xred | hxxps://gofile[.]io/d/kQoB54

Resubmissions

18-12-2024 12:18

241218-pgqceazlfn 7

18-12-2024 12:17

18-12-2024 12:16

18-12-2024 12:14

18-12-2024 12:09

Analysis

max time kernel
259s
max time network
245s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/kQoB54

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Steam Checker By Scorpio.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Steam API Cracker Coded by MR.ViPER - v3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Microsoft Windows Protocol Services Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Steam Accounts Checker By X-SLAYER.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Startup.lnk	Steam API Cracker Coded by MR.ViPER - v3.0.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Startup.lnk	Steam Accounts Checker By X-SLAYER.exe

Executes dropped EXE 11 IoCs

pid	Process
1776	Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
872	Synaptics.exe
3508	._cache_Synaptics.exe
3532	Steam API Cracker Coded by MR.ViPER - v3.0.exe
3004	Microsoft Windows Protocol Services Host.exe
680	SteamApi.exe
596	Microsoft Windows Protocol Monitor.exe
4256	Steam Accounts Checker By X-SLAYER.exe
4212	Microsoft Windows Protocol Services Host.exe
4016	sysAcc.exe

Loads dropped DLL 17 IoCs

pid	Process
1776	Steam Checker By Scorpio.exe
1776	Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
872	Synaptics.exe
872	Synaptics.exe
3508	._cache_Synaptics.exe
3508	._cache_Synaptics.exe
3508	._cache_Synaptics.exe
3508	._cache_Synaptics.exe
3508	._cache_Synaptics.exe
3508	._cache_Synaptics.exe
4016	sysAcc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Steam Checker By Scorpio.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Steam Checker by Mr.ViPER\Steam Checker by Mr.ViPER\Virus Total\desktop.ini	7zG.exe
File opened for modification	C:\Users\Admin\Downloads\Steam Checker by Mr.ViPER\Steam Checker by Mr.ViPER\Virus Total\desktop.ini	7zG.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Program Files (x86)\Microsoft Host Interface\Data\Host del servicio Monitor.exe	Steam Accounts Checker By X-SLAYER.exe
File opened for modification	C:\Windows\Program Files (x86)\Microsoft Host Interface\Data\Host del servicio Monitor.exe	Steam Accounts Checker By X-SLAYER.exe
File created	C:\Windows\Program Files (x86)\Microsoft Host Interface\Data\Microsoft Windows Protocol Monitor.exe	Steam API Cracker Coded by MR.ViPER - v3.0.exe
File opened for modification	C:\Windows\Program Files (x86)\Microsoft Host Interface\Data\Microsoft Windows Protocol Monitor.exe	Steam API Cracker Coded by MR.ViPER - v3.0.exe
File created	C:\Windows\Program Files (x86)\Microsoft Host Interface\Data\Microsoft Windows Protocol Services Host.exe	Steam API Cracker Coded by MR.ViPER - v3.0.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
596	3508	WerFault.exe	136
3188	3508	WerFault.exe	136
1428	1400	WerFault.exe	134
3964	1400	WerFault.exe	134

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Microsoft Windows Protocol Monitor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Steam Accounts Checker By X-SLAYER.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Steam Checker By Scorpio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Steam Checker By Scorpio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Steam API Cracker Coded by MR.ViPER - v3.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SteamApi.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	._cache_Synaptics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	._cache_Synaptics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\SniffedFolderType = "Documents"	SteamApi.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg	SteamApi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	SteamApi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	._cache_Synaptics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	._cache_Synaptics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	._cache_Synaptics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	SteamApi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\NodeSlot = "11"	SteamApi.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11	SteamApi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	._cache_Synaptics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	SteamApi.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	SteamApi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	SteamApi.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0 = 7a003100000000006b50f47b1000524553554c547e340000620009000400efbe92594061925940612e000000893c020000000700000000000000000000000000000089b31c0052006500730075006c0074002000310031002d00300033002d00320030002000310039002d00300031002d0033003900000018000000	._cache_Synaptics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	._cache_Synaptics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	._cache_Synaptics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	._cache_Synaptics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	SteamApi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	SteamApi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	._cache_Synaptics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	SteamApi.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\MRUListEx = ffffffff	._cache_Synaptics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	._cache_Synaptics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	._cache_Synaptics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	._cache_Synaptics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\SniffedFolderType = "Documents"	SteamApi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	SteamApi.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\MRUListEx = ffffffff	SteamApi.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	._cache_Synaptics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	SteamApi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	._cache_Synaptics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = 00000000ffffffff	._cache_Synaptics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	SteamApi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	SteamApi.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 = 56003100000000008f5002191000526573756c747300400009000400efbe92594061925940612e0000007d3c0200000007000000000000000000000000000000cdfd150152006500730075006c0074007300000016000000	._cache_Synaptics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	SteamApi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	SteamApi.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg	SteamApi.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	SteamApi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	SteamApi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	SteamApi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Steam Checker By Scorpio.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	._cache_Synaptics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	SteamApi.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0	._cache_Synaptics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	._cache_Synaptics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	SteamApi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	SteamApi.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	SteamApi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	SteamApi.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	._cache_Synaptics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	SteamApi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	SteamApi.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
3884	EXCEL.EXE
3004	Microsoft Windows Protocol Services Host.exe
4212	Microsoft Windows Protocol Services Host.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
232	msedge.exe
232	msedge.exe
2432	msedge.exe
2432	msedge.exe
3980	identity_helper.exe
3980	identity_helper.exe
460	msedge.exe
460	msedge.exe
3964	msedge.exe
3964	msedge.exe
4820	msedge.exe
4820	msedge.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
1400	._cache_Steam Checker By Scorpio.exe
3508	._cache_Synaptics.exe
3508	._cache_Synaptics.exe
3508	._cache_Synaptics.exe
3508	._cache_Synaptics.exe
3508	._cache_Synaptics.exe
3508	._cache_Synaptics.exe
3508	._cache_Synaptics.exe
3508	._cache_Synaptics.exe
3508	._cache_Synaptics.exe
3508	._cache_Synaptics.exe
3508	._cache_Synaptics.exe
3508	._cache_Synaptics.exe
3508	._cache_Synaptics.exe
3508	._cache_Synaptics.exe
3508	._cache_Synaptics.exe
3508	._cache_Synaptics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
680	SteamApi.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeRestorePrivilege	1036	7zG.exe
Token: 35	1036	7zG.exe
Token: SeSecurityPrivilege	1036	7zG.exe
Token: SeSecurityPrivilege	1036	7zG.exe
Token: SeRestorePrivilege	4132	7zG.exe
Token: 35	4132	7zG.exe
Token: SeSecurityPrivilege	4132	7zG.exe
Token: SeSecurityPrivilege	4132	7zG.exe
Token: SeDebugPrivilege	3004	Microsoft Windows Protocol Services Host.exe
Token: SeDebugPrivilege	680	SteamApi.exe
Token: SeDebugPrivilege	596	Microsoft Windows Protocol Monitor.exe
Token: SeRestorePrivilege	3536	7zG.exe
Token: 35	3536	7zG.exe
Token: SeSecurityPrivilege	3536	7zG.exe
Token: SeSecurityPrivilege	3536	7zG.exe
Token: SeDebugPrivilege	4212	Microsoft Windows Protocol Services Host.exe

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
1036	7zG.exe
4132	7zG.exe
3536	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1400	._cache_Steam Checker By Scorpio.exe
3884	EXCEL.EXE
3884	EXCEL.EXE
3884	EXCEL.EXE
3884	EXCEL.EXE
3508	._cache_Synaptics.exe
3884	EXCEL.EXE
3884	EXCEL.EXE
3884	EXCEL.EXE
3884	EXCEL.EXE
3508	._cache_Synaptics.exe
3508	._cache_Synaptics.exe
680	SteamApi.exe
4016	sysAcc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 4332	2432	msedge.exe	85
PID 2432 wrote to memory of 4332	2432	msedge.exe	85
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 1304	2432	msedge.exe	86
PID 2432 wrote to memory of 232	2432	msedge.exe	87
PID 2432 wrote to memory of 232	2432	msedge.exe	87
PID 2432 wrote to memory of 1068	2432	msedge.exe	88
PID 2432 wrote to memory of 1068	2432	msedge.exe	88
PID 2432 wrote to memory of 1068	2432	msedge.exe	88
PID 2432 wrote to memory of 1068	2432	msedge.exe	88
PID 2432 wrote to memory of 1068	2432	msedge.exe	88
PID 2432 wrote to memory of 1068	2432	msedge.exe	88
PID 2432 wrote to memory of 1068	2432	msedge.exe	88
PID 2432 wrote to memory of 1068	2432	msedge.exe	88
PID 2432 wrote to memory of 1068	2432	msedge.exe	88
PID 2432 wrote to memory of 1068	2432	msedge.exe	88
PID 2432 wrote to memory of 1068	2432	msedge.exe	88
PID 2432 wrote to memory of 1068	2432	msedge.exe	88
PID 2432 wrote to memory of 1068	2432	msedge.exe	88
PID 2432 wrote to memory of 1068	2432	msedge.exe	88
PID 2432 wrote to memory of 1068	2432	msedge.exe	88
PID 2432 wrote to memory of 1068	2432	msedge.exe	88
PID 2432 wrote to memory of 1068	2432	msedge.exe	88
PID 2432 wrote to memory of 1068	2432	msedge.exe	88
PID 2432 wrote to memory of 1068	2432	msedge.exe	88
PID 2432 wrote to memory of 1068	2432	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/kQoB54
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb77bc46f8,0x7ffb77bc4708,0x7ffb77bc4718
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,11770103748791438452,10376616085099056704,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:1304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,11770103748791438452,10376616085099056704,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,11770103748791438452,10376616085099056704,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
  2⤵
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11770103748791438452,10376616085099056704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11770103748791438452,10376616085099056704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11770103748791438452,10376616085099056704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,11770103748791438452,10376616085099056704,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,11770103748791438452,10376616085099056704,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11770103748791438452,10376616085099056704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,11770103748791438452,10376616085099056704,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5300 /prefetch:8
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11770103748791438452,10376616085099056704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,11770103748791438452,10376616085099056704,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11770103748791438452,10376616085099056704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11770103748791438452,10376616085099056704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:1356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11770103748791438452,10376616085099056704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,11770103748791438452,10376616085099056704,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6072 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11770103748791438452,10376616085099056704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11770103748791438452,10376616085099056704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2344 /prefetch:1
  2⤵
  PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,11770103748791438452,10376616085099056704,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4820

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:824

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2140

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\steam checkerv 1.0 by scorpio\" -ad -an -ai#7zMap28247:120:7zEvent9214
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1036

C:\Users\Admin\Downloads\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\Steam Checker By Scorpio.exe
"C:\Users\Admin\Downloads\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\Steam Checker By Scorpio.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1776
- C:\Users\Admin\Downloads\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\._cache_Steam Checker By Scorpio.exe
  "C:\Users\Admin\Downloads\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\._cache_Steam Checker By Scorpio.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 1428
    3⤵
    - Program crash
    PID:1428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 1448
    3⤵
    - Program crash
    PID:3964
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:872
- - C:\Users\Admin\Downloads\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\._cache_Synaptics.exe
    "C:\Users\Admin\Downloads\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3508
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 2596
      4⤵
      Program crash
      PID:596
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 3280
      4⤵
      Program crash
      PID:3188

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3508 -ip 3508
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3508 -ip 3508
1⤵
PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1400 -ip 1400
1⤵
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1400 -ip 1400
1⤵
PID:992

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Steam Checker by Mr.ViPER\" -ad -an -ai#7zMap18470:112:7zEvent20776
1⤵
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4132

C:\Users\Admin\Downloads\Steam Checker by Mr.ViPER\Steam Checker by Mr.ViPER\Steam API Cracker Coded by MR.ViPER - v3.0.exe
"C:\Users\Admin\Downloads\Steam Checker by Mr.ViPER\Steam Checker by Mr.ViPER\Steam API Cracker Coded by MR.ViPER - v3.0.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3532
- C:\Windows\Program Files (x86)\Microsoft Host Interface\Data\Microsoft Windows Protocol Services Host.exe
  "C:\Windows\Program Files (x86)\Microsoft Host Interface\Data\Microsoft Windows Protocol Services Host.exe" {Arguments If Needed}
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- - C:\Windows\Program Files (x86)\Microsoft Host Interface\Data\Microsoft Windows Protocol Monitor.exe
    "C:\Windows\Program Files (x86)\Microsoft Host Interface\Data\Microsoft Windows Protocol Monitor.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:596
- C:\Users\Admin\Downloads\Steam Checker by Mr.ViPER\Steam Checker by Mr.ViPER\Data\SteamApi.exe
  "C:\Users\Admin\Downloads\Steam Checker by Mr.ViPER\Steam Checker by Mr.ViPER\Data\SteamApi.exe" {Arguments If Needed}
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:680

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap21512:112:7zEvent4628
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3536

C:\Users\Admin\Downloads\Steam Checker by X-SLAYER\Steam Accounts Checker By X-SLAYER.exe
"C:\Users\Admin\Downloads\Steam Checker by X-SLAYER\Steam Accounts Checker By X-SLAYER.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4256
- C:\Windows\Program Files (x86)\Microsoft Host Interface\Data\Microsoft Windows Protocol Services Host.exe
  "C:\Windows\Program Files (x86)\Microsoft Host Interface\Data\Microsoft Windows Protocol Services Host.exe" {Arguments If Needed}
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  PID:4212
- C:\Users\Admin\Downloads\Steam Checker by X-SLAYER\Data\sysAcc.exe
  "C:\Users\Admin\Downloads\Steam Checker by X-SLAYER\Data\sysAcc.exe" {Arguments If Needed}
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
ca096480543c289e9ba6666970e87238

SHA1
16b76ba44875589798fed55538715bf99a5eda9a

SHA256
bf5b60bc855ac8aaa4591083360b77ad139e95d6d91bee14664036c3d0a75f8d

SHA512
53dd1445215531c1c3c6ccf3204b576c7c15a9a29f73bc08c0793a4a66b55a802dd4953eb67ce62d469286c4394d28e0a36a750be41707238a33dfd054cc3962

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
547B

MD5
eff9ee1a4a81161aa994ecf341bf16c7

SHA1
c9cf81b8ce40b69fc4a9174a916e89587b3ecddc

SHA256
d0a9fb172fb0d5ef21a24af2017c3daada14f8607663f689d353e77ac8f4c592

SHA512
8424250514d7e28dfef8faa1c5a50f51f00d1d0b64c28c140ab6243840aa60e9129e6c713fc58e654acd30e538e0904ae6dc2ab7434266b7278dc86c24c19f09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ce5691ac27264bbd490b45014f186300

SHA1
17ae869bddf5f1bcb081b990a497a94128846d7e

SHA256
135b0c939557e5e19a959011d0d92ca28d0563ed51b41dd1a8ea95e32c9c2de4

SHA512
a374b5ddb7a7fbcec460be989757b5aed3206c1c1c079854a8b5da78d919a6371b8953b09ff6afbf22b75b7eb5a833e5160de352a56d40575a0170c9ffdfa09a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b8a8c6a637a4771a0368f49e90a63e7f

SHA1
fed17b7ada3946262a380e2f1e6c13909039c760

SHA256
96f4f3205facbc7065061fc2571d318bb449a13a93845940581b5b407c2dd565

SHA512
9be4c19da2469977cded20bd4ce7d5c76e81256a59345d298cf9afabf9d36c89b4bc3fa7720a7512d439c371ab3843aac6c0a6fbe47a62900e5c935af638e584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b8345643f22ccff74673300dd36f2f38

SHA1
c42b5f1ef54f4ba9437e0ccced836f3a7b938459

SHA256
b855effa1c801717e1911e92fe97ea48b17519c99eb2b15cf2561a3366655083

SHA512
7e546952c45efb54fce4326b1b831b345d38ebc74d86a93e1a97903482d7fd9ba2642b6b4659d2a260d9fbac40059053c03467004c0e7012d5a911a5929b950c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
11153a1fd0fb1d2212cd86d5df6cc66b

SHA1
1dc13c5263a4c5ac695284adb09dbf88cf505225

SHA256
287eefe29af2705a5795c6c52db4ecbe3cea6080fae3533f622ef095bbf3715b

SHA512
0512ec31ac6e791a6d540b6b936c7201bfe5d61d2f556a5968bcd91b9e282d35a70a17717713f072ec34158937080dd3429e109ffcd94b7293ec3df61ceb7687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
800e38e9f8b5661e071214e483bc39c0

SHA1
fbf7e099ae846eac183971f4082d5bc87aa01f1b

SHA256
40171eaeddba57c532fafb78c9d5186879618f5b01449983a5b48fdbbefddc76

SHA512
47eb291862fbca133548c852fa172ad6e6020e981f90cedbd92fd18e23a19be4602ff9d953ba4338cd602c4c935911a05d4631f8b620177f65154abc260f604c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
104568128579141c85d15ed4718e81f4

SHA1
7661764638fa823e84ab59d074e3b87bfddd71b9

SHA256
c1f436d31dd4e4317843bbaf536d566e69765d639b9b480b365196941b606224

SHA512
e56c90b7da6b2bba4ac8927cc4ce4004ee0601d6450a01fd58553b95bf26aaff71eff1914440da4c8b8ec56d3f20265d3ff5c53d1b47f5a06384e0fdd83d1c6b

Download Submit
C:\Users\Admin\AppData\Local\SkinSoft\VisualStyler\2.5.0.0\x86\ssapihook.dll

Filesize
57KB

MD5
9e7f44b8f1512476aa896e977c58830b

SHA1
eddd878d9e16502ee1eb7f583dd04e01b458ba42

SHA256
8e6195b50bb0d22e4d346263f708f166db726c84884fe78a6bb477caed19e708

SHA512
ea52b71dc58e081d0e6c1336e7bf8422d7240c8a502c790075c6ebfe88f8ff70cd2bf43d34b8c604c08d867202359f8bd35c3a0b8d2eefefe826ccd2e5c8c802

Download Submit
C:\Users\Admin\AppData\Local\Temp\7D285E00

Filesize
23KB

MD5
9c2934056e1b1dc4932535a86be8671b

SHA1
49a2395a512988afc755c178b08229bb77fa1c7a

SHA256
fa50f2169bf507c7ab028e3c774fd5160b25580f080834e1b4ca405d27cbe570

SHA512
b3a127c525ebdddf8caff087186de800ed54c5a9d20fd01c36d6ab0602ec86b8e5cc19a0080f58cda510451f39f06bf0dc6f68fe4bb71dd241b3008004b91e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\FfOrVqHf.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\Downloads\Steam Checker by Mr.ViPER.rar

Filesize
1.8MB

MD5
659ccac29a8ef6a918146e1585ed4288

SHA1
a06ebb0d13ea282bcc75b7bc8696cedc0a242696

SHA256
47715294a4a85e5308a26b046bc13768f3e300911875ad92b8506aa154ef1a61

SHA512
bb466106d7485dba2fb193186a771cfcbe85d2b6d1ec7a70040c8b4d4238b9ba7d101ca3aa6d294fd1f399b3596ce70902c72bd4407b1b7f0447b8166bbfc695

Download Submit
C:\Users\Admin\Downloads\Steam Checker by Mr.ViPER\Steam Checker by Mr.ViPER\Data\Microsoft Windows Protocol Monitor.exe

Filesize
9KB

MD5
61fce223872024b0ecb0bb2a7ffb7c47

SHA1
f893d620f9d843c8bdb86a0375f856508a6ce136

SHA256
4b5069b9708a8e97b17af6aa96cf2112877a675b4dbc1f6dbc2601b494b35d11

SHA512
8926a5f7d6aa862351044d79a634decda989b50ad422ba3e9a97c573ff618a8314607a7afe093925f56d87861eefb31d3820d9e02b1cf2847c0e6072880ac192

Download Submit
C:\Users\Admin\Downloads\Steam Checker by Mr.ViPER\Steam Checker by Mr.ViPER\Data\Microsoft Windows Protocol Services Host.exe

Filesize
9KB

MD5
b90f7cd95e2f8ffcf180a4c96be66014

SHA1
4fd7eeb26b6eb7227262d0d8cf6fac947a9ff231

SHA256
38a61d517c08fe4da2798c9a42d5bde4bbadf3758cf70638709a3eef5079e8e1

SHA512
e83d9d8971a2374d5694fd8a45814f1307f891b8dfb2bdda80911948b762bcedc9de236462caf88e3398c3287a00f08db9274f5739a1f9259ef8de0aea018795

Download Submit
C:\Users\Admin\Downloads\Steam Checker by Mr.ViPER\Steam Checker by Mr.ViPER\Data\SteamApi.exe

Filesize
1.1MB

MD5
428b193b299abf00ffb17a13e3485ca3

SHA1
d22e03b1abaff0e862bb371afade0a9103364e03

SHA256
07a95c611eeca43f18c36211ba9a710d5dbb59f4339ed1faac1523f31107a092

SHA512
42b007ff51052c5b643760fb8490bfe717fe9ee146be5b301db0df8dfa65ac61bfd1829445e0b0237150db003db1f5eb5e82fe3e47b26c5b337ae36d5a61de33

Download Submit
C:\Users\Admin\Downloads\Steam Checker by Mr.ViPER\Steam Checker by Mr.ViPER\Steam API Cracker Coded by MR.ViPER - v3.0.exe

Filesize
13KB

MD5
0bda6a46010a4798858b725d4fad4394

SHA1
056e416d1802f0b2a7618caaba58439dbc10ff5c

SHA256
b90901e5f167d0631bf924e4d616881c91a0f2cc3c6f498f4f0f896a6ffb46f9

SHA512
1bd6951193166cc661a0742c9b1c6a03c5f25a20d8185e2b307565822a06d01caf3efa8335d3b7f6ffc4bf3c9c02a22f46d42635f0a0c49279690d375d67c6e0

Download Submit
C:\Users\Admin\Downloads\Steam Checker by X-SLAYER.rar

Filesize
1.5MB

MD5
df2aa099aaaf245e1125c949431ce534

SHA1
7fff72baa77272e1e314802cca2009c3c2d38936

SHA256
e539ac53241fd8d1d1d80e4b9b97f19cd7bf6fbe9b77fd24da09717c634d3677

SHA512
7de65faf0bd0ae75535d7061910d8dbfedf947d9a374baab6ff7f4643b1d4a64ec5a26d6f534cd79808e33e9025bb61cd79c3cbfb3d0d0b007289958173eea4c

Download Submit
C:\Users\Admin\Downloads\Steam Checker by X-SLAYER\Data\SkinSoft.VisualStyler.dll

Filesize
964KB

MD5
2d84a619d4bd339f860cb48af0c9b6c8

SHA1
05e520126ee1100c98263bfbd5a6ff0ce6ace4f7

SHA256
365ffde7df914840eb21c96f34c39912a4b031e3814b8e902b67acee6dff65a1

SHA512
bd0c5e8b018ae393a5f2b92b4a10b5b674ca466074d18b4f86b12cbe9a6a520a95323146cb8e5226b1698f14efcc63addf0df421677b7f5ba3c8d94dbcb511d0

Download Submit
C:\Users\Admin\Downloads\steam checkerv 1.0 by scorpio.rar

Filesize
2.5MB

MD5
54e9a24fb3a19ddb0cde9bdad524d8cf

SHA1
bd17493ce33aacb976881be496bd4b394cb239c5

SHA256
387b084b873eca8ed5eaa5e47e5e37fb2535dee764feb85b58b0e9b616dc7b09

SHA512
7200386f8a970d5edc218500c32026f4943833029e5cdd73e2b051ef8c169908a1602dc3ab73e5defd89a9fe6306bac3c4a2bff4fe0f0bdb2e6fe4859568fbd7

Download Submit
C:\Users\Admin\Downloads\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\._cache_Steam Checker By Scorpio.exe

Filesize
1.7MB

MD5
4ef4d48dec1058e81817e236c78df04a

SHA1
9bd81c4eccf3795a49f5cf6fee063b5371788d1d

SHA256
2e26221cdc9d70eb6ddc9f3651bfb6b2fad4e705015ffdbfae231173e7a4d713

SHA512
6ebf6328abde40ae3007e8041dfd1b606fb314417857f2b6fe8da294703958ad5e978b11f090b2ae5cc7096e79e3a2505e9c8fc6f2466826a3d1152036d7d8f1

Download Submit
C:\Users\Admin\Downloads\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\Bunifu_UI_v15232.dll

Filesize
663KB

MD5
7d723a8eb4d7e494ea488c13510b97b6

SHA1
07f07c10e0661fa5f272a61ce69ed95c1cb251b8

SHA256
b695ac865a5df23e45ff991bf26b71e4f879c89a1a6fde0ba92f31904beaca5c

SHA512
5ff49cc06df33b65c2bfbf37d89fa6ae2b71e26046bd7cf96a374ceb840ec7d3e11761f94b0f67b9ae38e4fcb1fe836c09a0b227e4a478f775a7511eda9d133c

Download Submit
C:\Users\Admin\Downloads\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\Read Me.txt

Filesize
57B

MD5
1e80dae17e853553dcea4d2adb148769

SHA1
4ea2fa05a7f3c70970ec0d00a2cf60153fa53a4c

SHA256
8c0875230789b9dc131a5898c73aa91c97538748e2c44665cc928b64e5114d23

SHA512
7cdac7712c5df56ed023bc0f3ce130d811ce89a32cc42cb5da804e6c60fb7ed0824855379821bb9f6ef2203f37e59dc30f2b39e6bade21694b9d9cebe11a1b81

Download Submit
C:\Users\Admin\Downloads\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\SkinSoft.VisualStyler.dll

Filesize
1.0MB

MD5
69e6563e0e7ea843e9b37d58819f4136

SHA1
4aebf9955ba0d0b5205b6b013da634aa0281a25d

SHA256
f9fa9f508b9350ed12ed3aa5b7f24aed901a6434b1b02d1f0ee301b8eea54b06

SHA512
c883bcb3f6f2ac3f2fe88eed1356178ff2b43bdeed2188aa06f35cbc9dda8745a3a5c2d28d99daae5b6ea9af46abcae45b7bd4da13f318ba31062a8e8b79a942

Download Submit
C:\Users\Admin\Downloads\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\Steam Checker By Scorpio.exe

Filesize
2.4MB

MD5
64e630606dcebfdf0ca89827767923b9

SHA1
576297c8d8389ae183eec599006f607e98115401

SHA256
443f2dae5074fa6e763e3f89cd727236826ff2c53e7540f2b4f1be84cce8e288

SHA512
f74747aaea6d031dbf313e6914a960105dffbff0664272d94dc8a750af5869537cadc6edba8b1e5f1661e69c9ce107652168ec23203baab682f0dc6d13d28455

Download Submit
C:\Users\Admin\Downloads\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\xNet.dll

Filesize
116KB

MD5
3df8d87a482efad957d83819adb3020f

SHA1
f5b710581355ac5d0de7a36446b93533232144db

SHA256
2ac175b4d44245ee8e7aee9cc36df86925ef903d8516f20a2c51d84e35f23da4

SHA512
da28c34a85a6530b1c558fa11b0e71e70710d719cd8ceaf81f954d1fe3927ec139bee6c5f3135425cc5220905240f1a31d831611c46d18f5d52600b607ea59a6

Download Submit
memory/596-564-0x00000000001B0000-0x00000000001B8000-memory.dmp

Filesize
32KB

Download
memory/680-558-0x0000000000B00000-0x0000000000C2A000-memory.dmp

Filesize
1.2MB

Download
memory/680-571-0x0000000005980000-0x000000000599C000-memory.dmp

Filesize
112KB

Download
memory/872-583-0x0000000000400000-0x000000000066E000-memory.dmp

Filesize
2.4MB

Download
memory/872-485-0x0000000000400000-0x000000000066E000-memory.dmp

Filesize
2.4MB

Download
memory/1400-310-0x0000000005FF0000-0x0000000006594000-memory.dmp

Filesize
5.6MB

Download
memory/1400-376-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/1400-382-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/1400-383-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1400-384-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1400-385-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1400-386-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1400-387-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1400-388-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/1400-389-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1400-390-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1400-392-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1400-391-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1400-400-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1400-302-0x0000000000BA0000-0x0000000000D52000-memory.dmp

Filesize
1.7MB

Download
memory/1400-308-0x0000000005550000-0x000000000555E000-memory.dmp

Filesize
56KB

Download
memory/1400-309-0x00000000059A0000-0x0000000005A3C000-memory.dmp

Filesize
624KB

Download
memory/1400-311-0x0000000005A40000-0x0000000005AD2000-memory.dmp

Filesize
584KB

Download
memory/1400-312-0x0000000005960000-0x000000000596A000-memory.dmp

Filesize
40KB

Download
memory/1400-317-0x0000000005C00000-0x0000000005C24000-memory.dmp

Filesize
144KB

Download
memory/1400-321-0x00000000068B0000-0x00000000069BE000-memory.dmp

Filesize
1.1MB

Download
memory/1400-380-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/1400-379-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/1400-378-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/1400-377-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1400-381-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1400-313-0x0000000005C30000-0x0000000005C86000-memory.dmp

Filesize
344KB

Download
memory/1776-305-0x0000000000400000-0x000000000066E000-memory.dmp

Filesize
2.4MB

Download
memory/3004-555-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/3532-533-0x0000000000830000-0x000000000083A000-memory.dmp

Filesize
40KB

Download
memory/3532-538-0x0000000006740000-0x00000000067B6000-memory.dmp

Filesize
472KB

Download
memory/3532-539-0x0000000006E20000-0x0000000006E3E000-memory.dmp

Filesize
120KB

Download
memory/3884-409-0x00007FFB462F0000-0x00007FFB46300000-memory.dmp

Filesize
64KB

Download
memory/3884-408-0x00007FFB462F0000-0x00007FFB46300000-memory.dmp

Filesize
64KB

Download
memory/3884-407-0x00007FFB462F0000-0x00007FFB46300000-memory.dmp

Filesize
64KB

Download
memory/3884-410-0x00007FFB462F0000-0x00007FFB46300000-memory.dmp

Filesize
64KB

Download
memory/3884-411-0x00007FFB462F0000-0x00007FFB46300000-memory.dmp

Filesize
64KB

Download
memory/3884-416-0x00007FFB44180000-0x00007FFB44190000-memory.dmp

Filesize
64KB

Download
memory/3884-417-0x00007FFB44180000-0x00007FFB44190000-memory.dmp

Filesize
64KB

Download
memory/4016-625-0x000000001B3C0000-0x000000001B4B6000-memory.dmp

Filesize
984KB

Download
memory/4016-624-0x00000000005B0000-0x0000000000676000-memory.dmp

Filesize
792KB

Download
memory/4016-626-0x00000000027D0000-0x00000000027F4000-memory.dmp

Filesize
144KB

Download
memory/4016-627-0x000000001BD50000-0x000000001BE48000-memory.dmp

Filesize
992KB

Download
memory/4016-632-0x00007FFB05250000-0x00007FFB05251000-memory.dmp

Filesize
4KB

Download
memory/4016-633-0x00007FFB05240000-0x00007FFB05241000-memory.dmp

Filesize
4KB

Download
memory/4016-634-0x00007FFB041A0000-0x00007FFB041A1000-memory.dmp

Filesize
4KB

Download
memory/4016-635-0x00007FFB05260000-0x00007FFB05261000-memory.dmp

Filesize
4KB

Download
memory/4016-636-0x00007FFB05270000-0x00007FFB05271000-memory.dmp

Filesize
4KB

Download
memory/4016-637-0x00007FFB052E0000-0x00007FFB052E1000-memory.dmp

Filesize
4KB

Download
memory/4256-619-0x0000000000730000-0x0000000000762000-memory.dmp

Filesize
200KB

Download