2e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e

Analysis

max time kernel
996s
max time network
935s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-12-2024 23:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AutoClicker-3.0.exe
Size

844KB
MD5

7ecfc8cd7455dd9998f7dad88f2a8a9d
SHA1

1751d9389adb1e7187afa4938a3559e58739dce6
SHA256

2e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e
SHA512

cb05e82b17c0f7444d1259b661f0c1e6603d8a959da7475f35078a851d528c630366916c17a37db1a2490af66e5346309177c9e31921d09e7e795492868e678d
SSDEEP

12288:GaWzgMg7v3qnCiWErQohh0F49CJ8lnybQg9BFg9UmTRHlM:BaHMv6CGrjBnybQg+mmhG

Score

8^/10

steam defense_evasion discovery persistence phishing

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
2260	SteamSetup (1).exe
4820	steamservice.exe
3288	steam.exe
13596	steam.exe
13648	steamwebhelper.exe
13724	steamwebhelper.exe
13808	steamwebhelper.exe
13940	steamwebhelper.exe
14224	gldriverquery64.exe
14320	steamwebhelper.exe
14452	steamwebhelper.exe
14736	gldriverquery.exe
14788	vulkandriverquery64.exe
14880	vulkandriverquery.exe

Loads dropped DLL 53 IoCs

pid	Process
2260	SteamSetup (1).exe
2260	SteamSetup (1).exe
2260	SteamSetup (1).exe
2260	SteamSetup (1).exe
2260	SteamSetup (1).exe
2260	SteamSetup (1).exe
2260	SteamSetup (1).exe
2260	SteamSetup (1).exe
13596	steam.exe
13596	steam.exe
13596	steam.exe
13596	steam.exe
13596	steam.exe
13596	steam.exe
13596	steam.exe
13596	steam.exe
13596	steam.exe
13596	steam.exe
13596	steam.exe
13596	steam.exe
13596	steam.exe
13596	steam.exe
13596	steam.exe
13596	steam.exe
13648	steamwebhelper.exe
13648	steamwebhelper.exe
13648	steamwebhelper.exe
13648	steamwebhelper.exe
13724	steamwebhelper.exe
13724	steamwebhelper.exe
13724	steamwebhelper.exe
13808	steamwebhelper.exe
13808	steamwebhelper.exe
13596	steam.exe
13808	steamwebhelper.exe
13808	steamwebhelper.exe
13808	steamwebhelper.exe
13808	steamwebhelper.exe
13808	steamwebhelper.exe
13808	steamwebhelper.exe
13808	steamwebhelper.exe
13596	steam.exe
13940	steamwebhelper.exe
13940	steamwebhelper.exe
13940	steamwebhelper.exe
13596	steam.exe
14320	steamwebhelper.exe
14320	steamwebhelper.exe
14320	steamwebhelper.exe
14452	steamwebhelper.exe
14452	steamwebhelper.exe
14452	steamwebhelper.exe
14452	steamwebhelper.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"	SteamSetup (1).exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
7	raw.githubusercontent.com
46	raw.githubusercontent.com

Detected potential entity reuse from brand STEAM.
phishing steam

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\btnOvrOffTop.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_050_menu_0130.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_110_social_0060.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sd_ltrackpad_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\switchpro_dpad_down_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\filter_banned_spanish.txt.gz_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_045_move_0180.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\minithrobber12.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_rtrackpad_ring_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_button_b_lg-1.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\xbox_button_select_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\filter_banned_greek.txt.gz_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\aboutdialog.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_035_magic_0327.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_040_act_0307.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\cef\cef.win7x64\snapshot_blob.bin_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sc_dpad_up_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_lstick_touch_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps4_r2_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_color_button_a_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_lstick_down_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_trackpad_ring_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tenfoot_images_all.zip.vz.193cb8c4eb4446698ea2c0a9e8c4e6b6a623dac7_5572671	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\localization\steamui_koreana-json.js_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\filter_banned_dutch.txt.gz_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\announcement_arrow.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\localization\xbox_360_czech.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps5_r2_soft_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_touch_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\xbox_button_logo_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sd_ltrackpad_down_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_040_act_0325.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_030_inv_0315.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_l2.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\friends\broadcastapprovenotification.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\sounds\ui_steam_message_old_smooth.m4a_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps_button_x_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_color_outlined_button_y_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\scrRight.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_gyro_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sd_ltrackpad.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sd_ltrackpad_up_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\xbox_button_share_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\filter_banned_russian.txt.gz_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_moderatorstar.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\cef\cef.win7x64\locales\kn.pak_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sd_button_view.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_trackpad_r_click_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_button_x.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_lstick_right_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_010_wpn_0425.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps4_trackpad_down_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps_color_button_x.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps5_trackpad_r_click.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\switchpro_l2_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\clientui\fonts\clientui.uifont_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_lstick_right_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\xbox360_button_start_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_trackpad_l_ring_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_035_magic_0343.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\steamui_postlogon_italian.txt_	steam.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	steamwebhelper.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\SteamSetup (1).exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gldriverquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vulkandriverquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoClicker-3.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MS 0735.6+7421-safety.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SteamSetup (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamservice.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steamwebhelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steamwebhelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 41 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\steam\DefaultIcon	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\steam	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\ = "URL:steam protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\steamlink\Shell	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\steamlink\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\DefaultIcon	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\steamlink	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\steamlink\URL Protocol	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\URL Protocol	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\DefaultIcon	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\steamlink\DefaultIcon	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\URL Protocol	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\steam\URL Protocol	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\steam\Shell	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\steam\ = "URL:steam protocol"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\steam\Shell\Open	steamservice.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 444978.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 33714.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\SteamSetup (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MS 0735.6+7421.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1920	chrome.exe
1920	chrome.exe
4520	msedge.exe
4520	msedge.exe
5876	msedge.exe
5876	msedge.exe
456	msedge.exe
456	msedge.exe
6052	identity_helper.exe
6052	identity_helper.exe
2320	msedge.exe
2320	msedge.exe
3508	msedge.exe
3508	msedge.exe
3392	msedge.exe
3392	msedge.exe
1452	msedge.exe
1452	msedge.exe
3716	identity_helper.exe
3716	identity_helper.exe
3288	msedge.exe
3288	msedge.exe
2260	SteamSetup (1).exe
2260	SteamSetup (1).exe
2260	SteamSetup (1).exe
2260	SteamSetup (1).exe
2260	SteamSetup (1).exe
2260	SteamSetup (1).exe
2260	SteamSetup (1).exe
2260	SteamSetup (1).exe
2260	SteamSetup (1).exe
2260	SteamSetup (1).exe
2260	SteamSetup (1).exe
2260	SteamSetup (1).exe
2260	SteamSetup (1).exe
2260	SteamSetup (1).exe
2260	SteamSetup (1).exe
2260	SteamSetup (1).exe
2260	SteamSetup (1).exe
2260	SteamSetup (1).exe
2260	SteamSetup (1).exe
2260	SteamSetup (1).exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
13596	steam.exe
13596	steam.exe
13596	steam.exe
13596	steam.exe
13596	steam.exe
13596	steam.exe
13596	steam.exe
13596	steam.exe
13596	steam.exe
13596	steam.exe
13596	steam.exe
13596	steam.exe
13596	steam.exe
13596	steam.exe
13596	steam.exe
13596	steam.exe
13596	steam.exe
13596	steam.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
13596	steam.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 31 IoCs

pid	Process
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: 33	2164	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2164	AUDIODG.EXE
Token: SeSecurityPrivilege	4820	steamservice.exe
Token: SeSecurityPrivilege	4820	steamservice.exe
Token: SeShutdownPrivilege	13648	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	13648	steamwebhelper.exe
Token: SeShutdownPrivilege	13648	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	13648	steamwebhelper.exe
Token: SeShutdownPrivilege	13648	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	13648	steamwebhelper.exe
Token: SeShutdownPrivilege	13648	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	13648	steamwebhelper.exe
Token: SeShutdownPrivilege	13648	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	13648	steamwebhelper.exe
Token: SeShutdownPrivilege	13648	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	13648	steamwebhelper.exe
Token: SeShutdownPrivilege	13648	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	13648	steamwebhelper.exe
Token: SeShutdownPrivilege	13648	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	13648	steamwebhelper.exe
Token: SeShutdownPrivilege	13648	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	13648	steamwebhelper.exe
Token: SeShutdownPrivilege	13648	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	13648	steamwebhelper.exe
Token: SeShutdownPrivilege	13648	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	13648	steamwebhelper.exe
Token: SeShutdownPrivilege	13648	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	13648	steamwebhelper.exe
Token: SeShutdownPrivilege	13648	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	13648	steamwebhelper.exe
Token: SeShutdownPrivilege	13648	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	13648	steamwebhelper.exe
Token: SeShutdownPrivilege	13648	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	13648	steamwebhelper.exe
Token: SeShutdownPrivilege	13648	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	13648	steamwebhelper.exe
Token: SeShutdownPrivilege	13648	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	13648	steamwebhelper.exe
Token: SeShutdownPrivilege	13648	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	13648	steamwebhelper.exe
Token: SeShutdownPrivilege	13648	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	13648	steamwebhelper.exe
Token: SeShutdownPrivilege	13648	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	13648	steamwebhelper.exe
Token: SeShutdownPrivilege	13648	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	13648	steamwebhelper.exe
Token: SeShutdownPrivilege	13648	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	13648	steamwebhelper.exe
Token: SeShutdownPrivilege	13648	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	13648	steamwebhelper.exe
Token: SeShutdownPrivilege	13648	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	13648	steamwebhelper.exe
Token: SeShutdownPrivilege	13648	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	13648	steamwebhelper.exe
Token: SeShutdownPrivilege	13648	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	13648	steamwebhelper.exe
Token: SeShutdownPrivilege	13648	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	13648	steamwebhelper.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe

Suspicious use of SendNotifyMessage 39 IoCs

pid	Process
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
13648	steamwebhelper.exe
13648	steamwebhelper.exe
13648	steamwebhelper.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2260	SteamSetup (1).exe
4820	steamservice.exe
13596	steam.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 5208	1920	chrome.exe	80
PID 1920 wrote to memory of 5208	1920	chrome.exe	80
PID 1920 wrote to memory of 660	1920	chrome.exe	81
PID 1920 wrote to memory of 660	1920	chrome.exe	81
PID 1920 wrote to memory of 660	1920	chrome.exe	81
PID 1920 wrote to memory of 660	1920	chrome.exe	81
PID 1920 wrote to memory of 660	1920	chrome.exe	81
PID 1920 wrote to memory of 660	1920	chrome.exe	81
PID 1920 wrote to memory of 660	1920	chrome.exe	81
PID 1920 wrote to memory of 660	1920	chrome.exe	81
PID 1920 wrote to memory of 660	1920	chrome.exe	81
PID 1920 wrote to memory of 660	1920	chrome.exe	81
PID 1920 wrote to memory of 660	1920	chrome.exe	81
PID 1920 wrote to memory of 660	1920	chrome.exe	81
PID 1920 wrote to memory of 660	1920	chrome.exe	81
PID 1920 wrote to memory of 660	1920	chrome.exe	81
PID 1920 wrote to memory of 660	1920	chrome.exe	81
PID 1920 wrote to memory of 660	1920	chrome.exe	81
PID 1920 wrote to memory of 660	1920	chrome.exe	81
PID 1920 wrote to memory of 660	1920	chrome.exe	81
PID 1920 wrote to memory of 660	1920	chrome.exe	81
PID 1920 wrote to memory of 660	1920	chrome.exe	81
PID 1920 wrote to memory of 660	1920	chrome.exe	81
PID 1920 wrote to memory of 660	1920	chrome.exe	81
PID 1920 wrote to memory of 660	1920	chrome.exe	81
PID 1920 wrote to memory of 660	1920	chrome.exe	81
PID 1920 wrote to memory of 660	1920	chrome.exe	81
PID 1920 wrote to memory of 660	1920	chrome.exe	81
PID 1920 wrote to memory of 660	1920	chrome.exe	81
PID 1920 wrote to memory of 660	1920	chrome.exe	81
PID 1920 wrote to memory of 660	1920	chrome.exe	81
PID 1920 wrote to memory of 660	1920	chrome.exe	81
PID 1920 wrote to memory of 404	1920	chrome.exe	82
PID 1920 wrote to memory of 404	1920	chrome.exe	82
PID 1920 wrote to memory of 1188	1920	chrome.exe	83
PID 1920 wrote to memory of 1188	1920	chrome.exe	83
PID 1920 wrote to memory of 1188	1920	chrome.exe	83
PID 1920 wrote to memory of 1188	1920	chrome.exe	83
PID 1920 wrote to memory of 1188	1920	chrome.exe	83
PID 1920 wrote to memory of 1188	1920	chrome.exe	83
PID 1920 wrote to memory of 1188	1920	chrome.exe	83
PID 1920 wrote to memory of 1188	1920	chrome.exe	83
PID 1920 wrote to memory of 1188	1920	chrome.exe	83
PID 1920 wrote to memory of 1188	1920	chrome.exe	83
PID 1920 wrote to memory of 1188	1920	chrome.exe	83
PID 1920 wrote to memory of 1188	1920	chrome.exe	83
PID 1920 wrote to memory of 1188	1920	chrome.exe	83
PID 1920 wrote to memory of 1188	1920	chrome.exe	83
PID 1920 wrote to memory of 1188	1920	chrome.exe	83
PID 1920 wrote to memory of 1188	1920	chrome.exe	83
PID 1920 wrote to memory of 1188	1920	chrome.exe	83
PID 1920 wrote to memory of 1188	1920	chrome.exe	83
PID 1920 wrote to memory of 1188	1920	chrome.exe	83
PID 1920 wrote to memory of 1188	1920	chrome.exe	83
PID 1920 wrote to memory of 1188	1920	chrome.exe	83
PID 1920 wrote to memory of 1188	1920	chrome.exe	83
PID 1920 wrote to memory of 1188	1920	chrome.exe	83
PID 1920 wrote to memory of 1188	1920	chrome.exe	83
PID 1920 wrote to memory of 1188	1920	chrome.exe	83
PID 1920 wrote to memory of 1188	1920	chrome.exe	83
PID 1920 wrote to memory of 1188	1920	chrome.exe	83
PID 1920 wrote to memory of 1188	1920	chrome.exe	83
PID 1920 wrote to memory of 1188	1920	chrome.exe	83
PID 1920 wrote to memory of 1188	1920	chrome.exe	83

C:\Users\Admin\AppData\Local\Temp\AutoClicker-3.0.exe
"C:\Users\Admin\AppData\Local\Temp\AutoClicker-3.0.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7ffaf31bcc40,0x7ffaf31bcc4c,0x7ffaf31bcc58
  2⤵
  PID:5208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1968,i,16729468442280424436,14815984017210527839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1964 /prefetch:2
  2⤵
  PID:660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1776,i,16729468442280424436,14815984017210527839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2000 /prefetch:3
  2⤵
  PID:404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,16729468442280424436,14815984017210527839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2212 /prefetch:8
  2⤵
  PID:1188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,16729468442280424436,14815984017210527839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:5704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,16729468442280424436,14815984017210527839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4424,i,16729468442280424436,14815984017210527839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:2700

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaf2f93cb8,0x7ffaf2f93cc8,0x7ffaf2f93cd8
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,6700122501184331390,17339165884181339679,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,6700122501184331390,17339165884181339679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1992 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,6700122501184331390,17339165884181339679,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2380 /prefetch:8
  2⤵
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6700122501184331390,17339165884181339679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6700122501184331390,17339165884181339679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6700122501184331390,17339165884181339679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6700122501184331390,17339165884181339679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
  2⤵
  PID:1272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,6700122501184331390,17339165884181339679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6700122501184331390,17339165884181339679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
  2⤵
  PID:5940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6700122501184331390,17339165884181339679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6700122501184331390,17339165884181339679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,6700122501184331390,17339165884181339679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6700122501184331390,17339165884181339679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:5124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6700122501184331390,17339165884181339679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2100 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6700122501184331390,17339165884181339679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,6700122501184331390,17339165884181339679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3408 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6700122501184331390,17339165884181339679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:5816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6700122501184331390,17339165884181339679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
  2⤵
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6700122501184331390,17339165884181339679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
  2⤵
  PID:6116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2360

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2328

C:\Users\Admin\AppData\Local\Temp\Temp1_MS 0735.6+7421.zip\MS 0735.6+7421-safety.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_MS 0735.6+7421.zip\MS 0735.6+7421-safety.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1968

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004B8 0x00000000000004D0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaf2f93cb8,0x7ffaf2f93cc8,0x7ffaf2f93cd8
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,6328537934219483454,3591486356579041060,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1960 /prefetch:2
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,6328537934219483454,3591486356579041060,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,6328537934219483454,3591486356579041060,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2528 /prefetch:8
  2⤵
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6328537934219483454,3591486356579041060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6328537934219483454,3591486356579041060,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6328537934219483454,3591486356579041060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6328537934219483454,3591486356579041060,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
  2⤵
  PID:5976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1948,6328537934219483454,3591486356579041060,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3756 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6328537934219483454,3591486356579041060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,6328537934219483454,3591486356579041060,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3276 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6328537934219483454,3591486356579041060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:5852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6328537934219483454,3591486356579041060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6328537934219483454,3591486356579041060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
  2⤵
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6328537934219483454,3591486356579041060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1948,6328537934219483454,3591486356579041060,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6328537934219483454,3591486356579041060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6328537934219483454,3591486356579041060,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6328537934219483454,3591486356579041060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6328537934219483454,3591486356579041060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:5868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6328537934219483454,3591486356579041060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1724 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6328537934219483454,3591486356579041060,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1948,6328537934219483454,3591486356579041060,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6164 /prefetch:8
  2⤵
  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1948,6328537934219483454,3591486356579041060,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6252 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3288
- C:\Users\Admin\Downloads\SteamSetup (1).exe
  "C:\Users\Admin\Downloads\SteamSetup (1).exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2260
- - C:\Program Files (x86)\Steam\bin\steamservice.exe
    "C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,6328537934219483454,3591486356579041060,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4528 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3128

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:3288
- C:\Program Files (x86)\Steam\steam.exe
  "C:\Program Files (x86)\Steam\steam.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:13596
- - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
    "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=13596" "-buildid=1733265492" "-steamid=0" "-logdir=C:\Program Files (x86)\Steam\logs" "-uimode=7" "-startcount=0" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Program Files (x86)\Steam\clientui" "-steampath=C:\Program Files (x86)\Steam\steam.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write "--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt" --disable-quick-menu "--enable-features=PlatformHEVCDecoderSupport" "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal,ValveFFmpegAllowLowDelayHEVC"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SendNotifyMessage
    PID:13648
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=crashpad-handler /prefetch:4 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files (x86)\Steam\dumps" "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1733265492 --initial-client-data=0x298,0x29c,0x2a0,0x294,0x2a4,0x7ffadeabaf00,0x7ffadeabaf0c,0x7ffadeabaf18
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:13724
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1572,i,5515497164870313037,18149245786536662252,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=1340 --mojo-platform-channel-handle=1564 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:13808
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --field-trial-handle=2220,i,5515497164870313037,18149245786536662252,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=2224 --mojo-platform-channel-handle=2216 /prefetch:11
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:13940
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --field-trial-handle=2744,i,5515497164870313037,18149245786536662252,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=2752 --mojo-platform-channel-handle=2740 /prefetch:13
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:14320
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,5515497164870313037,18149245786536662252,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=3096 --mojo-platform-channel-handle=3088 /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:14452
- - C:\Program Files (x86)\Steam\bin\gldriverquery64.exe
    .\bin\gldriverquery64.exe
    3⤵
    - Executes dropped EXE
    PID:14224
- - C:\Program Files (x86)\Steam\bin\gldriverquery.exe
    .\bin\gldriverquery.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:14736
- - C:\Program Files (x86)\Steam\bin\vulkandriverquery64.exe
    .\bin\vulkandriverquery64.exe
    3⤵
    - Executes dropped EXE
    PID:14788
- - C:\Program Files (x86)\Steam\bin\vulkandriverquery.exe
    .\bin\vulkandriverquery.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:14880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Steam\Steam.exe

Filesize
4.2MB

MD5
33bcb1c8975a4063a134a72803e0ca16

SHA1
ed7a4e6e66511bb8b3e32cbfb5557ebcb4082b65

SHA256
12222b0908eb69581985f7e04aa6240e928fb08aa5a3ec36acae3440633c9eb1

SHA512
13f3a7d6215bb4837ea0a1a9c5ba06a985e0c80979c25cfb526a390d71a15d1737c0290a899f4705c2749982c9f6c9007c1751fef1a97b12db529b2f33c97b49

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
16KB

MD5
1b5d75bfe0b7da2b82d42b6c4543c15a

SHA1
eb116436d4f1bf97c52fd346f948682298a4dda5

SHA256
f02f2b4d9dd064ccc4e57ca94d122b48dd5112f5d73c26648a949a279e528f66

SHA512
0efdbff2edd8f05b82207664ae64c06314a0768e272c628630e30d4f006457675b8acf12c0c2a2c15c35528a954de3ba06ad0a7b6821c83c3b314cafe7f31494

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
1KB

MD5
a2ec2e91c3ef8c42e22c4887d032b333

SHA1
e2c738a2e9400535b74e2263c7e7d1ecefe575f2

SHA256
8f9f970835f133258a7f740126012439385bbaa5a1d6a9d0d967a390977441c3

SHA512
b069d241efb19e09ec8b5e60ef6c43e00d5cc0f774b9340127c2180356dd1964ac625c1afdfaee5f99e72b26f56046fc329aadbbc365b403af765a55e9c9aab3

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf~RFe5b65bb.TMP

Filesize
1KB

MD5
6e6a2b18264504cc084caa3ad0bfc6ae

SHA1
b177d719bd3c1bc547d5c97937a584b8b7d57196

SHA256
f3847b5e4a40d9cf76df35398bb555117dfe3626c00a91f2babdedb619d6ad53

SHA512
74199ff275400b451642cde0a13b56709735676959d65da11ac76dd645ab11dac5de048ff7ede0cb8adb3a3056b3ecbeb3dc7481bac3768d02051e564c74b679

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_

Filesize
15KB

MD5
577b7286c7b05cecde9bea0a0d39740e

SHA1
144d97afe83738177a2dbe43994f14ec11e44b53

SHA256
983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824

SHA512
8cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_news_mousedown.tga_

Filesize
20KB

MD5
00bf35778a90f9dfa68ce0d1a032d9b5

SHA1
de6a3d102de9a186e1585be14b49390dcb9605d6

SHA256
cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2

SHA512
342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041

Download Submit
C:\Program Files (x86)\Steam\package\tmp\resource\filter_clean_bulgarian.txt.gz_

Filesize
23B

MD5
836dd6b25a8902af48cd52738b675e4b

SHA1
449347c06a872bedf311046bca8d316bfba3830b

SHA256
6feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64

SHA512
6ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\8986c852-f403-46c4-8552-21f39a652ce9.tmp

Filesize
356B

MD5
1a78e13a96fed0810457d8bc09d98628

SHA1
9b33f4c1ea3c7772f84da6d998ab1866cbeaa05d

SHA256
9cacbec54e0aa9092ce422e27efa523c8b00e44d4dc927e506f08fb2760ad47c

SHA512
3216a7be18f69099ceca85dd6c8a9e76457ca05c387fffb2ef93de4b298234b988f03f9d595ef1d579b635473ba8464facd370f9ece51ae12c925f2860d65b3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
bc45b5378c374583a508d67939e99b4e

SHA1
655c2c63d15803b43d03d6c767e70c2d7b4c8ac9

SHA256
569dddd465f1714ed6a5a1e90465cff63caa17ebc1012cd39390e3d67296114e

SHA512
71c7e4465149385254e94991a5207a2cb18be44468485e6fc3a35368797f66444f39084a683afe73690f78804966723dfaabb8bf2a2f5c4945f796b910004e4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a659229f5902330f222ccab6b113f96b

SHA1
76e9ea4ae06437dae34fd498a22a2c1ee0aaf20e

SHA256
ef4f94012473309a3cad7a8d4e2bc6ce1e1535a4d7397bf39109537c60053616

SHA512
d34708f10529900a996f2084d4247e1f3c8d2294d83634b9fcc6b7b99a0e6704736186ad8c638438ec005876be8023e030766d23997eb4d98b1416a5e4503f13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
b974b4de5b822e542bd7b5d0558c9c5e

SHA1
f634c6671936c74aa52a8fd57635b4289ae04a74

SHA256
c9d9fb40003927f7cbbc5e727958d5ffaad9090ccae8bf9be954e746e253e0b8

SHA512
5e353c4432d8962f5c28defe83a5dc2c30eb84d92d8f721ba2b8aa53ec0c0ed3aac60dfebd0de830e159911666f241da1b2fe417c7a71e13b0465f05d1aa81c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e11c77d0fa99af6b1b282a22dcb1cf4a

SHA1
2593a41a6a63143d837700d01aa27b1817d17a4d

SHA256
d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0

SHA512
c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c0a1774f8079fe496e694f35dfdcf8bc

SHA1
da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3

SHA256
c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb

SHA512
60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4f393b8373127ea5b099c6e274bb1695

SHA1
539ee618530e87b902505d44bc9dda425865c823

SHA256
61946c8e0ffbc4c7768740d97bd997dcfb368de67aabd3fea8fb6d90f0f6262a

SHA512
307ea10f9b47d3de72dac8ee1ad17935cce3f6bc86be354321aa282167752c7829dafed922c6aca1777ff3c106f62a88374ceecac9f6bcc15db1b88b137c9d76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d843fb39d87aa517983a80ffc627727

SHA1
ae7adb1e933e2f883cfd9c3ff14cc6090c4ac0cf

SHA256
205e4e39ed5981b3c80a7cd2496e867dc78c486a949e08181cb65350f4115883

SHA512
e8d7e719fafd2f1e15080aab3d409d423559e76d436761821f299789bc215ea0258c07e468ef68d5040047c4000df187d53ad57ffe79a89c8469a8b41315d766

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\25012dfb-3df0-46c3-a2b9-93696a785e48.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
ac036fa9cd6fc9f5ab16bf743497e7a1

SHA1
48425025fee295fee8c1fc98d0e8d29d8af9f8dd

SHA256
3befda14d0d3434d531772679e579c30788f752f8b7edcafe4c4c1480bdd1d0b

SHA512
46a503fb565402d583097c80c52464ed98586c875bec04b79ec19aff44edd06b9dca06f9f4be0de78a033cb30a88d488dfbd6da24574744664cd12b6d73836d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
33804214ad3795929a2f789ac02e3d27

SHA1
a3ef289a66b4c81e4411a339b5edd1ef7919d067

SHA256
a754e0ad7dde7e3e9ad2ee3a46fdc9bca361c37d20c52af01cdc79cc92fca47a

SHA512
e1f2daf21c963eee90744736c5d9d7bad07f00cb6f56cde26234b7e60b96b0e5496941b9188330268d3a548388a9f359e665c148b5e13923c556281e22098b13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
dfd91aefd9adfabb98306f95bf23be6a

SHA1
9f0e4f03b63c852a4e98c2b974c0b4d9d87bfce7

SHA256
e263c4fa73a17ce1234d4707a265e62783d8f4b133017371faee28bc74bd9930

SHA512
451d65ea1fe4d9c2e888256fa29872c9765f9780a76912472b377f03ac48b2e10b16a001a6e8b30b8dbabb1dd895198c5c8f9c3d7eec2ab34aa03b00f244a820

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
fa8f273a63a96678f34e321ac818c050

SHA1
a0094bf0b227a6b0ed8afe2be8862ecd71e2ce26

SHA256
0b5ed140327630473a565f5a41943c311741480d6e920cf6b12352727d98463d

SHA512
e49fcb4c476ac986cbcdcb8550c632afd4dbffaca79f431d6a5d74b5f51ab0be27c8c93b896d904f74e7c5d771ab366164636e71e9bd11b6016727ecf2334f0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
11b6b5bc8972d3bf76b51726ad1afe2a

SHA1
3d9399a5a39e4c96bf5db0b02b373868714afe8a

SHA256
0684fa3333ec20e9fa0b5f9e2ebffc7d4e0ddc79328bbd21bfac01605298bb86

SHA512
24a5b20d849434ee5fc0602236f734f5a3c1ddb9aa6f18396164aadd43d0a23d37fbb90504992bb94b74d3dfd077df6bd9fa5ef5c465cca1770be0f52bf23847

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
cfd058be7acab34eb0d7b4b0c38aa942

SHA1
96565fa92c0f449d75d0dbafbe7c480e5c231529

SHA256
a39450de35c150311b0ab21b769677e1d56aaed38f4d9f91b4f53e2ce2e8d118

SHA512
5cb153b3a693878207655d71cecdb30d16daa8faa0330e3fb7a53e6b8f84010e9f1cd397ea424b21a37bbd457f7babbd5cd33361da50d469db2c5ee59ce97ca3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
28KB

MD5
15e26280f13b3d4d24b6e71b6bc93b52

SHA1
bbb3312b6660506177cf0837a292c3a275f04e46

SHA256
407a8c29a5adc7f917a6d588ef0ad197b23bfc0af4ee294563e1888bbeec279c

SHA512
dd609856f4613e27054e799355a0761f38401a05e0d5e8327be99123dabc4988d00331b50e3db21cbabb8e02c006a180eaa8fd81bc51b58204517a23e60e9053

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
28KB

MD5
1ada8daf0760b4abdabec6d291622b66

SHA1
4eaa8bb0ba16c9f8e41fb315c7ea3888eddeed4b

SHA256
f3cc48868a9668f885247da13bf568790a7f3807f1feee3b01c678e4ed8d5633

SHA512
ad2f29a9f49ee2f3e8d153c689a6b2b3de0732530dc126cfbca769aa791c503c75c312750dd12be5fb4b0b15992dd016a41dd0ac377aba888b1cb513b6ea9df7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
fd9b39a0f055ec7a86630647c4f000c8

SHA1
4c788793fb3f88969777b92bdcb1c29814ac7af4

SHA256
43c14d4a730d086403eb495bb3ff3bde9853a34397d2f48938ae815fb7b5b025

SHA512
38e8819d518624fd2c2f5d88adf48cc37d4d067477f750e07cc0bc72a59eb3174316f5edcb312608d2c0b108ad67989b89fff5ff793777a4e71e33864dc6b845

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
66665999666cc1d285c9ea894351981f

SHA1
52b21d56c10fd31715298dbb10c506449bde25ae

SHA256
563cb6cffffdc8d7f5f5c67282920af97ceffe9f6a2089b29808dc3ae237fcb9

SHA512
1a125f5b20e8de8f05fbd45173d7d351602f5701f253aab7640dcee9f87d74bf11c9d0615dff857317e8fbab71db24d943f7b6e2cc2f8ef313636c49b0bfa941

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
4KB

MD5
d9b396cfb5910d59e6c040852e0d87d0

SHA1
16910dfcc2df15f35ffdb501f67fbc7234b30b4b

SHA256
054e60b9f6db25ef92f35b41e878ed1eb784ead35f34840c9d1d4c00ba8b4b2e

SHA512
d3ae1c01b0b381f57d33fb6f8310c6f77de67a2b51b332e1871bbbff3d3a15e8b0fe4779463775194c69ef1cd16fad087b54c4f49a0750a9e18cf3a263c79637

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
12KB

MD5
7169780cfa61478064f4192cb4f41fb5

SHA1
1c5cb41847af2729e428c5f31c2aa85fc92a21d9

SHA256
7476c68405ec349cd0e697da04ab2242cffbdefd086f1a54fd6974f6a5ec5672

SHA512
06ee2234d050c346b0ebef2b5d320cfa5b7732c5f0776350aed6f50663ec12b8b25f0682e11929e9c6f6f8647af3902eb270ce1cfac4d8c586f5b8a8c4cc7c39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
9de4feedf3ddb2bf59ff5bf70eb962b7

SHA1
a53f25f5b77779c031e81b372b099a988276aa84

SHA256
6cfc30e6eced714b8ff214460727711e670ca76d350cc5b24fd2e501083eab0a

SHA512
d5238fbe3dd24adde0c7c7b150122fd5d362313f87d4b469c5e1ff87299d3349db21809dd804e46d4e4f5e351ae1cf995d3d592658d9b87bc93c469d9de6cd31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
000fd2fe24469c294f911e1215ebd84c

SHA1
d6044cee807fc96d712cbdfc2fd5b6e89f57a37e

SHA256
d97c5fdef96fac4aed91bd09194a1ef107fc71e40b78c63a8b57b7a23f679405

SHA512
d38475bab9592292af5553538a007c1afa309d96fab373df004f69f23993891c0d5beb109fcbc3785c49100b15dd73146864115e7e40d6d94945dfc299fbd079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
291da2926c2d6fb94b96fbb472d4a980

SHA1
c0445396b0cf9b68cb2462c1c3b76307dc117db1

SHA256
dddaba2eca296b0dc56ab798a060c6d7d3795d6fcdabafe6aff2fdbf30d42534

SHA512
9f22e0ae57b775218e0dd600364f9d65a945fd25923cff6eb85d2a274cbecd884002d47f16da746032a1433c6b4a2b1d283f3514c21f66f17f1937735306cc91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
4aed5e13e7a4eef67096ac6a3b843451

SHA1
c93dcc71ceb68e21e754a08bd03b46b86f959766

SHA256
d4650953994175c2c3c8c6fc1fdaa1fee79a645b6f1acf544c0011ccda50003d

SHA512
1ccaf34fb3ccf8f93dcc3a47ce63a5e8203e045cc56c608b9a8adfd1e70ed50d9a156258014534fbb714a99c43685344394ca4c9503ddafbf5b42481e3d42722

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
e2b8b529461fa8685716abcb8e66caaf

SHA1
ddda21310ec773df9298148669ebce2b577c052a

SHA256
f79663d76a490172691bffcae5cd7d76eb9ed0dcd46e690a6f38e978570b088e

SHA512
bc5e7dfd69a32dff06650fc0ae6ee28d6eeca201b45fdf17bf49fdc3d942da76f6f15bb1de1c96ce0e535b98365f5b203f3ac09fc59f5d349245be502ad4e20f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
871B

MD5
2a675eecafd5f9aabbb1b2ecf306860f

SHA1
df8dcb0dafda3f37976dbf60ec735c6fe0de3cc2

SHA256
6d22aee022b807616fe22fecdfc6b8f29c8a7cf72eb81f1a0fd8b6fa1d90ea0a

SHA512
fa425c84ae7d0eb98bfe77b569ce456e3f8c2577c920615cf3755a87c2f7494cdc58e676db0c74f83f2c3fab1b448786237cb88db3e972bba370fb00266aaa19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
02b25431031f3e4e509629f2f8d6d78d

SHA1
ed4a2ee364fe9e4198365ad3178e5ca59e4fe497

SHA256
bf6409ec386fdb6c99c59becdeac864ad1b4767d10835293fc3dda09f5a2c38c

SHA512
af08fec4865dac30a5bf33901ed0b76adb06fa13edac1f33de08e31737886f59cdbdde13c3613c8a2e4409f7caafd6f2c877dff7453f9a42b956c048d1f85757

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
21a6a1a3a3de86a27e94f06a7204955d

SHA1
a918631f783a71bbb2976e3ab065116f06ef8b16

SHA256
f5d81f5239580be92a75a8563032aaae0cc8d55eabd67af530991a0d8228e3be

SHA512
f7cd4f81f8eb888e5ad135f4d75dacc0eb907354df0b7ce435f6d1989e4e18ba7a57c8a8a8870b1700ab71ea619431ac098420c8f99d3d2cf08cb7eba8f6be55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c2172d74b3caf3bc7da940913d14b7f9

SHA1
18802d25ca1983fc6701a31f89598a4cced07204

SHA256
156836d9e06e8735d50c730e78ccb2eae0015c502e41b7b57e891c4f00b10d2d

SHA512
805b402d4bad5ce7ae4437a41dc706cf520fe0808e6b8035699beda5e7e440429603a1586f083f6758c8dc4764407ef63faf9e517d8664e4b5e106b776dc6ad0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0ca2b52d72c5adc9c590fb17cc6b07a2

SHA1
68f7d1e484a747e21948c6b3f3e06c93df5d8f8e

SHA256
4b60bc4fb42fd0c828aac8ed9e76eec8a8a7b9717cb54a6120b896849a4fa00c

SHA512
e3d2031b7bac3ab9c0ce46d17e8cedf7ec0aaa875103cc45c073b49aa53eafa7ba8c43e31be420bfaab6f7cca0afcbf8537654848a60619c0a9fd3327b9a1861

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dbad6163c4c212301b101c1476a845a0

SHA1
120a1ca071037a5746d55c06d4e445f99b1301e4

SHA256
c0a8ea2b3b53497d9f2016d4571202dfa1c68930978493e558686b682cc410fc

SHA512
cc11a9e85d1f2f36702c27b53605651b4d51d4d1022fb727d9e6624d59cb9fbc4c1ff7f07b59f565cb02d14522bf909d406b22fa4aca59f2e62079ec26a71b66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fd7d6bbe81d8de46882d82fa1288780f

SHA1
18089866be4e61ca3e4c9ce2641340b411a00d91

SHA256
411ac170445ff114d01a7b3c6000a7f0430dab92f44ab6ab88f49af4edb788b2

SHA512
6532f9412257ab9132f78524fc363a94f456dae46f10e8752b76579ca177a73198b79001a7554843c1d5c1545394fcc6e6272e56b2a9d7c322cbd78794ca387f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
09dcce194486d0194d1b8be6a2b341f2

SHA1
c0a994856e28566bee3573d2cd5ec0f9a450c777

SHA256
0d3f89e4894d7ccb87e6a4481e42c00b08e9c386d72a03655ccc999137fab197

SHA512
ba125ee824a1816025c9453b9197775d85ba3dfcf4ac527b196d89a6de52d09dd56ce073dacc3b6b0307768ff5484b1879f56e8b0ab71e13363ca6b32b319a06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e6fa2d12e6abb072e77d58a3c1814047

SHA1
e62bbb62451a41f944db9cb877bec6b010b8ddde

SHA256
fa2caa1f5878c17c7205521449a00981f77e633d6ee96b29261f763ee0cb040e

SHA512
acf4700125d7f644a802a2ddebe015b8752a3c4867be6d4a5ed7b42a8f2db2ad798421a099cc8187ef0fb910cd4eda8c0b74ece17a74fee9f372e5f65b4d0994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
2KB

MD5
d03ee6dbb6f4d25f19845a7d7f92fba8

SHA1
9ee684ece366822db371cf65097cf4220b187edc

SHA256
0141f78c7522f7b1479c69a8c9d5113bb6bfcae1583210dc31a55c0f875b9bac

SHA512
8ae1047dc1503089e8178f469c0dc3006d5947f8c38cc0a89c9f3c03b0d18af42fbb70a53af4ced307458e3a79521cd4629b6bf3013fb915db1b8b3af5caa1f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
322B

MD5
9227476c5fc7d426d978bf06b84afa25

SHA1
2a45c0db42f9a7e2d5b9e7592de93fbabbd94f29

SHA256
277a476dccc787c6846afcd4cb666bf66a6aec8ed8590bba685feee4941dab72

SHA512
be40008f9df7cb881e7b3571e6d07b358386f1675b8baedf940418d24793244729257f0534130e1bd94651765b6e2d1cfe3ce600046546b385932fcef780cf9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13379297398441633

Filesize
15KB

MD5
ed11036841b2f8a2f1eb9241619c4e4a

SHA1
1806e212e235ceaff271ffdb8cf14d93236a8419

SHA256
73dda0fc18adb4b2e9c521abbde88a4ed82d6668ac9f94caca30d457beb15e7f

SHA512
58465ca73b2525c218fb62a4acbbf66fcd3f75d808e32ee92561449d51b0276486854cdb9a45453ec12fb0aa3084a9561e54c19889a79253abb4a43875d3137a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
184B

MD5
8f4ad82982ab15aec91bd11c10b14562

SHA1
62005c52ab274ae28b75b73bc6d754ccf76426e0

SHA256
57327ee7d8a2b5fa546d544bee27036572c6c5d88479d6ef84a22de9749cd7bb

SHA512
6786a7bd4f7c6baf9919302f2bbd3057d30f57c19720341a2336f0b293c00471fb17349ed2fb5bb26306ad4c61d35696dca8a6fbaa11c02ef004f2c0769ae7ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
6bd1e17fe8658d9e132115a745229873

SHA1
3e0e1194179a13ea5253846d6e83719c96e25786

SHA256
50b896cd4be4aeb4babb76ee932077e2e0c643af09897e78adb03046a47fc6bc

SHA512
9748c7fc367ebe96853c0653395a68c65bac13413a5d403bef9dbbabaa3e50fcb3c25899a1618b099b3b41e95905b5ef2ec8b900f9f1de02f00cb0d71f8bdf4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
21a46cb5e176258c0035ba58a27f6bc4

SHA1
bb8d891ba446fd0cb22e4f804b7cd884d9e2edc0

SHA256
23afc5370e862101cb19f0eaa808f098f9241441fe2a36d2668847d6d6607dfa

SHA512
22b087e02c9bd34d3f3520544df390327c917f41ae539de4418a8da3b0a1498d91e6e6ed697b7f06a4addb3ca719471a6c557677bce7d176aac2f782cf72b3c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1699bf1c989b49c1975d35e472264a16

SHA1
7046e34cce568a3f0127940ab3010c1a013f49d5

SHA256
94c50c229b2495329a4a5c26fcc714d8b51dce45135f84db2fb8c87bbc394c8a

SHA512
14f546045e9386f42484db81c9a342ec93a71a70d5d55ccedc9149b95b193e2277052b112ee4da17b619bf132243149922fe8eb0bedf0fdc188cb2fe07e0e42b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
8e1a19094d65df3cda7224cb2dddee89

SHA1
6193d292eb056eaaeecf3b645825c510d2c0b325

SHA256
abccae5407ef575c0891262ac22dfd0facedcc28a53d689d9c83571f4fec117f

SHA512
42a59fa7cb96054271dd7a4bd4cf6846948e39351cc1cd3803a37249c598c3b863ee1b56fdf6d6d26ae24de25bbea7d7ed0d3df1751ccd7b24c72fa9600b7d03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9b062a23a01650d44a3775de07ddcbf3

SHA1
2739bc46c1813dc7b0a65e85003931550755c635

SHA256
97658ff2d0ce2e2b8226dbb251bf338327d3f8eb19ff2347e28706888ad87846

SHA512
99afe3e252dc8626117a9455c5396aa6debbecc2ae7f41512d518106f9f49b9b221af8831c74c2372eb57728b77d0c4b396ccd4fd0c0d4b115fda6faf6c13113

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bf7530fedc38d570fc73bcaaa7bf00b8

SHA1
1682893a5740f4bf2d5e5c3305877741746416bb

SHA256
68d903bbe71e222390a4e50970ebf7506d1dcae36c5a1dc55b375df144eb76d2

SHA512
d6079ac9b546b1698dbc9f4f273e5fd403d41185eeceaee8826956ad56ecda290735ea16aa4683df2c861bf1b8aac4d88874e2bd6b1a29a66112717b2478d12d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58393b.TMP

Filesize
1KB

MD5
6bae51df40154cb5254595311c61fd67

SHA1
bd5f38aac3da2de0c11c6263606dd284d333b963

SHA256
fca4e9bd07687597983adaa3b5119ae51964f3536e20eca237373cf9ba201171

SHA512
9a3c794fce7bf58b05eb0269bd64feb4465f69d7a66046f6ee8104e06c52efcc622bf9c74a5f4bac440f15c90b1b915bc5b00e71844fb2c87886ab2f1667a1ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
239d5c3e45d6522d4a6061fa76e9c964

SHA1
f3e9ab4e914c4a95c4694a7f236b3d7802d02aaa

SHA256
66ba11bb46337497f4b7525d6c8f74672bf453c5d75adfd566e35db1b855d33c

SHA512
5fff6c1cd3162cc3d9b04d50b0af1bddcec2853bd79485ec62a779280f745f80e030da746de052f6d9b012e1d2846b598ec06f74de3bc4528b3358c4753adef3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
112KB

MD5
948a8361d37ade1029ee4bb4590577ee

SHA1
f600571001567b797d8ed2c9aa591d0448aacefc

SHA256
bf27bb66fd27b6447e36deda64336c696fcd0da3b040ef9db56650842a157c3c

SHA512
cd2546191f947f48213a845f425b1d4d1625e88dbf4a985683b8ca12982aefcad7fd1c1fa6144e47ed1fbd3fbc5518db582b8d767a26137887858ab6e0e02e8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
72KB

MD5
6cfbe326ec9f68dac593e82fe030fa02

SHA1
1dd979974e95a3a4e0d5f7244c5eb06e4ffe8296

SHA256
e0e3369805c101342eeff331fded6f6a8d8197737ea6d1282595fcf8edd9637b

SHA512
6e23abde9b055a9d3ae2c014997fa96baefbb09d2afaab6c9ff3cc9e4ca896629fadbee5b3278f5fb413e9036d2a1ec38e5084c51ca8961f35497d6ba63f56f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
4KB

MD5
d1a7def272ddd783fe769605381b37a1

SHA1
08123bb0f240418507454eabe7634969086bee62

SHA256
7d895c43b4bec67b96b9eedc77430052e8316d41f7565f7d8826674664bbc664

SHA512
49b165f685c2ca387792e028fb8c5eae7f4f13588ddf6293f875a1ce317f1775848f290050c58fb0e6d6def73d3cd5477ddd9cbc3919ee2e8a9338485dac17a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
8b6bf9d356e66771d0260d797371c939

SHA1
b48dc4e76bde130520bdfc26ba22e69340f613dd

SHA256
865c438294f3b337bbeed4927ac23119b121251f6e3927016efedb1c13c03ec7

SHA512
ab320fad4eb5d76aa8e0a52da4f765a7bcbe9a1ecea52d3df09553055886f76c71db583bab14e745a58d13b8ce259ff6e8c38448b3ff3d3fac8278cb379da743

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
6edcf2997ec261138ad611ed33e91652

SHA1
fe71581f0e2c5639294613a9074663dbd8e6fcb3

SHA256
4af74ab901671fee505bc0a89d080ebf728e5012593b59c615c8f4b69b7e7140

SHA512
bcf51608306672af9a0d7c4b8503948ba238fb992ed605002385bf38d9d231c83f1f2da8f3afcbacb9cd4a23cbed02403dfb6da1a8fd1e3634a26ec1615d5808

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
3c2338b1e1f0bd4f7738d6b4ac640b81

SHA1
40dd4c4422cb41b111176e345ee6e62d64096324

SHA256
4df8a5fb297265a88b99b1e0c69157e7f65ede09a3218efb83a76e88d53b087a

SHA512
b000e5b8a05e112d7c34be9aa78e6667447d0ec5ecb437d641a1b18ab6f80ba45b719c482aaeb77fd1517a85d669fdb9dc059410aeb99a1cd27e060e5d8e04dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2942cd769dc01dfef3fa194388250d77

SHA1
bd5fe083c437bc7c6681cfe17640911dbc310956

SHA256
ec3184ceea5bc57f9ef393fe31cf997e3706f35fb18d9299c40ebeeb21237e36

SHA512
cb04788c1bc2587f8825e3925b9d7484f399a686aa4f34f2fdc1ea9e849922ba5eca919209dcc430826341b1fbfd99528be4167818db02c1e9875a7a9dd936c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f89bb28ed2451fd8d87e2e7bca5fdb8c

SHA1
07039078db541cb61c5943759e5e44bbe2e83d92

SHA256
5a98feba32b65f87a0b872f00c7d70b713f6249a819cb3ee861c49bbfeb59fd6

SHA512
f7438b40e3a78678c18136f54e4ba95a5f6d50183df647d8960cc2fd89664ac98bdd177b42b497f3bb0e32f84e53e5940493eada72681a2a5315b55e86647935

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a5ca1bfb6c73fd600d298409da6ec05f

SHA1
cc2ddbd1af23a5e22f3afcd316a78f77ff73b33b

SHA256
34d13b174b6e8a509f4f1661152bea577864bc9ea2c13e4feeba6cbb4f1b802d

SHA512
d9a1fb4194e663eeac92ea11611d44967c33ce8d7a82f2bec761f81d317de8b891b54486943f2e4f6b8d60dfa8664c1f57140de7b0271c08647c8386dcff9615

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
43f31824d03614e4c8989fa54f09ba80

SHA1
8a13e7d86982782bc4b7c1d9183bef09d948e28c

SHA256
0851a9e421b21dd5a774371a223446d754e0f78bb5c27b60b91043fb802d5f27

SHA512
dad40f20cc06cc345e2b2a50f1b173fd23c3a11050792fcf70bd62f335476ecae445ad5843e9900cfe559a73d235eb9896012c8d53a23339b62579ce88bf627d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0a090ae38514e290cb85ce8a6ac20d24

SHA1
9c0f87a65fad7cd6818b3a9ece55b72b49a03619

SHA256
1c3999a708fa2b381d8bc4c041df6c88803f6d47dc69aa3155b6c3a58ea7e2b7

SHA512
354e01aee852ceaf4374c5168347f6f660f427f6b152de142c94a029430bd922228881e1ec081dcb9f34bdfcc4fd59a1987bfac348c83a540a01ed0334e802e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
32dc53e405ce1b6dc4a787efd2fc7c9c

SHA1
8826af9996ec9f80dfa59023f83a9c06165c2acd

SHA256
6b56f53c70b8e94e6ad4dd85c42e035ddaa7e903686927e318c3fb39eb97d302

SHA512
d53e7071eb136182e67a32aae4d20cc4067d66a25306928ab66ab4f9a3730bb82cef974baa0b125f7eca73dec0a946626eeca69d9a2fe235acc9955211c79f11

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
0542d88ee5d2c992c402764201088764

SHA1
432073751e1c11fd783011b6d3590980c8037349

SHA256
4ded6ae6f4df87cc1f801e699a410e0a549725cd0010b41f35b71176e3177b82

SHA512
243bad3affa7e704b57606dd6efda5b85a81dc9a5dd8e401614afff83a426e6972cf77e1c0c826076d8e4c2fec84392fd4874dfb8e3e157577c974c3cefc395e

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index~RFe5bb032.TMP

Filesize
48B

MD5
5625199fae91309d79648b7c3af9ad30

SHA1
ec7c56806b2833ecf14b7c809f60816fa6b24d17

SHA256
0922469f6178172103421f15cb5810c35be53352b9c17082c9d16cc34266e06f

SHA512
7fd7a343d10525063004518db9af9602cfe443ea259e1e1bd692781d0648cdf427ef4743a77c41a7f00660958d19b9d0be08ce4ca1c79c2d11c8ec2ca2c46f80

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\DawnWebGPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\DawnWebGPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\DawnWebGPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\Network Persistent State

Filesize
300B

MD5
33d65cbb7c69c2b5ce8ae25803b9400a

SHA1
677cd310ea23124ee5c2a7b856b8e32617d3d77b

SHA256
55840dc40e48c4ff0e25dfc41a7a230b0eaeb4a718be161b1fb186f276ae52ca

SHA512
4f6280a7c5e01af571953797f7639d3fb111c77bca1582bc1db3b25917a7e55a20885f61fbb374e3b28ed379289ce03de294859307260a5ccf2245485ad9b74a

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\Network Persistent State~RFe5bd31b.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoCA3E.tmp\StdUtils.dll

Filesize
110KB

MD5
db11ab4828b429a987e7682e495c1810

SHA1
29c2c2069c4975c90789dc6d3677b4b650196561

SHA256
c602c44a4d4088dbf5a659f36ba1c3a9d81f8367577de0cb940c0b8afee5c376

SHA512
460d1ccfc0d7180eae4e6f1a326d175fec78a7d6014447a9a79b6df501fa05cd4bd90f8f7a85b7b6a4610e2fa7059e30ae6e17bc828d370e5750de9b40b9ae88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoCA3E.tmp\System.dll

Filesize
22KB

MD5
a36fbe922ffac9cd85a845d7a813f391

SHA1
f656a613a723cc1b449034d73551b4fcdf0dcf1a

SHA256
fa367ae36bfbe7c989c24c7abbb13482fc20bc35e7812dc377aa1c281ee14cc0

SHA512
1d1b95a285536ddc2a89a9b3be4bb5151b1d4c018ea8e521de838498f62e8f29bb7b3b0250df73e327e8e65e2c80b4a2d9a781276bf2a51d10e7099bacb2e50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoCA3E.tmp\modern-wizard.bmp

Filesize
150KB

MD5
3614a4be6b610f1daf6c801574f161fe

SHA1
6edee98c0084a94caa1fe0124b4c19f42b4e7de6

SHA256
16e0edc9f47e6e95a9bcad15adbdc46be774fbcd045dd526fc16fc38fdc8d49b

SHA512
06e0eff28dfd9a428b31147b242f989ce3e92474a3f391ba62ac8d0d05f1a48f4cf82fd27171658acbd667eaffb94cb4e1baf17040dc3b6e8b27f39b843ca281

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoCA3E.tmp\nsDialogs.dll

Filesize
20KB

MD5
4e5bc4458afa770636f2806ee0a1e999

SHA1
76dcc64af867526f776ab9225e7f4fe076487765

SHA256
91a484dc79be64dd11bf5acb62c893e57505fcd8809483aa92b04f10d81f9de0

SHA512
b6f529073a943bddbcb30a57d62216c78fcc9a09424b51ac0824ebfb9cac6cae4211bda26522d6923bd228f244ed8c41656c38284c71867f65d425727dd70162

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoCA3E.tmp\nsExec.dll

Filesize
17KB

MD5
2095af18c696968208315d4328a2b7fe

SHA1
b1b0e70c03724b2941e92c5098cc1fc0f2b51568

SHA256
3e2399ae5ce16dd69f7e2c71d928cf54a1024afced8155f1fd663a3e123d9226

SHA512
60105dfb1cd60b4048bd7b367969f36ed6bd29f92488ba8cfa862e31942fd529cbc58e8b0c738d91d8bef07c5902ce334e36c66eae1bfe104b44a159b5615ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoCA3E.tmp\nsProcess.dll

Filesize
15KB

MD5
08072dc900ca0626e8c079b2c5bcfcf3

SHA1
35f2bfa0b1b2a65b9475fb91af31f7b02aee4e37

SHA256
bb6ce83ddaad4f530a66a1048fac868dfc3b86f5e7b8e240d84d1633e385aee8

SHA512
8981da7f225eb78c414e9fb3c63af0c4daae4a78b4f3033df11cce43c3a22fdbf3853425fe3024f68c73d57ffb128cba4d0db63eda1402212d1c7e0ac022353c

Download Submit
C:\Users\Admin\Downloads\MS 0735.6+7421.zip

Filesize
112KB

MD5
1b3cf59e94f7d599ed2d54c1f82acb5a

SHA1
10d84b9096c92331106212af9a88cc7f8119c458

SHA256
57c3e5002750b9da9dbf7526a1288bbd84f339fadc16f828ef20d1889c51e483

SHA512
113328d190125c1dd0f7b5dc323a68c41f5a98c1afbec51e414c5f2776097bb1daf44af9aa58acb221c82c11e68b580f414ead1cf8184caf28da259793555a45

Download Submit
C:\Users\Admin\Downloads\MS 0735.6+7421.zip:Zone.Identifier

Filesize
283B

MD5
49bce2ce9277e666cc2a3d67a5d9e565

SHA1
14fad237123c843fbe28dd0eb5bfb3843fabccfd

SHA256
9d6a351712b2a145dbaf6aa54158387cf1e4dd8916ae1184d06b93076707befa

SHA512
f9e0a3fb24cf89d230f157d2d91392ba3b3a6aacbd99a77cdd93c0361d402738d5f7868bff0a2abeb84a69d31b1269ead0cce80b2f7dc0e77a21986326352d76

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 444978.crdownload

Filesize
2.3MB

MD5
1b54b70beef8eb240db31718e8f7eb5d

SHA1
da5995070737ec655824c92622333c489eb6bce4

SHA256
7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb

SHA512
fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb

Download Submit
memory/3288-13332-0x0000000000D70000-0x0000000001222000-memory.dmp

Filesize
4.7MB

Download
memory/13596-13466-0x000000006E390000-0x000000006F6D1000-memory.dmp

Filesize
19.3MB

Download
memory/13596-13475-0x000000006E390000-0x000000006F6D1000-memory.dmp

Filesize
19.3MB

Download
memory/13596-13486-0x000000006E390000-0x000000006F6D1000-memory.dmp

Filesize
19.3MB

Download
memory/14320-13363-0x00007FFB009C0000-0x00007FFB009C1000-memory.dmp

Filesize
4KB

Download
memory/14320-13364-0x00007FFB00AF0000-0x00007FFB00AF1000-memory.dmp

Filesize
4KB

Download