.exe
    .\bin\vulkandriverquery.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6680

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004C8
1⤵
PID:17908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Steam\Steam.exe

Filesize
4.2MB

MD5
33bcb1c8975a4063a134a72803e0ca16

SHA1
ed7a4e6e66511bb8b3e32cbfb5557ebcb4082b65

SHA256
12222b0908eb69581985f7e04aa6240e928fb08aa5a3ec36acae3440633c9eb1

SHA512
13f3a7d6215bb4837ea0a1a9c5ba06a985e0c80979c25cfb526a390d71a15d1737c0290a899f4705c2749982c9f6c9007c1751fef1a97b12db529b2f33c97b49

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
1KB

MD5
6e6a2b18264504cc084caa3ad0bfc6ae

SHA1
b177d719bd3c1bc547d5c97937a584b8b7d57196

SHA256
f3847b5e4a40d9cf76df35398bb555117dfe3626c00a91f2babdedb619d6ad53

SHA512
74199ff275400b451642cde0a13b56709735676959d65da11ac76dd645ab11dac5de048ff7ede0cb8adb3a3056b3ecbeb3dc7481bac3768d02051e564c74b679

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
15KB

MD5
06d10c88dfaf3d83210d28894a0a462c

SHA1
fac86a09b40b7ff8e4c74cfaf4347cd07254791d

SHA256
5de97f762e68e30d7e67d2e859a93f6bb7c3a623a73cad1a445579054eeee19e

SHA512
0ceb09a6e5b1aa3766c72b05ac92b2d3be9a4ec3ec0944058139f68f075235ded4f87594a4c1c143e0e4bb7e6586f878a0f86790a78d6a47b7589b3e62a52477

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
1KB

MD5
a2ec2e91c3ef8c42e22c4887d032b333

SHA1
e2c738a2e9400535b74e2263c7e7d1ecefe575f2

SHA256
8f9f970835f133258a7f740126012439385bbaa5a1d6a9d0d967a390977441c3

SHA512
b069d241efb19e09ec8b5e60ef6c43e00d5cc0f774b9340127c2180356dd1964ac625c1afdfaee5f99e72b26f56046fc329aadbbc365b403af765a55e9c9aab3

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf~RFe5c170a.TMP

Filesize
184B

MD5
3cdebc58a05cdd75f14e64fb0d971370

SHA1
edf2d4a8a5fc017e29bf9fb218db7dd8b2be84fe

SHA256
661f122934bbc692266940a1fe2e5e51d4d460efb29d75695b8d5241c6e11da7

SHA512
289c40fae5ec1d3dd8b5b00dd93cf9cada2cb5c12bcfefea8c862ddf0a16dced15d6814dad771af9103b3a5d3016d301ee40058edde3fdea30d9767146d11cd6

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_

Filesize
15KB

MD5
577b7286c7b05cecde9bea0a0d39740e

SHA1
144d97afe83738177a2dbe43994f14ec11e44b53

SHA256
983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824

SHA512
8cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_news_mousedown.tga_

Filesize
20KB

MD5
00bf35778a90f9dfa68ce0d1a032d9b5

SHA1
de6a3d102de9a186e1585be14b49390dcb9605d6

SHA256
cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2

SHA512
342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041

Download Submit
C:\Program Files (x86)\Steam\package\tmp\resource\filter_clean_bulgarian.txt.gz_

Filesize
23B

MD5
836dd6b25a8902af48cd52738b675e4b

SHA1
449347c06a872bedf311046bca8d316bfba3830b

SHA256
6feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64

SHA512
6ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\875cd2b6-f949-48d7-aeaa-749b425d7b4d.tmp

Filesize
9KB

MD5
2392fbd4510c05d4349ae19a16f85df4

SHA1
9692e74905ae62ed5401cb2210771c11a3e5489f

SHA256
bcced93facbac0078adf55ee012bfcae173605fa74973a17f1819058935046eb

SHA512
457799d0a31545e3ffea5c99a3d509b6ce914389372bd2e023bf92304b560e5dfd2ff5814d5a5aac069af9449e19fd4703631fd99f54dcb7865cd53a2d16dc51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a63a1a396d3064004e4656110da1ee13

SHA1
286e05b4ec56d3dda573c6d9e970ac53f34cccbe

SHA256
cadd8eca50ef1a3a89fb5008e10820fb663747a237da2dd3cd27d5d973f287d8

SHA512
1492b4d8cba3e9fde2a7810f0ac8647746bd7ea738d0544607678b180110817e8bf5d4982055d364277a4eea66f609ddfe0b535a3b331278d1207a2e69afefcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
c8b3b08e44e0f83eb6e067e582f28e0f

SHA1
78525851ef6ca212cb6d9e21b5e2ec5f0929b20a

SHA256
c7d26acbe796b7c5a0205fbacf8c01ba91b94c7a5c177cbe724eb18ea041e53f

SHA512
a99c0cbfc17e53d203af5a2eed92dab6c5cf330c6cd9025654eb0b6a2df5515ee8721ab22cee6407cbe73ebf517af12a29c048953f7f78db68cf781ab4b793a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f36fc629dfcbb39f6e55bad7b7cb6bb2

SHA1
ae22a098c092d619f5ff181907eb2cea4b52b0f9

SHA256
9f73f067a6afc6b2039075cd1133853c335177640a3eb5add9f0bdf033799246

SHA512
62c97f30e31ff8c3732875434ea35777ecbc3114f0a88265e449f77d41b98755aefd0809133469d9bfb1756edd9830035d243f7d96a94dcb383dd797746f6ff9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
3091b0852882d6ce82b5c17e344f1048

SHA1
e4b63421efde821df32923610906f88d3a98a9ce

SHA256
c1e37b932c27195802d88ce93c2ffd506b92f184a830ca5257c4811d2726dfdb

SHA512
8abed705069b0b2d69b85a9ebf2dbcbd5288db5ab99f31819df5d7122a07943068096c96a3aabd6061cc5a3b37f56d8843b60f6f5e1ee22fab9649342394d3a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c4e17cff19245183c4e996eb36c1c5c1

SHA1
dded15f699262c967a1637543fa0121a4512c8af

SHA256
4f5937ef3e0751c7a45c0c4b3df273ab0606f8cfe9a508677222ae6fc89df4c9

SHA512
7bd114ac2e3a1b530d0349ab8f0345162a5a013891d1f4751118be6598a0aff9b0a05249ff4ad6fafccb8b1924801366198de7afe04323ceb88e7defa932cba2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
32e503b61ffb146429981ba07ded4b84

SHA1
ae433b49f1dad86beab5fc5bf0c26729104bf28e

SHA256
7680f56a6271afb2dde7653636a3bcfed375af41ef8e7a12e4d3f505f8215c58

SHA512
529921cd583c08d2f04f3c374322e7f8d4733ac91c8d8bdd7aa9cfe9568567e673ae7eb08a661f6e8486ca3d279fae74ed408e06e34a3d4e14174bb81b9e0a3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4f9ffb8704d604fdd959b51ace662042

SHA1
5eeecb770a71475c9fa8736fbefd47ae27d798b8

SHA256
a509afcf6a36caece3954ac61bf42dc83ee7efbe0735243de70f8712dc56a4eb

SHA512
80c21350b9aeaa86785e5369b7321915daa5690ff2def53f04b7be27174f7144f6721d4d4bfda201fcbc1d38a3fd2d9c46a3d62ce8a7f4355b0fc2c5f260f3d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a4bf55fac6c9cb357e7f6465115f29aa

SHA1
ed3fa394e258c9b91755c4562e1dc9ebd86e1206

SHA256
ef53e219f6137eb7bf92d76ed735cb5e68b3fecfcb59ab4ccb1b2edbc9f381dd

SHA512
05915c4f2e4a1bf80f7d23fb83ae25e64f5bc9e357d3e22bb0ad4b35afac7042d3fd51bb0030d4eaf0a9e3d2d9d991cf6404d2a82c0fd4b2d23e24fa8c311a75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
467ac6b3636e8ac50a3cecf9428af0ee

SHA1
7600882b967d119053aafdb55de512e044742556

SHA256
79dd626190f010733c96807c3018ea8741268d8b21a00d2444600b26e487b361

SHA512
f97201c61176988f1275f54e201e0db36e318891d354b032a1f0919645a4aa5f233d97691c598c2e71a3a9014267dfe921123e035d16c5afeb938056d7e95e74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
0c55d84764d38247532af63714c36c2c

SHA1
835327dd5d56f6d9809178235f4ca0535964af81

SHA256
6e9b2e766f9c7789aa44aca34ec0ea55705f83ddf17f1cb2f1013d24c3762db9

SHA512
84943b611feaa722d757d965d59cff2bc125ab81934ba0c8fd6f1a9a4e31aa08ed4723837fb0bd404bc8135694791b30b932b866c5245cc3b73a5059d885ab7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
695db693f9d78d2c5b842e2335e637ad

SHA1
24bf0f1ea2ac7589f681d6bff052af078e866e35

SHA256
66394e166707c3bd61741661eeccb9adea7beba5368d318f6a61a75b9dc2a7b7

SHA512
c0c8618c4181fbec5cd8e84faa8f3e52f6ed0b13cc3595c95e0368ffba8403f7e352232cee2066ef17be3346c4b03689f1a7242dbafe9150cefee60eb8ed9406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46e6ad711a84b5dc7b30b75297d64875

SHA1
8ca343bfab1e2c04e67b9b16b8e06ba463b4f485

SHA256
77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f

SHA512
8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdee96b970080ef7f5bfa5964075575e

SHA1
2c821998dc2674d291bfa83a4df46814f0c29ab4

SHA256
a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0

SHA512
20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
100d3d5b55d5107ed511419cc82c0ace

SHA1
b283d09a87db7ea17b192dd96ebfade35b097abc

SHA256
743417e56e127d9027b009613faf63a453dae6d94324e0da20b6f9b28c6b263f

SHA512
2ad9e86190195b8d7cc7673720ab77b9fed7ca70f3fe4f4bb7bad6dca8a4fc79ee4fbceedd60a921d2fb0665821d0365d43418efd1502e69f6b24b1ed73fb0c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
80010dc4071a073cdff4483cd26c1238

SHA1
d530f2f8d027a8f3eaceb96bfeb4523f354d238c

SHA256
0aa1bf4b6de96290433e74e3fee556b341bb56788251e98e5f782b54a5758f2a

SHA512
8ec499682e1c2c64b112760586cd19eb15114a629c6baff079f75936178c1fed0328b36a3bd7a0f935dd53cccd3342ea371a248493405cf4a97f235664e4442e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
1790b7e30b461882307461783d3f27af

SHA1
0dc0bdacb3b2ff264eb64f054679bb78b781babd

SHA256
d3f4321f65d36d0e506275f55e2303bd6301662bcc42ecc8788cf6bc413faca1

SHA512
275f36cfbee65362862e3c9ae66f82f1d0850fd0d92885e3ed98f9af0e57447f94ca5d12bd778224fdf01e77f8e6c324fd13cb2cefb808077a6aadd068359e95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
ec175b03744168bbe905050dc78cc30f

SHA1
124695eef76e752c73638b30cabd18bb128486ba

SHA256
6af74afd644a39f026c1a57ba7f641d6ef542495acd7d3dab6ecd9ad64aa4202

SHA512
e850bdb5c79c1a8d9cc828e690ad9493687db9938498f9f3d52bd39e179b255cea49cf633f843df4e9eca4509d2768e7f7ca0f9c534eec136ab3228b0d6ddce8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
eb2e4cb40a16be03ed908df026b8acfb

SHA1
756f40cfad305c8225771dcf3b6e45acb1c4c071

SHA256
69adf8b4d39ad82d4511f681377a4d5a4f392a6868016be63396f90c3431a4fe

SHA512
bb3b80d7975a44cc098b6cd8d2b0c79996517d275e1c24d9238e92f0c2c391215a379318821f39b446fe5724df1696f4b3a847006040ea2e84388fc155d6476b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
696B

MD5
8185e83e45566867ce34abf333c6e44f

SHA1
54494a99472cc0451880f80e8c98c6086995f71c

SHA256
68b67668c74cc95e40437c3f5183e893fd0168b29513f8266d247b436ed30b02

SHA512
7032a0efceae1f42f1d9045293f3b719949ad2be3da763c6106c4ec7fc244fb6c1bed2b23535524899209d5347bc0b655344ab7efeb26dc639fc832553bcce96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
101fd8e01a7d2699516947059ab5c644

SHA1
e4b07e39560ddd250bb8dd1b739019372bb88a45

SHA256
da54793d3d3a60e28af1c02776495e37bed4a6ff2e6a7ab00e2433e34d4b5c2b

SHA512
3fd6ab4c6b5dd077d71db511d9efa6c96eda37d855c1be690846c7705e25f02ffab869b159f5646b3c479b645e436476cfea415ef72f8431e11a489c1fa6f752

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
966f35decce704ade24c6fab8e1b6c67

SHA1
fe6f2b110f757be8464c0faab510f68c9de74b13

SHA256
8a97dc99752799175487e77d69be80ab82887b2bdad69c5486947a85315f7610

SHA512
eb76eb8025c48726ecb634bece6c3fb0b24148ca88265e771dbb02658852e89ca33fb745d3f384e00b9e8ea050bf45f1ac9a0b995f7addb2869f77dd0a2e6854

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies-journal

Filesize
12KB

MD5
b10d67b03068644a4a113f05f5c411fb

SHA1
4be7e57654860438996de670a47276f3e9a0b21b

SHA256
b1d0e0857252b52c0b45dd76cf994b1be2af611e1868d5a36b7a1a9043ada7bc

SHA512
dd0dffde3854cadd99a2d8e501f971efde2d44037f09d02fbf5393e6d4b106aa37d684ca2319b7f5003ef8160ad2de7268263fa3cc38e02266a871874c27322f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
db7661945d445da989209b679f17a7aa

SHA1
cf3e4546c01b94db344251de008c4eb5b60ea0ce

SHA256
0d2e806474e646181762acca57f56159b1de8b91d1a8ec8809aef980569c1f71

SHA512
d614224d71a87212cc30acc8747f7f5ca900ae59147ad8145c5717d02da65b50682111ab5d715ee6fd455adcfd7401a3eaee3640d1753ac356de5a49f5e8ee0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
742a0bd9097ddd940f001080b1da2e26

SHA1
a1cfdb08c333cbb644536b1d824a78f21cdd8d20

SHA256
e078da29c1f49406e0d2ddf1136ccfb445bde620ccbe0672fbd844e44a4425f4

SHA512
27be6d939db14a6f91c20f441e1f3b856e4ac4cc8e553614273bf497fbe3975416223832632dfaa153c63f171c3d1a43daf171c8f6e323e0beba9e560d57ca70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
623B

MD5
8d48da43cfaa921003a9c4f2c3b8223e

SHA1
423a4b9ffe6e5c154ba1e2c28fac7e7fa57052e4

SHA256
a1457198025fd1b99ad796632654decf558fb69e6e2db6b3d2fcac00b182ba63

SHA512
5499bd59283f72481760844d550eb4b190ffdae4d59a130b08b89a16e07ecdd57dfabad0179f99e00639fe37e2447c81431bfb80ec14de64296f95fba110bef2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
f921a4d66c17a5a91d7e9ff168da3899

SHA1
e638ea75e292f7ad1b8b97bd9ce09227506100d6

SHA256
5bf411b942917cd781e9b3fae69fb731f27126c725a7ea76c91d2e532b42d89f

SHA512
b4010afb551881744e271e6d9eb6ed452ac00f816e3437f2da79d06032af0720262ff56f03991b6ca18555088358ffbc65226f9e6944f1ee40330d5438cb9511

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
367B

MD5
264f5853a3f1207d5a8d5db5d22d188d

SHA1
f9fa3854c56f8853a0d3c1d697d5b3d3c668b087

SHA256
2e6d9fbaa3df1919071baaebee4c52ccc5e23643756843aaa1bc61c12d85adcd

SHA512
3dbbab35789610217ee372c42a322479054347200a6e586150d98b8db0fc585da9b21db365fb8a3afb2f5f95eb4543b7e6135d8f35f0bb793865a4234e1d932f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
196B

MD5
99e4c5f9939e49a53fb7dc19a6f95154

SHA1
1ccaa5af13431b01d924b216e6329878cdbd5a08

SHA256
51d31f383be2000475978e2242305075b3660149a7641f40c6d8b159b1d7f1e2

SHA512
41ab2ba763c8096cb14dfd1dbd3b2a77fe1ba3909294fda63167c94b06ab265191b947c8ae8a45b32766c7f0c77e016d6100d970cfc84b68ddff00d87dd40263

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2447082ca24e74b218a438345f74c55a

SHA1
55977bc7b96cec24a4ce4b86386a5a6b91a109ad

SHA256
e9c472ceaa320219a1d1b368861354c37e3827ba3797be557bbc9785384e41d8

SHA512
55f4fa66fa98698fb0989ca7eafe108fcfb8b5fe12b44da1061ef16471017d209177878eb91310cf8deeed356f5ba4e8dc8b44e265af8cd80048338d19707832

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ccf3a5e60b0c106159c3e1cb8fdf9e53

SHA1
637cbf0eb44320176411fc1fb99fa323e179f1c5

SHA256
662023847d219fa451fe31c569ca61f25866790eefe843548ba69893f273df3d

SHA512
5fc69b8110935373de165f6707b020d5b329e2dfd84255fb1f785894caf2d3328bc9696bd548d1970aa05550d5461cf23c679bd5e85657555aadfa87cd207869

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
06d5c80931d2480c61a27f45c43c293b

SHA1
3a2fae8e8ecc5f7d98e594fb984471902cac5ea8

SHA256
1e7ee997d73c6073bddd22bbc33ac3da37d1880b73c2f11721238bf73db1f7f4

SHA512
392dc067cb8ec852655f989de915a68afddf3ccafcb766a099f6ad4058692442cd9160710c493267a91032e893be2ca347a7653c6c602cf6d0b06e10c05a0630

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
720d6e1e1c4fda80e5fce2366ae24dec

SHA1
2e6009a905f9c7f4158d60db56098e9fb9bf3e75

SHA256
1240feae1e633c978214d18f96a831a72b0be76578f76bdc2863ec27447460db

SHA512
ef0afd18022b352623493e3042f696209821737dbfbec84b893871353bf1edd79448ccb094f5f9ca0d02bfece2fd9195ace314954cea817460466ae8d8623458

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
146772a1aa73d78de3a69a7903ca3889

SHA1
5865f578fa5a33b15d3bef1f6c3892ef87bc668a

SHA256
e9093f668b680d19cf3bd0f85de566fe2e7a30d51e76ae2a77d9299b0d4fc7cf

SHA512
601b64b11ee8361a368a563112ff6eaa51f568c357d22daba1504b8cd6b06941e349e6086cbaa689795e613e018338b08a7a62f47cb5c80e0be9fccdd4ee5225

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6702e9bd1e73ecb9608dde41eb0569f0

SHA1
0e5360ebe3e1183e7c5ba9e1f6987ea80ff885fd

SHA256
573a53ceb848253448d40f4689afe9b685e17bc1a5d72c723ab50d32bec5f014

SHA512
95d16daf6df1472226353e51bb865a8056568bc7eaa51bcaf77df67729a50c79c09407f7bb709b5d80e1fe3d0b97de48f7fc6c425bfd3190fb798a926e46a872

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ef8f7817a29fe294c7ebafd90f38f06d

SHA1
31c1e394e9d5682619e567651573dd32e842d4e4

SHA256
09e71e594d964399df4521397ecaaa1ab66f262cb82305b26605a2e644ed3329

SHA512
5f58b5f6161337575ded833440ffc182f89adb51358c978f6c1d95a123da9c1fecba2fca2a291e4c03872eeb48994d673ef79e809332a1179d68ff7113f9b291

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
62c85bcf247fa683ac52b863da0423ba

SHA1
db25a5746feaff99ea513af105e05fa3b5fbd682

SHA256
e76f144a5e6c111786b8e5435f277fcf4522165c768790b8f71668e80e0080e7

SHA512
04449765ded2d75d725227b8f1f5a4787438d663bd36a965d4f4070c8b511f881c2e9cbf478224b496685708ffb808e201453971f951fb0475c6c4f22cd1b82a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
156B

MD5
fa1af62bdaf3c63591454d2631d5dd6d

SHA1
14fc1fc51a9b7ccab8f04c45d84442ed02eb9466

SHA256
00dd3c8077c2cca17ea9b94804490326ae6f43e6070d06b1516dfd5c4736d94d

SHA512
2c3184f563b9a9bff088114f0547f204ee1e0b864115366c86506215f42d7dbf161bc2534ccaee783e62cc01105edffc5f5dabf229da5ebd839c96af1d45de77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
7e4dc770e77571c695af54494c4bcacb

SHA1
a9051fa81e1585c79fe8fccbe9a091cde999500b

SHA256
277c0bfc9ee4ec2cac741b45456b5ead25000334bf533d1c20a14566e7a3d63d

SHA512
91c12bbb4640301fc3f4297bb1ccf4d573d7241b3281a6f79dad2d2de3d0a4e747f29a976ca3493a7354833ef7423df933ff934a7bfc8d37e5b2de14370ea1ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13376344655526183

Filesize
3KB

MD5
e468c7d1ed74e03b2c7e91d4c993b5e1

SHA1
656579a606023544d6510b6c251d3ba9f509e0f7

SHA256
432aefd82218927fa4d3f146c5fa9736787e178530759d8521b20cf119486d6d

SHA512
1fbd04ef3d0a4ae080188472f298b86c15df068bff582e46b6cd437045a1308cadca620e9c99254ad6d92b906d2f42a5a51c0dd1f550e9233ed78bb4f5f6f685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
100B

MD5
5bb5f7141923b338927edb0a71898ee8

SHA1
ba27adb38be83fee3339daa3cadae001b33d32e1

SHA256
fe84ff50b3c61310f0723c00cea55bffd595137e7a6eeac191d4eebc564e880e

SHA512
332e253958146be0dd35583c82cbcadaec06ec0d81099c0881f30ff69e7190e5bbf57bc526d1b353855be89c8b7bbc5fbdc87d95c014133caffcf0f265652aa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
c4a7a2eec52f62c795b082a0ef6411b1

SHA1
bc0b4318c90d4dd5112f6abc56de97203fb58221

SHA256
f51c808bea7812a80923419fa7c4ec33b6005b762de2a4c52496432bedf3a4a5

SHA512
4ce28a42789b75850b8c9adabfb771f7328f99058134eb7bc59f899c1acfb48c21babe8149319f93781ead659f4a92c78d3e829ad2bda661eeed3e8fab1876c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
2b3550ff8b5a9e32a2dbe9d5e1db17ec

SHA1
cd4017d82fffaf2fd2c5066a03885417bf24280e

SHA256
156af877de365e88fd92f8eb76883564ba47c4454830b7f528645687d3cff32d

SHA512
ba89f76a03143b17dde63ea300ea04661f9934ddf279750a1098a97335118e7928d48d3a73b11e11aeb9d2580fa08448820c56785afa615970d5851fab666883

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
368B

MD5
15bc775f8b4cffd0ad1ce0e170d362b5

SHA1
39705000f9846dd8180965d265c3ab27d17639cb

SHA256
4b272901d5487f5f820a4a83e2581a68935d0e468473599fbcfeb64f73be6608

SHA512
bc4f67a7841cb78e376a9d9e86f3252c924f5796ad984e3491001140594adc36af43f9f5f06a7231c9f13877435f7d1fcbda1cfeedd0df796fb20b3886fae885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
d2438801024c7d29ba5a18a5dfa3362d

SHA1
39ec5f7727de73f8f4ffefaea4de563c85a65e6d

SHA256
99ffd7d973f7eda508f4117f04a67ae08773dd9edfea7778f26b440563cf64b1

SHA512
b485c9f742894dbcd94c863f5df192ca66426c941c694d866781d5b4612b4aceecdcbd1810fcb0908f977a247d8cd4f574617dba68d71431d8e1189bb82f23b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c1db80e0-658e-49f2-b92d-c630e30b7366.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal

Filesize
1.4MB

MD5
62e2d22717fd43973023dc3d57ca0b9f

SHA1
1ac28e0d8eaf55e7940309d06ee91ecd8e887346

SHA256
6c1c2800cb41860cbd29ac136671dc2c043f51b3df819abbf5c200700c14806e

SHA512
b834fe0962a8fefd5e0f62f75ed6fe032f17539b67085688d7a98d009afa27095c92a10b56bbb86da62d91a37ac70b0d5c71cde20c1063e0ffdd6ba0bd5c03dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
19B

MD5
0407b455f23e3655661ba46a574cfca4

SHA1
855cb7cc8eac30458b4207614d046cb09ee3a591

SHA256
ab5c71347d95f319781df230012713c7819ac0d69373e8c9a7302cae3f9a04b7

SHA512
3020f7c87dc5201589fa43e03b1591ed8beb64523b37eb3736557f3ab7d654980fb42284115a69d91de44204cefab751b60466c0ef677608467de43d41bfb939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
2c68a3ace080ac4ade3ad0bba979feee

SHA1
0410643756161f7802e671b1fdaa16f63848359b

SHA256
77d6393c21635256d740dd177075e4b1e0542c9e38ca941eb496e1817469d5a7

SHA512
523f1f92b4710bfe04fcf700201d2fafdc00eb34acb998c89d5c1a76526c9e5d641ad5211175dbf934ad83dc3f2be37316f9112039c04351b711f004344401e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
318B

MD5
ca9c692848c9a67f8dc41bd366479b86

SHA1
f1607e5e1a68dec2b845d78e2f28dccaf34f7d2d

SHA256
d595ade75f45f5543bd907e3a494913b482c1acce1b8b6ceb3c81e6111f2abae

SHA512
05bfb54310cb488201b23ef897d43f6925c099ffd49e1e4cb3b2670fd788859a79b6630aa3131d59890f449bfff1cea0f161652e72841e38e4a4dc1681500f93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
967b795bd13b972d49d293f133bb314f

SHA1
cd592bc89245ff503243fd45e28f9c266d9317a2

SHA256
9c6f2a4e729a58159e36ef00af0d948f2191ec7cad77f509b297cea78f33b0bc

SHA512
b9fa59c7aac9744cbb86e284c4b0e88a4fc6d15f761dc9a7b7bd5a588aa663eec3b8e56d0ae6365aa9e7c5b34b994fa7a444f89c642889891c8823ec5b8694a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
93a98c9ba41fa83932e1b19f024d1133

SHA1
1ad7bbd2d6dbf5297c5d738bb3b9f86ca3382df3

SHA256
0e4334c459701fd24e42c8578ae09eac4d3baf96b58b8a902d69d8a9a9aa4f1f

SHA512
d5efef3b725a5bf9f586a35b88adde286d17fdb3a1fe2796781565f864ec160d54def1f0d2f099397eca5638233f75e210a67dea6e2883568e337b28e4da76f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
85efb4c2375bf5ef35d2d6cc6d0040b8

SHA1
3425d2cb1a3b85e492e15937d2cdeb3a5bf51c6b

SHA256
147d646b17412322dc474c548cede7f47a4245ede6eeaa1ee9dcb99fb59dd7aa

SHA512
be55d4da6c67b2acf8f45bceb5c4abef12da2ed50b4a39e81417092019354bcfc75e72b68b983caa98f3cd61e61a80a12693384a70aa6b53d2aa76d7cb744d3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
04a1cf27c9ea5ea96ddb5fc47add4ef5

SHA1
7494e1e0b6f1cd6b504ca888e1425efce665b3c5

SHA256
d3e96888ba33922bbb7ba953cf10a336ec9a992a33e57d4ea9d726572967c2b5

SHA512
07fd75f1b66546600845f500141c5a5dc6f72e1a609e01c8688d7adc87324f568798c8913862598823113ef2d75a646b3467ea10b61ed1bdf79451df0af2d836

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
5cddb3f46d1c2436de3f54b050bdc5a2

SHA1
e9268a5c30c24d327bd1e71c6ccaecb3c24766c7

SHA256
079ca4359f2765c3bc02cbf0f74fae119ffeadfc0152283c730b68fad5bb3583

SHA512
118ed0bf063eeb90df97264393aeaab889b2c557b87bb17e073294f56165ca75d4cceadf41c7e37ace04fa1ad66a7e4bf09f1ed9d98df62767848a8213f3da55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
0fb7f14f81f000595c4e52a005472ba3

SHA1
7bfa5a79878b2ee83812806c6217de79b537c047

SHA256
758f24448939cb78eb04b6f274f7fa79cd9adbeef58c255d816ef3ca328bc1b7

SHA512
5dacabbd4ce94bd5763a4270f77194d8b20f7b567d95c8567e749dc2a7fd00fff6e1f32460d7b86d0321c48594540bc6ee1ce37e976e8d2e0b11d26a5d63b1e5

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\DawnWebGPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\DawnWebGPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\DawnWebGPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshED27.tmp\StdUtils.dll

Filesize
110KB

MD5
db11ab4828b429a987e7682e495c1810

SHA1
29c2c2069c4975c90789dc6d3677b4b650196561

SHA256
c602c44a4d4088dbf5a659f36ba1c3a9d81f8367577de0cb940c0b8afee5c376

SHA512
460d1ccfc0d7180eae4e6f1a326d175fec78a7d6014447a9a79b6df501fa05cd4bd90f8f7a85b7b6a4610e2fa7059e30ae6e17bc828d370e5750de9b40b9ae88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshED27.tmp\System.dll

Filesize
22KB

MD5
a36fbe922ffac9cd85a845d7a813f391

SHA1
f656a613a723cc1b449034d73551b4fcdf0dcf1a

SHA256
fa367ae36bfbe7c989c24c7abbb13482fc20bc35e7812dc377aa1c281ee14cc0

SHA512
1d1b95a285536ddc2a89a9b3be4bb5151b1d4c018ea8e521de838498f62e8f29bb7b3b0250df73e327e8e65e2c80b4a2d9a781276bf2a51d10e7099bacb2e50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshED27.tmp\modern-wizard.bmp

Filesize
150KB

MD5
3614a4be6b610f1daf6c801574f161fe

SHA1
6edee98c0084a94caa1fe0124b4c19f42b4e7de6

SHA256
16e0edc9f47e6e95a9bcad15adbdc46be774fbcd045dd526fc16fc38fdc8d49b

SHA512
06e0eff28dfd9a428b31147b242f989ce3e92474a3f391ba62ac8d0d05f1a48f4cf82fd27171658acbd667eaffb94cb4e1baf17040dc3b6e8b27f39b843ca281

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshED27.tmp\nsDialogs.dll

Filesize
20KB

MD5
4e5bc4458afa770636f2806ee0a1e999

SHA1
76dcc64af867526f776ab9225e7f4fe076487765

SHA256
91a484dc79be64dd11bf5acb62c893e57505fcd8809483aa92b04f10d81f9de0

SHA512
b6f529073a943bddbcb30a57d62216c78fcc9a09424b51ac0824ebfb9cac6cae4211bda26522d6923bd228f244ed8c41656c38284c71867f65d425727dd70162

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshED27.tmp\nsExec.dll

Filesize
17KB

MD5
2095af18c696968208315d4328a2b7fe

SHA1
b1b0e70c03724b2941e92c5098cc1fc0f2b51568

SHA256
3e2399ae5ce16dd69f7e2c71d928cf54a1024afced8155f1fd663a3e123d9226

SHA512
60105dfb1cd60b4048bd7b367969f36ed6bd29f92488ba8cfa862e31942fd529cbc58e8b0c738d91d8bef07c5902ce334e36c66eae1bfe104b44a159b5615ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshED27.tmp\nsProcess.dll

Filesize
15KB

MD5
08072dc900ca0626e8c079b2c5bcfcf3

SHA1
35f2bfa0b1b2a65b9475fb91af31f7b02aee4e37

SHA256
bb6ce83ddaad4f530a66a1048fac868dfc3b86f5e7b8e240d84d1633e385aee8

SHA512
8981da7f225eb78c414e9fb3c63af0c4daae4a78b4f3033df11cce43c3a22fdbf3853425fe3024f68c73d57ffb128cba4d0db63eda1402212d1c7e0ac022353c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 359063.crdownload

Filesize
2.3MB

MD5
1b54b70beef8eb240db31718e8f7eb5d

SHA1
da5995070737ec655824c92622333c489eb6bce4

SHA256
7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb

SHA512
fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb

Download Submit
memory/2972-13042-0x0000000000D70000-0x0000000001222000-memory.dmp

Filesize
4.7MB

Download
memory/19544-13077-0x00007FFE2A4F0000-0x00007FFE2A4F1000-memory.dmp

Filesize
4KB

Download
memory/19544-13078-0x00007FFE2C0A0000-0x00007FFE2C0A1000-memory.dmp

Filesize
4KB

Download
memory/19948-13193-0x0000027B96550000-0x0000027B965FF000-memory.dmp

Filesize
700KB

Download
memory/21548-13190-0x000002E947620000-0x000002E94767D000-memory.dmp

Filesize
372KB

Download
memory/21612-13185-0x000000006E340000-0x000000006F680000-memory.dmp

Filesize
19.2MB

Download