hxxps://steamtools[.]net/res/SteamtoolsSetup[.]exe

Analysis

max time kernel
149s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
19-11-2024 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://steamtools.net/res/SteamtoolsSetup.exe

Score

8^/10

steam defense_evasion discovery phishing

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1520	SteamtoolsSetup.exe
1816	SteamSetup.exe

Loads dropped DLL 3 IoCs

pid	Process
1816	SteamSetup.exe
1816	SteamSetup.exe
1816	SteamSetup.exe

Detected potential entity reuse from brand STEAM.
phishing steam

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\SteamtoolsSetup.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SteamSetup.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133765197695990689"	chrome.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 137034.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\SteamtoolsSetup.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 238832.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4868	msedge.exe
4868	msedge.exe
5284	msedge.exe
5284	msedge.exe
5312	msedge.exe
5312	msedge.exe
5812	identity_helper.exe
5812	identity_helper.exe
5800	msedge.exe
5800	msedge.exe
6120	chrome.exe
6120	chrome.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3628	msedge.exe
3628	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	6120	chrome.exe
Token: SeCreatePagefilePrivilege	6120	chrome.exe
Token: SeShutdownPrivilege	6120	chrome.exe
Token: SeCreatePagefilePrivilege	6120	chrome.exe
Token: SeShutdownPrivilege	6120	chrome.exe
Token: SeCreatePagefilePrivilege	6120	chrome.exe
Token: SeShutdownPrivilege	6120	chrome.exe
Token: SeCreatePagefilePrivilege	6120	chrome.exe
Token: SeShutdownPrivilege	6120	chrome.exe
Token: SeCreatePagefilePrivilege	6120	chrome.exe
Token: SeShutdownPrivilege	6120	chrome.exe
Token: SeCreatePagefilePrivilege	6120	chrome.exe
Token: SeShutdownPrivilege	6120	chrome.exe
Token: SeCreatePagefilePrivilege	6120	chrome.exe
Token: SeShutdownPrivilege	6120	chrome.exe
Token: SeCreatePagefilePrivilege	6120	chrome.exe
Token: SeShutdownPrivilege	6120	chrome.exe
Token: SeCreatePagefilePrivilege	6120	chrome.exe
Token: SeShutdownPrivilege	6120	chrome.exe
Token: SeCreatePagefilePrivilege	6120	chrome.exe
Token: SeShutdownPrivilege	6120	chrome.exe
Token: SeCreatePagefilePrivilege	6120	chrome.exe
Token: SeShutdownPrivilege	6120	chrome.exe
Token: SeCreatePagefilePrivilege	6120	chrome.exe
Token: SeShutdownPrivilege	6120	chrome.exe
Token: SeCreatePagefilePrivilege	6120	chrome.exe
Token: SeShutdownPrivilege	6120	chrome.exe
Token: SeCreatePagefilePrivilege	6120	chrome.exe
Token: SeShutdownPrivilege	6120	chrome.exe
Token: SeCreatePagefilePrivilege	6120	chrome.exe
Token: SeShutdownPrivilege	6120	chrome.exe
Token: SeCreatePagefilePrivilege	6120	chrome.exe
Token: SeShutdownPrivilege	6120	chrome.exe
Token: SeCreatePagefilePrivilege	6120	chrome.exe
Token: SeShutdownPrivilege	6120	chrome.exe
Token: SeCreatePagefilePrivilege	6120	chrome.exe
Token: SeShutdownPrivilege	6120	chrome.exe
Token: SeCreatePagefilePrivilege	6120	chrome.exe
Token: SeShutdownPrivilege	6120	chrome.exe
Token: SeCreatePagefilePrivilege	6120	chrome.exe
Token: SeShutdownPrivilege	6120	chrome.exe
Token: SeCreatePagefilePrivilege	6120	chrome.exe
Token: SeShutdownPrivilege	6120	chrome.exe
Token: SeCreatePagefilePrivilege	6120	chrome.exe
Token: SeShutdownPrivilege	6120	chrome.exe
Token: SeCreatePagefilePrivilege	6120	chrome.exe
Token: SeShutdownPrivilege	6120	chrome.exe
Token: SeCreatePagefilePrivilege	6120	chrome.exe
Token: SeShutdownPrivilege	6120	chrome.exe
Token: SeCreatePagefilePrivilege	6120	chrome.exe
Token: SeShutdownPrivilege	6120	chrome.exe
Token: SeCreatePagefilePrivilege	6120	chrome.exe
Token: SeShutdownPrivilege	6120	chrome.exe
Token: SeCreatePagefilePrivilege	6120	chrome.exe
Token: SeShutdownPrivilege	6120	chrome.exe
Token: SeCreatePagefilePrivilege	6120	chrome.exe
Token: SeShutdownPrivilege	6120	chrome.exe
Token: SeCreatePagefilePrivilege	6120	chrome.exe
Token: SeShutdownPrivilege	6120	chrome.exe
Token: SeCreatePagefilePrivilege	6120	chrome.exe
Token: SeShutdownPrivilege	6120	chrome.exe
Token: SeCreatePagefilePrivilege	6120	chrome.exe
Token: SeShutdownPrivilege	6120	chrome.exe
Token: SeCreatePagefilePrivilege	6120	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
6120	chrome.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1816	SteamSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5284 wrote to memory of 2580	5284	msedge.exe	77
PID 5284 wrote to memory of 2580	5284	msedge.exe	77
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 3372	5284	msedge.exe	78
PID 5284 wrote to memory of 4868	5284	msedge.exe	79
PID 5284 wrote to memory of 4868	5284	msedge.exe	79
PID 5284 wrote to memory of 2724	5284	msedge.exe	80
PID 5284 wrote to memory of 2724	5284	msedge.exe	80
PID 5284 wrote to memory of 2724	5284	msedge.exe	80
PID 5284 wrote to memory of 2724	5284	msedge.exe	80
PID 5284 wrote to memory of 2724	5284	msedge.exe	80
PID 5284 wrote to memory of 2724	5284	msedge.exe	80
PID 5284 wrote to memory of 2724	5284	msedge.exe	80
PID 5284 wrote to memory of 2724	5284	msedge.exe	80
PID 5284 wrote to memory of 2724	5284	msedge.exe	80
PID 5284 wrote to memory of 2724	5284	msedge.exe	80
PID 5284 wrote to memory of 2724	5284	msedge.exe	80
PID 5284 wrote to memory of 2724	5284	msedge.exe	80
PID 5284 wrote to memory of 2724	5284	msedge.exe	80
PID 5284 wrote to memory of 2724	5284	msedge.exe	80
PID 5284 wrote to memory of 2724	5284	msedge.exe	80
PID 5284 wrote to memory of 2724	5284	msedge.exe	80
PID 5284 wrote to memory of 2724	5284	msedge.exe	80
PID 5284 wrote to memory of 2724	5284	msedge.exe	80
PID 5284 wrote to memory of 2724	5284	msedge.exe	80
PID 5284 wrote to memory of 2724	5284	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://steamtools.net/res/SteamtoolsSetup.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc69d23cb8,0x7ffc69d23cc8,0x7ffc69d23cd8
  2⤵
  PID:2580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,12769180786496764175,9250526001554450094,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,12769180786496764175,9250526001554450094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,12769180786496764175,9250526001554450094,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2596 /prefetch:8
  2⤵
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12769180786496764175,9250526001554450094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:5620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12769180786496764175,9250526001554450094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:5824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12769180786496764175,9250526001554450094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12769180786496764175,9250526001554450094,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12769180786496764175,9250526001554450094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,12769180786496764175,9250526001554450094,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5796 /prefetch:8
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12769180786496764175,9250526001554450094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:5456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12769180786496764175,9250526001554450094,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,12769180786496764175,9250526001554450094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6096 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5312
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,12769180786496764175,9250526001554450094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6480 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,12769180786496764175,9250526001554450094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3208 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5800
- C:\Users\Admin\Downloads\SteamtoolsSetup.exe
  "C:\Users\Admin\Downloads\SteamtoolsSetup.exe"
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12769180786496764175,9250526001554450094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12769180786496764175,9250526001554450094,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12769180786496764175,9250526001554450094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12769180786496764175,9250526001554450094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:5828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12769180786496764175,9250526001554450094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6872 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12769180786496764175,9250526001554450094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6892 /prefetch:1
  2⤵
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12769180786496764175,9250526001554450094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12769180786496764175,9250526001554450094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7024 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12769180786496764175,9250526001554450094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1
  2⤵
  PID:5356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,12769180786496764175,9250526001554450094,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,12769180786496764175,9250526001554450094,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2508 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,12769180786496764175,9250526001554450094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2504 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3628
- C:\Users\Admin\Downloads\SteamSetup.exe
  "C:\Users\Admin\Downloads\SteamSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc56fecc40,0x7ffc56fecc4c,0x7ffc56fecc58
  2⤵
  PID:6104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,3257026478767881455,13657887769629886034,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1760,i,3257026478767881455,13657887769629886034,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1992 /prefetch:3
  2⤵
  PID:3604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,3257026478767881455,13657887769629886034,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2200 /prefetch:8
  2⤵
  PID:5836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,3257026478767881455,13657887769629886034,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3096 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3324,i,3257026478767881455,13657887769629886034,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4384,i,3257026478767881455,13657887769629886034,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4468 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4660,i,3257026478767881455,13657887769629886034,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4256 /prefetch:1
  2⤵
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4420,i,3257026478767881455,13657887769629886034,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4880 /prefetch:8
  2⤵
  PID:4708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3408,i,3257026478767881455,13657887769629886034,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3416 /prefetch:8
  2⤵
  PID:5492

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a7b6b676a7bff7d8f5c56920623516c5

SHA1
651fdc5cd59d508a7ea40a4e98ff37b9c3f7a515

SHA256
108ee63b6cc85cbe322550dafc4c5ac61a57e57e1fa0c16219b743bd49ff04ed

SHA512
09287abb61b3eb39affa87419b2cb321d673ae264b67214e73da1478ad5b0a9e0bb511c582d88fca5c5654dc0a1aecaf11c8f3656c1c71cbfa073fd7ac343898

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
cf067c3efb037190cabf8cb08b4892be

SHA1
863a275afd4ad0a2e509e78d9106b148383aeb21

SHA256
5f470151d722ad0f14de3b1aaed69872fcfc04db7c1b88d4e4af70974baf7e47

SHA512
96e622049cf2d20f06496b7c2f02af735020a43fdb5f1bf21b5fd550f7ece8845994e8c0d2c8977f4638fa4ae68eb05ebcef507a49d08d4ecbb1782f545db588

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
4d8a39d5e34e10ab92bde3210583baba

SHA1
9468d0683d0d83f7ec97276c039e9776c51a06e2

SHA256
a7317c29e5d91ca16f878add4262827e8979961b63e21fa7a66d118572f793f8

SHA512
29684c37a1a5fd261585802c77015623d3571f80645b7e03dede2b851f410edf43ce7da9c70b742ec2b441f856cad72fad54a4018db9c699fd9bb78f09b3b849

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
f9d9b5095bfd5e48b5441421c3380e80

SHA1
1bf287013ad074f598957f272f5c181a2ba07f03

SHA256
594adeb3358a603a0f4414ccb9e1766a5655482c79933512c21e52a0ead8a4da

SHA512
be5c6b7d83f561bc1614338cbc83da79d712f618920737883b46f7950dc955d086efece34ccc7a2be9a473f25e8cdda738e4ce4e2cb787e62f4981e30654ae9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
00847326bf42cb14ae570459da469fd6

SHA1
54736c50610b08f0254f0a6b819e763e4496287d

SHA256
f42f39564a86c19265f1e51f69b1a9868d7e264e1eaa23a2600f9065b5811d15

SHA512
cef06990b795c1b8f370525b31b7c625cdea5c1dce14f3272408efc4b3391aca6c47fbfae7165652e1cef55b9882041dfc9ece0463a1aac6cb570334e8831d77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d7d6e886fe9f4ef577b015ed3d7f885a

SHA1
6822840fcb63729d8e3094a64f15e089cef3fb9f

SHA256
c2f0b1aa82dfe8f1f3ac5dab8c11f3e5c363e7eec6b5695b61fb989ba2d62e15

SHA512
676329d77ddbf2f7c0eb76cabe92c9407a262f9c624b729b62eddaefceec9fa140d51070ad85630203b9d642bea7fc47c9314c4022387b9c1442aa98f32f48af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b8a80d2f4a36ff4278b4debbb94926f0

SHA1
5f04145f5af7b229c9f144d8cd78739b0b5c02ec

SHA256
4b4fb56cb415c8a538cc9ba286f2ba161eb03a60deea26a408311b898bf78de3

SHA512
339ed32928f8e959d56b54f9da19e70f52226f09e45b1063a8e8413581c58c944b853cb4ea95e6db3cf1b0b04b5bdb7dcf49fa33b1f0c0223ea89c97fdd4b34f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f6e929d38d3e5ce74e8ca5d422aa529e

SHA1
dc3d47fcfd106b0b894e4510d88c264fd56bf1f8

SHA256
fbb4e5217454d43711c1a856d2f1a4b9a7bedb25a2829db198bfdb970fece264

SHA512
e8be4fdc5acc6f35a93bc51bbc947bb5a38ad663c2d3e7b2677863630c1a2aa29e16b61e2a477cb02e7daa4be7888903c3a32ba139100fad7618ea7b4775d8ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
df001b13ad68cc7539324212ddfb2ca6

SHA1
9859f4a55aa97f427ebcefa585abd7184bc49528

SHA256
fde5ca25608a4c696dde15276c7c4861bc8a2da4fe220e03efa4f419674d5ea1

SHA512
dbf61c6f69ab18de633c453e10519b2b9c49ffbefc39ac552acc9637ed879183c47a193851da25a0e03bb1c5247982257a2dc9bcb30f91c4d07f791a62c6a4f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
adfd64200a90e582bb85641b82507470

SHA1
d0d68daf262b0223db17f2b8ebb19b0d075bd092

SHA256
06d33a73d5cc9f08d4ff59f8719dc3afc0e3136bda34f8fd9cfeb7c78c9d1cbf

SHA512
95f6a20514fe6da5926e3983928b6ad7b4a1bc10a0c28645f70f3cb1008e35d1b48d13ec04ac04dc6a44561b3938071c697c2596f3c6a472b5567bea24068732

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\dd463153-a79b-4474-8101-0941f18482b3.tmp

Filesize
15KB

MD5
0bdb0fd5ab414879105b0cda8c42ce09

SHA1
d357c746f781eb531c0fef4f89027cfabaac9252

SHA256
30416140ee9331172095e06deac6e638c272378c71d814732911b77f3efba2a9

SHA512
b7172dca5a5603f5a11292aeb48b43af45ef727030d320d009472163355c3a5c33605b334c804ae85b8dd6aea8c9963ab2ac3aad9572dc68d4490a173feb6e00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
c55fa95c1a6211e1754ebe86d8e5dcc2

SHA1
dde23743fcb53ecab7941b75cc09030676892df0

SHA256
d0b88ac89d690af1376f8561b358c6a789a5bd17b99e05a98fe8925ac349a00e

SHA512
68e6812146a8b146a9e867c1a5ff40e2a78c30f18f7edca0945e03f4afdc4c29a9d3f7dfd16888a84a140251d4644bd5add8de6564ffb254225482365d01555a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ec86427a-8419-407c-b906-67a5cbe55784.tmp

Filesize
233KB

MD5
791449b743b3f609c4e32b70d20714b3

SHA1
f2667d9b708b1acab7cd6cb971bc73efc54ba1ee

SHA256
a2d16629b298a895ca5975b79682bbfb0e1ad60e73a390013a805504a8ad388a

SHA512
5037a34c301c3a93fc5cb548a0d12db1a130cba012e42fd57b0acdce25e395e08e1bc37f6216b88a99e3a5f9fa1d239cde4cca9238b63a638f2f6a94f6e0ebcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdee96b970080ef7f5bfa5964075575e

SHA1
2c821998dc2674d291bfa83a4df46814f0c29ab4

SHA256
a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0

SHA512
20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46e6ad711a84b5dc7b30b75297d64875

SHA1
8ca343bfab1e2c04e67b9b16b8e06ba463b4f485

SHA256
77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f

SHA512
8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
2d907516ef5080fe05939fb85d5cd290

SHA1
fd3e480d19680f6db46b3532a4aa4b54b02e2d0d

SHA256
0d4476c0ab6ff4cf2c9cc0ab6df16847777f09fa172d7810c7d8c3da53ab402e

SHA512
43f488dbd133476deab9be95380fa656c3afc43ae14e404424cc7342043252224a3306c887b32d0009064cd707763e19c212dd50bfc9cba9919538389bd7314d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
182B

MD5
81e004822c5e9a4eac8801aa1ba0b209

SHA1
ce2106f745a1962c871225f2c8399e37244fbb31

SHA256
b8212daa7e07010c37c1a9ff5581f679131eefbbddfa60667f5085be4ed5c647

SHA512
f63091109b36201d1e2a1bef70aef769d2ddba100c21a0c9d51ebe1eb65c08958a0f2793e637c112c4c4ba6cab949929c98ae3fa650e0e5c3c727cae18e6f750

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5b141e040158e69bc4b081241c1a47f9

SHA1
3fc0fa2c9d7b2ce8fca1cf3c618934f2d6ca9d25

SHA256
7c751e9b9c7874e58f472aa43730d357c0b7dbc2e90d5d9929c9c5fa201c8924

SHA512
ebce6605157be6b296b1004961afeef207949ffc373bbe95fb35d0ddbc53d86d0ee7abf7fc46567fe3decdd9837309ac9692629106a42d8684cf4f7d0f1cf6a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ef79c2c271daf379fc2f1e79aa882308

SHA1
013a38dd8db5c505795d119b7bd8559a99e7d2de

SHA256
b88aabf13e5fa9db514dda281748e0ce54c20c79efa401d25bafe8c896e9591f

SHA512
a415c9e1eca8c95fb9adb1a0ccb6583678d8481b426f51f31ec7a096507f3b8b5dba4f9264cf86a8ac8e7f58b64cf6eec2cc2eaa06ae929dadcdb59e076206d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cf3dd84c3c0afd93bbaabbec66c60feb

SHA1
c74fdc72be933d5673b4a0173a699dccb884deff

SHA256
498be59555a22fb67cd1b66a121ded857fecbd215213e81d18e11de986515cb2

SHA512
a36cf2dbfc396dfe9cc80df79b895d127cc1eb209ddb773088c4046bd8c86287c21d14f0ed3f6cd62ca9c5cbaba14a64cebd97afe00a8d8a57e20f5c1ae5c5ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2ca0b161496b644a7852b4515f90aa0c

SHA1
5e711fc8c8ed561133e90dd5ce9de5d021128e36

SHA256
34c2f6ec2f5792f55d11c03a0f31dddfb396adc33b6ba1ca3ad820b111026b6b

SHA512
15d1a83c1a8f6ca80965d859935ec68c20224c19c1d3b48c0c258465367c0ffaab6fb2cac79ca81af621b7c2a7646e9020b1342cf397bf04f5dd27f40899f85c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
94ed950f9d25079de2e3e54ece103a95

SHA1
5372388c26021d7e6aa2c5558879dabe8f6fc6d8

SHA256
10e8446a698b5fb52f23ed00aab17221cce08e60d0124540c041715dfc4a8287

SHA512
f21b165134aa0ece85d2df8a613a4232c830ba8fff07dff6c60dc0cdf60ec42a8dafc88d7ad111be30f8cb89a8cbe03778782fee14dfd035df9d7f4ff5ebbab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe591786.TMP

Filesize
204B

MD5
67cb76df57acea6e3367b205ff0ff5d2

SHA1
8d1e56c00ab626a4b794eb675e03018004f6d961

SHA256
4837749a075610962d4a069a93b735e804ce980feaf7ad856421efb8286086c5

SHA512
94d7738c1d405ab570896ff0db87e527245620c2e8d7a704baf1ae5923e0e55497d6069b02ee4c918ba7895d393491fc92a053afd3283313475d06ac1da52503

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\eb2788c0-3596-4f1d-bafd-c6a419b9945e.tmp

Filesize
5KB

MD5
bf308cd71c8fd2de085020d3f6ffedd1

SHA1
23ab191c89ccfcadf7e78b75fd242c87a141015a

SHA256
d6ecf09408e8207a4520f873558515be5eb7893ddcb5f42d80aaa206e9da59ae

SHA512
3bac177364f6eb31f78ab01d8fc9e2ef2cc78ab4504e9f12d7331ff7e8d57e7cc6f4e1b497b6948474a5fbdae8132e31d29be345262e9abbb07963d405797a95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
59378d0957bfb42ae0da69aeeafd1547

SHA1
8c40ba9fcd49dd7630fff943a2c155a1ece5fb1e

SHA256
12723cf389f7e71f09bb7b952bb0bdc6d1c10f6128c8ad49acbeda6e26d32314

SHA512
870c88e7fac1200080a216ca4cacada2e80bde4d2a4e1bb7caecc2b11759f39717ec9909154890e446f5a8b9e9a411462aef638292943ebad69d1cfb6142943a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e868a5c80773388803f675cac9a3d580

SHA1
ef8606a52853e473a0437467d13c095169210689

SHA256
cb79499df9718ea4ee024ed58ec359115d0911e26ff03b6c5d7b38d5f16ac3dc

SHA512
2e1c20f4a68cc2fbd9b135a0ae6f68aed14b9ade18ed7ad2934f2174c5799a385d7601893de0ec511aaacd6b836c996e8abb41b6522058960468b9cc9bcae1ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d002645676941a1f1c57559f6ede7836

SHA1
a2284e5a0a47a060cbd9fa92f9b5bfd5db544c8c

SHA256
9722097bc805e0ab346807395232e35075d004747d8afb37b7ff7db6dac93d97

SHA512
22ed9d2377373020a9027a3fcdd4843a6cdfff71d8cfda843d50b1b5981d9972b405ddbf1aef61b1d71546a0c0dc5a9be7fb3417581f1ab3dc51e847b32da03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb85A3.tmp\System.dll

Filesize
22KB

MD5
a36fbe922ffac9cd85a845d7a813f391

SHA1
f656a613a723cc1b449034d73551b4fcdf0dcf1a

SHA256
fa367ae36bfbe7c989c24c7abbb13482fc20bc35e7812dc377aa1c281ee14cc0

SHA512
1d1b95a285536ddc2a89a9b3be4bb5151b1d4c018ea8e521de838498f62e8f29bb7b3b0250df73e327e8e65e2c80b4a2d9a781276bf2a51d10e7099bacb2e50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb85A3.tmp\nsDialogs.dll

Filesize
20KB

MD5
4e5bc4458afa770636f2806ee0a1e999

SHA1
76dcc64af867526f776ab9225e7f4fe076487765

SHA256
91a484dc79be64dd11bf5acb62c893e57505fcd8809483aa92b04f10d81f9de0

SHA512
b6f529073a943bddbcb30a57d62216c78fcc9a09424b51ac0824ebfb9cac6cae4211bda26522d6923bd228f244ed8c41656c38284c71867f65d425727dd70162

Download Submit
C:\Users\Admin\Downloads\SteamtoolsSetup.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 137034.crdownload

Filesize
978KB

MD5
bbf15e65d4e3c3580fc54adf1be95201

SHA1
79091be8f7f7a6e66669b6a38e494cf7a62b5117

SHA256
c9f2e2abb046ff2535537182edf9a9b748aa10a22e98a1d8c948d874f4ffb304

SHA512
9bb261b4ed84af846e07ffb6352960687e59428fd497faa0a37d70b57a1a7430d48ac350fbb0c3f0f11e4231a98ebca4d6923deba0949fdd7a247a3c02737355

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 238832.crdownload

Filesize
2.3MB

MD5
1b54b70beef8eb240db31718e8f7eb5d

SHA1
da5995070737ec655824c92622333c489eb6bce4

SHA256
7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb

SHA512
fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb

Download Submit