534c4826cc04c395bf55f9f60ba973f49c54ad8a5acd180ad8837a5461ce35c3

Analysis

max time kernel
960s
max time network
960s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
09-01-2025 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WareStore.2.0.1.exe
Size

17.6MB
MD5

727f1707ca5287b88b5b70d6bbd1eb6b
SHA1

27875c9bceebbdb16d0ad04cdec0fa216cf13f5a
SHA256

534c4826cc04c395bf55f9f60ba973f49c54ad8a5acd180ad8837a5461ce35c3
SHA512

c545c686730a0976007783e49ff7c539f152da470f27ec620b2f34381ff153d3ba95a00ac6e9662c657f12eeacd551a7e6113e2993e576091f8d3845356f31e5
SSDEEP

393216:U9W8sQwq3Obs2Cls0pXMCHWUj5rRQ7XbFsn6fLwzr5+uoYChFKuBvl3JXcS:U9W81wq3ObRqs0pXMb85rRQ766zur5+r

Score

8^/10

steam defense_evasion discovery persistence phishing privilege_escalation pyinstaller

Malware Config

Signatures

Downloads MZ/PE file
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 20 IoCs

pid	Process
4420	SteamSetup.exe
3660	steamservice.exe
6064	steam.exe
5508	7z2409-x64.exe
6676	steam.exe
5932	steamwebhelper.exe
572	steamwebhelper.exe
6872	steamwebhelper.exe
1068	steamwebhelper.exe
4372	gldriverquery64.exe
6316	steamwebhelper.exe
1108	steamwebhelper.exe
5904	gldriverquery.exe
5532	vulkandriverquery64.exe
6640	vulkandriverquery.exe
4428	WareStore.2.0.1.exe
6184	WareStore.2.0.1.exe
6992	steamwebhelper.exe
6904	steamwebhelper.exe
3916	steamerrorreporter.exe

Loads dropped DLL 64 IoCs

pid	Process
1664	WareStore.2.0.1.exe
1664	WareStore.2.0.1.exe
1664	WareStore.2.0.1.exe
1664	WareStore.2.0.1.exe
1664	WareStore.2.0.1.exe
1664	WareStore.2.0.1.exe
1664	WareStore.2.0.1.exe
1664	WareStore.2.0.1.exe
1664	WareStore.2.0.1.exe
1664	WareStore.2.0.1.exe
1664	WareStore.2.0.1.exe
1664	WareStore.2.0.1.exe
1664	WareStore.2.0.1.exe
1664	WareStore.2.0.1.exe
1664	WareStore.2.0.1.exe
1664	WareStore.2.0.1.exe
1664	WareStore.2.0.1.exe
1664	WareStore.2.0.1.exe
1664	WareStore.2.0.1.exe
1664	WareStore.2.0.1.exe
1664	WareStore.2.0.1.exe
1664	WareStore.2.0.1.exe
1664	WareStore.2.0.1.exe
1664	WareStore.2.0.1.exe
1664	WareStore.2.0.1.exe
1664	WareStore.2.0.1.exe
1664	WareStore.2.0.1.exe
1664	WareStore.2.0.1.exe
1664	WareStore.2.0.1.exe
1664	WareStore.2.0.1.exe
4420	SteamSetup.exe
4420	SteamSetup.exe
4420	SteamSetup.exe
4420	SteamSetup.exe
4420	SteamSetup.exe
4420	SteamSetup.exe
4420	SteamSetup.exe
4420	SteamSetup.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
5932	steamwebhelper.exe
5932	steamwebhelper.exe
5932	steamwebhelper.exe
5932	steamwebhelper.exe
572	steamwebhelper.exe
572	steamwebhelper.exe
572	steamwebhelper.exe
6872	steamwebhelper.exe
6872	steamwebhelper.exe
6872	steamwebhelper.exe
6676	steam.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"	SteamSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
2	raw.githubusercontent.com
192	raw.githubusercontent.com
193	raw.githubusercontent.com
194	raw.githubusercontent.com

Detected potential entity reuse from brand STEAM.
phishing steam

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sd_l4.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_gyro_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\joyconpair_left_sl_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps_dpad_left_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_button_x.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\xbox360_button_select.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sd_l4_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps4_l2.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\offline_ukrainian.html_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\SteamOverlayVulkanLayer64.dll_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\ErrorSteamAlreadyRunningDialog.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\btnStdBottomRight.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_fullscreen_down.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\switchpro_rstick_click_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_010_wpn_0405.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_045_move_0230.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\tabStdTop.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_color_outlined_button_y_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_rstick_up_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\hp_l4_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps_color_button_circle_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_mouse_scroll_down.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\steamui_websrc_all.zip.vz.184ee6a9f80503783fc44586c1737aa62fb491e3_24870486	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_color_outlined_button_y_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\switchpro_sl_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\switchpro_lstick_right_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps5_l2_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_vr_happy.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\joyconpair_right_sr_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps4_trackpad_l_touch_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps5_trackpad_r_ring_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_button_menu_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_button_square_lg.png_	steam.exe
File opened for modification	C:\Program Files (x86)\Steam\package\tmp\resource\sourceinit.dat_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_070_setting_0090.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\cef\cef.win7x64\locales\hr.pak_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_lstick_click_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\xbox_p1_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sc_button_l_arrow.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sd_button_steam_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_color_button_y_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_060_vehicle_0070.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\icon_steam.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sc_rt_md-1.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sc_touchpad_edge_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_outlined_button_b_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\minithrobber04.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_status_web.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\localization\steam_controller_romanian.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps_color_outlined_button_circle_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\switchpro_button_capture_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\switchpro_r2_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\steamdesktop.vdf_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\deck_colorsettings_default_bg.jpg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\clientui\vr\rendermodels\steamvr_quad_2\steam_quad.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\downloads_bg.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_security_poor.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\steambootstrapper_spanish.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\xbox360_button_select_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_trackpad_left.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_button_create_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_090_media_0140.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sd_l4_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\switchpro_button_home_sm.png_	steam.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5932_1754431781\_platform_specific\win_x64\widevinecdm.dll.sig	steamwebhelper.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5932_1754431781\_metadata\verified_contents.json	steamwebhelper.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5932_1754431781\manifest.fingerprint	steamwebhelper.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5932_1754431781\_platform_specific\win_x64\widevinecdm.dll	steamwebhelper.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5932_1754431781\LICENSE	steamwebhelper.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5932_1754431781\manifest.json	steamwebhelper.exe
File opened for modification	C:\Windows\SystemTemp	steamwebhelper.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 3 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\7z2409-x64.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\WareStore.2.0.1.exe:Zone.Identifier	firefox.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x000900000002c7e0-16087.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SteamSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gldriverquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2409-x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vulkandriverquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

Checks processor information in registry 2 TTPs 27 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steamwebhelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steamwebhelper.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\GPU	wwahost.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-19	wwahost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2409-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\live.com\NumberOfSubdomai = "0"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\fpt.live.com\ = "0"	wwahost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steam\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steamlink\DefaultIcon	steamservice.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "0"	wwahost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\DefaultIcon	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steam\URL Protocol	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2409-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CacheVersion = "1"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cloudexperiencehost	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\live.com	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.com\NumberOfSubdom = "1"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\fpt2.microsoft.com\ = "0"	wwahost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\fpt.live.com	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.com\Total = "0"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.com\NumberOfSubdom = "2"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\ = "0"	wwahost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\URL Protocol	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steam	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2409-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.com\NumberOfSub = "0"	wwahost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2409-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cloudexperienceho	wwahost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\live.com\ = "0"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\fpt.live.com	wwahost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2409-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\fpt.live.com\ = "0"	wwahost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steamlink\URL Protocol	steamservice.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CacheLimit = "1"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\account.live.com	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steamlink	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\fpt2.microsoft.com	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "40"	wwahost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2409-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\NumberOfSubdomains = "1"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.com	wwahost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total\ = "0"	wwahost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2409-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Cookies	wwahost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\steamlink\Shell\Open	steamservice.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Content\CacheLimit = "51200"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.com\ = "0"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\History	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cloudexperienceho = "0"	wwahost.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	steam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	steam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	steam.exe

NTFS ADS 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\WareStore.2.0.1.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\grRGzMpV.rar:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\7z2409-x64.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4420	SteamSetup.exe
4420	SteamSetup.exe
4420	SteamSetup.exe
4420	SteamSetup.exe
4420	SteamSetup.exe
4420	SteamSetup.exe
4420	SteamSetup.exe
4420	SteamSetup.exe
4420	SteamSetup.exe
4420	SteamSetup.exe
4420	SteamSetup.exe
4420	SteamSetup.exe
4420	SteamSetup.exe
4420	SteamSetup.exe
4420	SteamSetup.exe
4420	SteamSetup.exe
4420	SteamSetup.exe
4420	SteamSetup.exe
4420	SteamSetup.exe
4420	SteamSetup.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe
6676	steam.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
6676	steam.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1664	WareStore.2.0.1.exe
Token: SeDebugPrivilege	2752	firefox.exe
Token: SeDebugPrivilege	2752	firefox.exe
Token: SeDebugPrivilege	5924	firefox.exe
Token: SeDebugPrivilege	5924	firefox.exe
Token: SeDebugPrivilege	5924	firefox.exe
Token: SeDebugPrivilege	5924	firefox.exe
Token: SeDebugPrivilege	5924	firefox.exe
Token: SeDebugPrivilege	5924	firefox.exe
Token: SeDebugPrivilege	4420	SteamSetup.exe
Token: SeDebugPrivilege	4420	SteamSetup.exe
Token: SeDebugPrivilege	4420	SteamSetup.exe
Token: SeDebugPrivilege	4420	SteamSetup.exe
Token: SeDebugPrivilege	4420	SteamSetup.exe
Token: SeSecurityPrivilege	3660	steamservice.exe
Token: SeSecurityPrivilege	3660	steamservice.exe
Token: SeDebugPrivilege	5508	7z2409-x64.exe
Token: SeDebugPrivilege	5508	7z2409-x64.exe
Token: SeDebugPrivilege	5508	7z2409-x64.exe
Token: SeDebugPrivilege	5508	7z2409-x64.exe
Token: SeDebugPrivilege	5508	7z2409-x64.exe
Token: SeDebugPrivilege	5924	firefox.exe
Token: SeShutdownPrivilege	5932	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	5932	steamwebhelper.exe
Token: SeShutdownPrivilege	5932	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	5932	steamwebhelper.exe
Token: SeShutdownPrivilege	5932	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	5932	steamwebhelper.exe
Token: SeShutdownPrivilege	5932	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	5932	steamwebhelper.exe
Token: SeShutdownPrivilege	5932	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	5932	steamwebhelper.exe
Token: SeShutdownPrivilege	5932	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	5932	steamwebhelper.exe
Token: SeShutdownPrivilege	5932	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	5932	steamwebhelper.exe
Token: SeShutdownPrivilege	5932	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	5932	steamwebhelper.exe
Token: SeShutdownPrivilege	5932	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	5932	steamwebhelper.exe
Token: SeShutdownPrivilege	5932	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	5932	steamwebhelper.exe
Token: SeShutdownPrivilege	5932	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	5932	steamwebhelper.exe
Token: SeShutdownPrivilege	5932	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	5932	steamwebhelper.exe
Token: SeShutdownPrivilege	5932	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	5932	steamwebhelper.exe
Token: SeShutdownPrivilege	5932	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	5932	steamwebhelper.exe
Token: SeShutdownPrivilege	5932	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	5932	steamwebhelper.exe
Token: SeShutdownPrivilege	5932	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	5932	steamwebhelper.exe
Token: SeShutdownPrivilege	5932	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	5932	steamwebhelper.exe
Token: SeShutdownPrivilege	5932	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	5932	steamwebhelper.exe
Token: SeShutdownPrivilege	5932	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	5932	steamwebhelper.exe
Token: SeShutdownPrivilege	5932	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	5932	steamwebhelper.exe
Token: SeShutdownPrivilege	5932	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	5932	steamwebhelper.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2752	firefox.exe
2752	firefox.exe
2752	firefox.exe
2752	firefox.exe
2752	firefox.exe
2752	firefox.exe
2752	firefox.exe
2752	firefox.exe
2752	firefox.exe
2752	firefox.exe
2752	firefox.exe
2752	firefox.exe
2752	firefox.exe
2752	firefox.exe
2752	firefox.exe
2752	firefox.exe
2752	firefox.exe
2752	firefox.exe
2752	firefox.exe
2752	firefox.exe
2752	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5932	steamwebhelper.exe
5932	steamwebhelper.exe
5932	steamwebhelper.exe
5932	steamwebhelper.exe
5932	steamwebhelper.exe
5932	steamwebhelper.exe
5932	steamwebhelper.exe
5932	steamwebhelper.exe
5932	steamwebhelper.exe
5932	steamwebhelper.exe
5932	steamwebhelper.exe
5932	steamwebhelper.exe
5932	steamwebhelper.exe
5932	steamwebhelper.exe
5932	steamwebhelper.exe
5932	steamwebhelper.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5932	steamwebhelper.exe
5932	steamwebhelper.exe
5932	steamwebhelper.exe

Suspicious use of SetWindowsHookEx 42 IoCs

pid	Process
2752	firefox.exe
4672	MiniSearchHost.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
4420	SteamSetup.exe
3660	steamservice.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5508	7z2409-x64.exe
6676	steam.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
4428	WareStore.2.0.1.exe
6184	WareStore.2.0.1.exe
5644	osk.exe
5644	osk.exe
5644	osk.exe
5644	osk.exe
5644	osk.exe
5644	osk.exe
1888	wwahost.exe
5644	osk.exe
1888	wwahost.exe
1888	wwahost.exe
5644	osk.exe
1888	wwahost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 1664	3496	WareStore.2.0.1.exe	79
PID 3496 wrote to memory of 1664	3496	WareStore.2.0.1.exe	79
PID 5284 wrote to memory of 2752	5284	firefox.exe	92
PID 5284 wrote to memory of 2752	5284	firefox.exe	92
PID 5284 wrote to memory of 2752	5284	firefox.exe	92
PID 5284 wrote to memory of 2752	5284	firefox.exe	92
PID 5284 wrote to memory of 2752	5284	firefox.exe	92
PID 5284 wrote to memory of 2752	5284	firefox.exe	92
PID 5284 wrote to memory of 2752	5284	firefox.exe	92
PID 5284 wrote to memory of 2752	5284	firefox.exe	92
PID 5284 wrote to memory of 2752	5284	firefox.exe	92
PID 5284 wrote to memory of 2752	5284	firefox.exe	92
PID 5284 wrote to memory of 2752	5284	firefox.exe	92
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1472	2752	firefox.exe	93
PID 2752 wrote to memory of 1748	2752	firefox.exe	94
PID 2752 wrote to memory of 1748	2752	firefox.exe	94
PID 2752 wrote to memory of 1748	2752	firefox.exe	94
PID 2752 wrote to memory of 1748	2752	firefox.exe	94
PID 2752 wrote to memory of 1748	2752	firefox.exe	94
PID 2752 wrote to memory of 1748	2752	firefox.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\WareStore.2.0.1.exe
"C:\Users\Admin\AppData\Local\Temp\WareStore.2.0.1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Users\Admin\AppData\Local\Temp\WareStore.2.0.1.exe
  "C:\Users\Admin\AppData\Local\Temp\WareStore.2.0.1.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1664

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2912

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1032

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5284
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1928 -parentBuildID 20240401114208 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {58f9d465-6ced-40d4-b8dd-8994b1e9575a} 2752 "\\.\pipe\gecko-crash-server-pipe.2752" gpu
    3⤵
    PID:1472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2328 -parentBuildID 20240401114208 -prefsHandle 2304 -prefMapHandle 2292 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29cc82e7-f153-4897-abdb-108b075a9829} 2752 "\\.\pipe\gecko-crash-server-pipe.2752" socket
    3⤵
    - Checks processor information in registry
    PID:1748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3396 -childID 1 -isForBrowser -prefsHandle 3248 -prefMapHandle 3056 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b98acfe8-a301-4718-9d9c-d73d1680c1f7} 2752 "\\.\pipe\gecko-crash-server-pipe.2752" tab
    3⤵
    PID:3880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3108 -childID 2 -isForBrowser -prefsHandle 3132 -prefMapHandle 2608 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31d7afb5-ac4a-4dff-9cf7-3a6a3120188d} 2752 "\\.\pipe\gecko-crash-server-pipe.2752" tab
    3⤵
    PID:5328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4880 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4892 -prefMapHandle 4888 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7165115-4070-4394-b03c-82f251fcf42f} 2752 "\\.\pipe\gecko-crash-server-pipe.2752" utility
    3⤵
    - Checks processor information in registry
    PID:5536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5384 -childID 3 -isForBrowser -prefsHandle 5372 -prefMapHandle 5368 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b85e39b-281a-47f5-81da-ae5225dd30b1} 2752 "\\.\pipe\gecko-crash-server-pipe.2752" tab
    3⤵
    PID:820
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5624 -childID 4 -isForBrowser -prefsHandle 5544 -prefMapHandle 5548 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6e10cb4-0f16-4728-ad27-60328dce4ca5} 2752 "\\.\pipe\gecko-crash-server-pipe.2752" tab
    3⤵
    PID:4488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5824 -childID 5 -isForBrowser -prefsHandle 5744 -prefMapHandle 5752 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8d3e996-8ad9-4e2b-98f6-7baa9141d655} 2752 "\\.\pipe\gecko-crash-server-pipe.2752" tab
    3⤵
    PID:5500

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4672

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2536
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1960 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 27779 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e34e67f-c5db-4899-801e-319b29db4ed9} 5924 "\\.\pipe\gecko-crash-server-pipe.5924" gpu
    3⤵
    PID:5604
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 27815 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd0187af-a9fa-40cf-9f90-daed309dfb9b} 5924 "\\.\pipe\gecko-crash-server-pipe.5924" socket
    3⤵
    PID:2148
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3212 -childID 1 -isForBrowser -prefsHandle 3188 -prefMapHandle 2840 -prefsLen 27956 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ee58814-b65e-42cf-959d-048aca771870} 5924 "\\.\pipe\gecko-crash-server-pipe.5924" tab
    3⤵
    PID:816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1660 -childID 2 -isForBrowser -prefsHandle 1656 -prefMapHandle 2952 -prefsLen 33189 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d5606c4-6ae1-4c2e-aa9b-8b06824bb859} 5924 "\\.\pipe\gecko-crash-server-pipe.5924" tab
    3⤵
    PID:3312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4676 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4648 -prefMapHandle 4592 -prefsLen 33243 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8e0f8ac-1e3f-4ebc-b3af-a4a724de696a} 5924 "\\.\pipe\gecko-crash-server-pipe.5924" utility
    3⤵
    - Checks processor information in registry
    PID:5024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5220 -childID 3 -isForBrowser -prefsHandle 5240 -prefMapHandle 5248 -prefsLen 27044 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e9c0509-0048-4658-9326-ce4b37b8df24} 5924 "\\.\pipe\gecko-crash-server-pipe.5924" tab
    3⤵
    PID:4100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5408 -childID 4 -isForBrowser -prefsHandle 5328 -prefMapHandle 5332 -prefsLen 27044 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6dca6bb8-8358-4118-ab3e-37913099b0fc} 5924 "\\.\pipe\gecko-crash-server-pipe.5924" tab
    3⤵
    PID:2208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 5 -isForBrowser -prefsHandle 5604 -prefMapHandle 5600 -prefsLen 27044 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b6a7873-9d30-4d34-9741-aff206b1b3ed} 5924 "\\.\pipe\gecko-crash-server-pipe.5924" tab
    3⤵
    PID:1744
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6328 -childID 6 -isForBrowser -prefsHandle 6348 -prefMapHandle 6344 -prefsLen 28194 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9822130-8126-4c51-ab6d-0a6f5e2c9093} 5924 "\\.\pipe\gecko-crash-server-pipe.5924" tab
    3⤵
    PID:1676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5164 -parentBuildID 20240401114208 -prefsHandle 5188 -prefMapHandle 6708 -prefsLen 34915 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {afcd27c1-597e-4309-a9a6-dba44314f4d0} 5924 "\\.\pipe\gecko-crash-server-pipe.5924" rdd
    3⤵
    PID:4424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5212 -childID 7 -isForBrowser -prefsHandle 6768 -prefMapHandle 6764 -prefsLen 28194 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef3fefd1-3562-4410-900f-861e722b46db} 5924 "\\.\pipe\gecko-crash-server-pipe.5924" tab
    3⤵
    PID:3620
- - C:\Users\Admin\Downloads\SteamSetup.exe
    "C:\Users\Admin\Downloads\SteamSetup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4420
  - - C:\Program Files (x86)\Steam\bin\steamservice.exe
      "C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3624 -childID 8 -isForBrowser -prefsHandle 4840 -prefMapHandle 4640 -prefsLen 28250 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b0e1aa3-a509-4cc5-bec5-7cca2a2400d8} 5924 "\\.\pipe\gecko-crash-server-pipe.5924" tab
    3⤵
    PID:4084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7300 -childID 9 -isForBrowser -prefsHandle 7440 -prefMapHandle 7192 -prefsLen 28250 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {779e8dd3-9996-4bf9-92d8-6ff825deebd2} 5924 "\\.\pipe\gecko-crash-server-pipe.5924" tab
    3⤵
    PID:4104
- - C:\Users\Admin\Downloads\7z2409-x64.exe
    "C:\Users\Admin\Downloads\7z2409-x64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5508
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6892 -childID 10 -isForBrowser -prefsHandle 5792 -prefMapHandle 6312 -prefsLen 28250 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {03f6f1ec-c287-467d-a7a1-1c032c429ce4} 5924 "\\.\pipe\gecko-crash-server-pipe.5924" tab
    3⤵
    PID:6764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4828 -childID 11 -isForBrowser -prefsHandle 7724 -prefMapHandle 4840 -prefsLen 28250 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ab30381-ee14-472f-b9ec-73c4d3231ae5} 5924 "\\.\pipe\gecko-crash-server-pipe.5924" tab
    3⤵
    PID:6780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8104 -childID 12 -isForBrowser -prefsHandle 8092 -prefMapHandle 6912 -prefsLen 28250 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee4c3f02-ba81-48a0-bcc0-01b46736daf9} 5924 "\\.\pipe\gecko-crash-server-pipe.5924" tab
    3⤵
    PID:1228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8300 -childID 13 -isForBrowser -prefsHandle 8432 -prefMapHandle 8436 -prefsLen 28250 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7c377ec-212f-43ab-98a9-a3fe465a754d} 5924 "\\.\pipe\gecko-crash-server-pipe.5924" tab
    3⤵
    PID:3672
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7200 -childID 14 -isForBrowser -prefsHandle 8664 -prefMapHandle 8660 -prefsLen 28250 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6afe9793-fd13-4a31-9a2d-9aab283c4274} 5924 "\\.\pipe\gecko-crash-server-pipe.5924" tab
    3⤵
    PID:3356
- - C:\Users\Admin\Downloads\WareStore.2.0.1.exe
    "C:\Users\Admin\Downloads\WareStore.2.0.1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4428
  - - C:\Users\Admin\Downloads\WareStore.2.0.1.exe
      "C:\Users\Admin\Downloads\WareStore.2.0.1.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:6184

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
PID:6064
- C:\Program Files (x86)\Steam\steam.exe
  "C:\Program Files (x86)\Steam\steam.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:6676
- - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
    "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=6676" "-buildid=1733265492" "-steamid=0" "-logdir=C:\Program Files (x86)\Steam\logs" "-uimode=7" "-startcount=0" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Program Files (x86)\Steam\clientui" "-steampath=C:\Program Files (x86)\Steam\steam.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write "--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt" --disable-quick-menu "--enable-features=PlatformHEVCDecoderSupport" "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal,ValveFFmpegAllowLowDelayHEVC"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5932
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=crashpad-handler /prefetch:4 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files (x86)\Steam\dumps" "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1733265492 --initial-client-data=0x298,0x29c,0x2a0,0x294,0x2a4,0x7ffc8dc8af00,0x7ffc8dc8af0c,0x7ffc8dc8af18
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:572
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1576,i,18378459530054154013,10136736003102409697,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=1580 --mojo-platform-channel-handle=1568 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:6872
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --field-trial-handle=2184,i,18378459530054154013,10136736003102409697,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=2188 --mojo-platform-channel-handle=2180 /prefetch:11
      4⤵
      Executes dropped EXE
      PID:1068
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --field-trial-handle=2728,i,18378459530054154013,10136736003102409697,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=2732 --mojo-platform-channel-handle=2716 /prefetch:13
      4⤵
      Executes dropped EXE
      PID:6316
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,18378459530054154013,10136736003102409697,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=3160 --mojo-platform-channel-handle=3152 /prefetch:1
      4⤵
      Executes dropped EXE
      PID:1108
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --field-trial-handle=3676,i,18378459530054154013,10136736003102409697,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=3680 --mojo-platform-channel-handle=3624 /prefetch:14
      4⤵
      Executes dropped EXE
      PID:6992
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3800,i,18378459530054154013,10136736003102409697,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=3804 --mojo-platform-channel-handle=3796 /prefetch:10
      4⤵
      Executes dropped EXE
      PID:6904
- - C:\Program Files (x86)\Steam\bin\gldriverquery64.exe
    .\bin\gldriverquery64.exe
    3⤵
    - Executes dropped EXE
    PID:4372
- - C:\Program Files (x86)\Steam\bin\gldriverquery.exe
    .\bin\gldriverquery.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5904
- - C:\Program Files (x86)\Steam\bin\vulkandriverquery64.exe
    .\bin\vulkandriverquery64.exe
    3⤵
    - Executes dropped EXE
    PID:5532
- - C:\Program Files (x86)\Steam\bin\vulkandriverquery.exe
    .\bin\vulkandriverquery.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6640
- - C:\Program Files (x86)\Steam\steamerrorreporter.exe
    C:\Program Files (x86)\Steam\steam
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3916

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004CC
1⤵
PID:7016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:7164

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:6084

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:5452

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:6328

C:\Windows\system32\osk.exe
"C:\Windows\system32\osk.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5644

C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:App.wwa
1⤵
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Steam\Steam.exe

Filesize
4.2MB

MD5
33bcb1c8975a4063a134a72803e0ca16

SHA1
ed7a4e6e66511bb8b3e32cbfb5557ebcb4082b65

SHA256
12222b0908eb69581985f7e04aa6240e928fb08aa5a3ec36acae3440633c9eb1

SHA512
13f3a7d6215bb4837ea0a1a9c5ba06a985e0c80979c25cfb526a390d71a15d1737c0290a899f4705c2749982c9f6c9007c1751fef1a97b12db529b2f33c97b49

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
21KB

MD5
de089721eb1c8b715dc882e2d17bff00

SHA1
927528676cbc21ca596bd7a1b5d6c8b434675dd0

SHA256
fef9fa8197d2c9de8d22323e09dfc212991f0a54f2329367d103ef882facaa40

SHA512
1dc4fb4c008b78a1cb4d1cb8d5752ad8096120cc4d6ba44654dbb9cb4aa5638dd08e611229ffb17a7f0cadad62eae664c2acd2cda3bd1c563576ac5160409886

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
1KB

MD5
a2ec2e91c3ef8c42e22c4887d032b333

SHA1
e2c738a2e9400535b74e2263c7e7d1ecefe575f2

SHA256
8f9f970835f133258a7f740126012439385bbaa5a1d6a9d0d967a390977441c3

SHA512
b069d241efb19e09ec8b5e60ef6c43e00d5cc0f774b9340127c2180356dd1964ac625c1afdfaee5f99e72b26f56046fc329aadbbc365b403af765a55e9c9aab3

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
16KB

MD5
c90c0f4f278829eca04ca0953b94e2ba

SHA1
7c19f3828fcbcb92b2c762b39fe68d77f89488aa

SHA256
9bac49508ff32a1f1e0c1d96453a37325919ddc3cb34a013d6d8f74cb6fed6fb

SHA512
65d561e15a8e1b838ddae159e5fff4a9a4fcb1a7bd9f1111ea11f925486d625fb5b284f36a533933571c928abd2adeb234caecd70b9be585870a1377fe902f9d

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
21KB

MD5
5281047e2c86fece7e54eafcf715c0f6

SHA1
5391d709aa69507fd126d0f7a728d7a9c45cdacb

SHA256
355ac9a5fbbbd4341bc4a4aef6c60fbb80efa48da80ffdcab75f971caf5c9fce

SHA512
02956fd245cacb6ffe7bcdcf7af69f9e6bc6f1dea515b2bef710eaaefe170952373b404c0a33b48337d5efb52e208770227aab2305a7b2fb4946895746119afa

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
19KB

MD5
1820e17f076c7d403043da1a0f47f646

SHA1
e6e61fabe421d56aace82e71d43c2201af0db954

SHA256
62e9d3c1567d55af22d75f145d02ba3725c3318496516f1da46a211988fb43f1

SHA512
b4662489adb9e3f7b60c602ef0d9c4cbe80a947af60a756b8f448be57835699a8624569ed682970dc7d5857d69d1d84eeb05614055b5350db20c80a0cd1c136c

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
18KB

MD5
53ca21a0195653b976bf0f62163a5d24

SHA1
4775b548607694a75e7a35186933ae46db407017

SHA256
495af3fa55174bb312fd1669673bd5955e0bdd57d081a714124c7378620fcc02

SHA512
6402877d567fd8a104b3a4e3be1d19b997a8c292b310eb50c760964eb89d8ab572945a75d21994f9f8564947d493c4ce33fe62d3b8d0aa5171b59745418b0092

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
23KB

MD5
f96b9f7ebdc45567e41ac644a6209dd0

SHA1
2199cd3569ded129414aad8ec3f2aa7d89037fbe

SHA256
6016f2bf5dd8fdae8a890cf27804613e194034a0138fc41de0cb805baca36d74

SHA512
26fbc64be9042ada047e6abcd4b53d04117b29635736defd508b4147fae4aa0eb161fb770e16e651ae3589a4d40ed0e423bb40e8fc1fc9b0282f66b0917eff6a

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
19KB

MD5
fc731f0422432a42f6b93dc79f63305e

SHA1
426e156cf97033a1d3a3961c72a509b2f003b300

SHA256
571777992f34288f35e508bace45b4b1727570e2a189a9e3edd770dcf8f5f315

SHA512
bd0e59704aeb009122b6888b1db043b98160e62f6420aa15c0b90afe36df69311270e113071d7e162413a4a8fb2cc284168d51b8e2ef07a3fc6e508d1ea71730

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf~RFe5e74e0.TMP

Filesize
1KB

MD5
6e6a2b18264504cc084caa3ad0bfc6ae

SHA1
b177d719bd3c1bc547d5c97937a584b8b7d57196

SHA256
f3847b5e4a40d9cf76df35398bb555117dfe3626c00a91f2babdedb619d6ad53

SHA512
74199ff275400b451642cde0a13b56709735676959d65da11ac76dd645ab11dac5de048ff7ede0cb8adb3a3056b3ecbeb3dc7481bac3768d02051e564c74b679

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_

Filesize
15KB

MD5
577b7286c7b05cecde9bea0a0d39740e

SHA1
144d97afe83738177a2dbe43994f14ec11e44b53

SHA256
983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824

SHA512
8cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_news_mousedown.tga_

Filesize
20KB

MD5
00bf35778a90f9dfa68ce0d1a032d9b5

SHA1
de6a3d102de9a186e1585be14b49390dcb9605d6

SHA256
cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2

SHA512
342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041

Download Submit
C:\Program Files (x86)\Steam\package\tmp\resource\filter_clean_bulgarian.txt.gz_

Filesize
23B

MD5
836dd6b25a8902af48cd52738b675e4b

SHA1
449347c06a872bedf311046bca8d316bfba3830b

SHA256
6feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64

SHA512
6ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dfn8djy7.default-release\activity-stream.discovery_stream.json

Filesize
28KB

MD5
1a20f11138409bf7343b21ad6d7ef7d9

SHA1
0a44b0869605cd1f86bb1d9553514a87c8fe2630

SHA256
ee48bf4b7374d3bd7583af804051b60c700f17e1668df59373b7921b53c58525

SHA512
f505fddea32416dcce59a82121b6fe5295e501b22cdd72bfb0e7a95e0d7c56f1ef447c7e1c541b4c99164377947cee8eb415040b906118b98c02827626a59707

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dfn8djy7.default-release\cache2\entries\0496E33B07BB9340090B6FF9A653DA5443DBD403

Filesize
224KB

MD5
7fda4c166b9796778a90b118796cc57e

SHA1
47b30a73aa0cb4a67b9a69ad59a20ae333b4f578

SHA256
1a167cfe14b2cc09f83f85d68dc789eec819f5e5efd55b778697e5d668ee07c8

SHA512
d3d139f4933c40e8c24145791e4aa08d8dcdab782f66a4e53f382366ada6e42b83fafb1bfa5cad203903e19d564cca2ed35660c69e35ed794d76915048dd44f8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dfn8djy7.default-release\cache2\entries\183E2680605B56F24D804B991A30FEF1163A9594

Filesize
61KB

MD5
36a31a833ec95f748ab83c99de02fdfa

SHA1
4647aaa9ffcd4064413ee41ac17bc74a1494427d

SHA256
d37b46cceb1d54acef2f6064c02fded153f2ca6aa444a776bd8bcd1e57ac3f6c

SHA512
cb26caa5e0ab534b18948b7b1bd9e2a0cc624210d9b63efdd125779fc054d38490b6f0f8b481e1a6cd4d73f75ca9ce4babb5d83ec9347784c8306411139ad923

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dfn8djy7.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dfn8djy7.default-release\startupCache\webext.sc.lz4

Filesize
107KB

MD5
2c7f20389315565ba532c91ceda57668

SHA1
e174329b28a048e2d4459dfe5bca474d9357292a

SHA256
0e31235ff7053f949fffef94d1c8c378d7d2c00e2c850123a6c6a7f42201326d

SHA512
ac92c90d10e0ef7cdfeb45946e135b138245c21d230638c838544a6a3ce4f5ee7655c438662b446023d509f6fca22b31d00a2197a57d15526f5d1e8d804be45b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\2E8LPFIT\account.live[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\068ee470-d4d4-45bf-9919-eade02e0f7ec.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
5bcecb0b4d44fe4c9711460faab10e70

SHA1
99bf8e1256a11900bd19367353f08d6b21cdcbc7

SHA256
72e523a325b0121f8d25a121ed1449a5f913181742dea7525dcf049cc7c4e590

SHA512
7258dcf7c88d717b950e70292073199bcdb8e92d44812d80e9ebc56bfb80b7b0305d05cefccee1f354a18b906ecd5e8f607acfbdde29ff65fd89d85bd448b5b1

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
20c2c2442ce90c10e40d0e2defd05444

SHA1
014783d63042f7c231dc87bf0827a8ba6f119493

SHA256
d40079892c61f9f274a3d01a8e2f9d90f9dc5e79077b41c3df92d1603fcc6fa8

SHA512
3401ba48c4dd29afd76a46a8b7e7f5a543b941d91ca72b2e2da2deb20771b6a68e1aabd4b4dd0626f126cb06d6658506784a13b1aa48b7c2b394d5e87587409c

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
639dacc2d1972b9ff81a78a72b4d1a17

SHA1
7811886c0efafd72a031bc686dafe6bc6b8fb191

SHA256
bd3b0ad775c90469999ead9e6d7dffd71ca253f45a35c529215b8dc6fc9a28ec

SHA512
06e7d59f02507e885068c52c1a66883bed27ff5e33765aa8e9e1fb241736dbbc385a42822eea9545d4405e19bf84c605b8383aab61fc40ab98c4be642ec6a0d4

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\DawnWebGPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\DawnWebGPUCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\DawnWebGPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\DawnWebGPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\LocalPrefs.json

Filesize
710B

MD5
3ab1a44976e20c7b33b76341b4185172

SHA1
9b2a4161e521e36bd07dedbe11a04c358bee2367

SHA256
289224674ab45e37e111c648c345f6a5164a29dcc9325b4d7c643d3c873cf929

SHA512
3233654ca4835137b3aabb69fc02fe75923e33d9204d924799f06da0012771602a3d5a46b5117f4ae6690abed45aa7cab36ad9cc09aef5d8c33cf2c7dd61d6d4

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\LocalPrefs.json

Filesize
822B

MD5
2727f3681e0ba1e0dcf7a82b6ece9692

SHA1
a58efe17026c6b35d7d37a430fe13efee871698c

SHA256
09746a503a9c254f07793f6cada48ed9b86235b11e91915c378cbe52a4ae8fd7

SHA512
ef9df0211796988e188652ef4f81e5748bd7978fdc30701985e94db1c50c452b5d083498edd48cb21c9ea2f803fcea2f64ca081f67df61f7becbf06b27948070

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\LocalPrefs.json~RFe5f7bb1.TMP

Filesize
529B

MD5
77f817670d984a9067462d217b21cf3c

SHA1
02fb48331625f688dad2ffc057fa63671a9bef18

SHA256
a9e1685e0937a9ba36cbef995da71e80306bbe65740473b9850b0651f31e4daf

SHA512
f34a6589af5c168cfab0cd4f8b6602dd339aea89f51cac1ceb3c32937f62c8bf6c160a97f9fc355010cee1fe4e841be7f9cd428ee0fdb675360646ee27a04301

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\Network Persistent State

Filesize
300B

MD5
c33db675324e2af1ee9f44565fa12356

SHA1
c6c8a99e5e9dadfe56c83bf2c65cfe0b1981fe1a

SHA256
0e1e560a3c81e44e4d6437c8191ceeaaa139f7bfdf51f12f69e6a1c69aed0af0

SHA512
c4af69e291c668fdd362acf2823f13e329aa2d94346789a3eafcc411eefcaaaf28c4789793ded38d849e4626e121f27dfd4d2963c0345ebca2c77200de21bc92

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\Network Persistent State~RFe5f8f49.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Shared Dictionary\cache\index-dir\temp-index

Filesize
48B

MD5
5603937d9d815e154f3b0faf32872fc8

SHA1
7195b7b8e6bc3a446f6eaffa7658d6587009bf56

SHA256
478300968db0e5a50926486ecf9606f899dba54690eb7c1a2647f6e0317ce43c

SHA512
49173a1f0e4bc68493de58ab17bdf760f087364beb5f26b19f6531d133e6e21d653f98b7a6740aaa42c9f6e2d68f74a0b63de77ab3affc63d1d64f4a6388cbf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\VCRUNTIME140_1.dll

Filesize
48KB

MD5
68156f41ae9a04d89bb6625a5cd222d4

SHA1
3be29d5c53808186eba3a024be377ee6f267c983

SHA256
82a2f9ae1e6146ae3cb0f4bc5a62b7227e0384209d9b1aef86bbcc105912f7cd

SHA512
f7bf8ad7cd8b450050310952c56f6a20b378a972c822ccc253ef3d7381b56ffb3ca6ce3323bea9872674ed1c02017f78ab31e9eb9927fc6b3cba957c247e5d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\_asyncio.pyd

Filesize
71KB

MD5
142e957ae9fe9dd8514e1781c9a35c2b

SHA1
66d587f8b3a9f8cf237fc682c6e6d3d0929f1df9

SHA256
4c6d6690e91974804c1eaf77827ea63882711689baff0718a246796ff40b2a23

SHA512
874a827a6183bfe9898c80c25db4336eb58273a0ec701bc5f497364afe3084d6634bf6db7f9dc02ef593c6a751e678be419e9af050bd51c4bbb89d98f53c5f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\_bz2.pyd

Filesize
83KB

MD5
c17dcb7fc227601471a641ec90e6237f

SHA1
c93a8c2430e844f40f1d9c880aa74612409ffbb9

SHA256
55894b2b98d01f37b9a8cf4daf926d0161ff23c2fb31c56f9dbbac3a61932712

SHA512
38851cbd234a51394673a7514110eb43037b4e19d2a6fb79471cc7d01dbcf2695e70df4ba2727c69f1fed56fc7980e3ca37fddff73cc3294a2ea44facdeb0fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\_cffi_backend.cp313-win_amd64.pyd

Filesize
175KB

MD5
5cba92e7c00d09a55f5cbadc8d16cd26

SHA1
0300c6b62cd9db98562fdd3de32096ab194da4c8

SHA256
0e3d149b91fc7dc3367ab94620a5e13af6e419f423b31d4800c381468cb8ad85

SHA512
7ab432c8774a10f04ddd061b57d07eba96481b5bb8c663c6ade500d224c6061bc15d17c74da20a7c3cec8bbf6453404d553ebab22d37d67f9b163d7a15cf1ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\_ctypes.pyd

Filesize
129KB

MD5
2bd5dabbb35398a506e3406bc01eba26

SHA1
af3ab9d8467e25367d03cb7479a3e4324917f8d0

SHA256
5c4c489ac052795c27af063c96bc4db5ab250144d4839050cfa9bb3836b87c32

SHA512
c07860d86ae0d900e44945da77e3b620005667304c0715985f06000f3d410fffb7e38e1bc84e4e6d24889d46b9dac6bf18861c95b2b09e760012edc5406b3838

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\_decimal.pyd

Filesize
274KB

MD5
ad4324e5cc794d626ffccda544a5a833

SHA1
ef925e000383b6cad9361430fc38264540d434a5

SHA256
040f361f63204b55c17a100c260c7ddfadd00866cc055fbd641b83a6747547d5

SHA512
0a002b79418242112600b9246da66a5c04651aecb2e245f0220b2544d7b7df67a20139f45ddf2d4e7759ce8cc3d6b4be7f98b0a221c756449eb1b6d7af602325

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\_hashlib.pyd

Filesize
63KB

MD5
422e214ca76421e794b99f99a374b077

SHA1
58b24448ab889948303cdefe28a7c697687b7ebc

SHA256
78223aef72777efc93c739f5308a3fc5de28b7d10e6975b8947552a62592772b

SHA512
03fcccc5a300cc029bef06c601915fa38604d955995b127b5b121cb55fb81752a8a1eec4b1b263ba12c51538080335dabaef9e2b8259b4bf02af84a680552fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\_lzma.pyd

Filesize
155KB

MD5
66a9028efd1bb12047dafce391fd6198

SHA1
e0b61ce28ea940f1f0d5247d40abe61ae2b91293

SHA256
e44dea262a24df69fd9b50b08d09ae6f8b051137ce0834640c977091a6f9fca8

SHA512
3c2a4e2539933cbeb1d0b3c8ef14f0563675fd53b6ef487c7a5371dfe2ee1932255f91db598a61aaadacd8dc2fe2486a91f586542c52dfc054b22ad843831d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\_multiprocessing.pyd

Filesize
35KB

MD5
22d20bd3946419ecf0882315ae1f96de

SHA1
f3c07bef75fa372a6905e971ca8350d1e3e48058

SHA256
9da721822a592f8c4e9a96ebaa4517c45768d7737582e0e5b933066f453a2e5e

SHA512
a3bec1f99240b9e9d823405eecc1c511c46f11c7d844229a0dad7e23edb69df365874c184fe9b2637f12a94132e44acecc3a434810d0ff5c819f8207f1ddde9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\_overlapped.pyd

Filesize
55KB

MD5
4df3728d404e0b1607a80b32c6c93bcc

SHA1
d6ebd687de4d5fd8037f0775d6ea88b84f6a8287

SHA256
c8a0e2c0d7f82cedb839d2c0b827cf139113faa4aba05f2345c80e2cf3335b8a

SHA512
f9f51ac1f82e2fa799249336a927a84b0a44055ada0a136e318d9073633c2595445a933fbc74b0b3c16cbad6c253d1df76cad031389d89daf9a789de1526e265

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\_queue.pyd

Filesize
34KB

MD5
955b197c38ea5bd537ce9c7cb2109802

SHA1
8feffcb11740ddafc4479fc008cc06c6b570a8bc

SHA256
73cade82ee139459fe5841e5631274fc9caf7f579418b613f278125435653539

SHA512
cab0d8d10fb3bff72d20b287901ccd9be685796142cd2e45e4712cd6f4551dec69180490c2fdfad262c6927a3c7f4fefe68187f64c066731fe17012f78a0ed69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\_socket.pyd

Filesize
82KB

MD5
abf998769f3cba685e90fa06e0ec8326

SHA1
daa66047cf22b6be608127f8824e59b30c9026bf

SHA256
62d0493ced6ca33e2fd8141649dd9889c23b2e9afc5fdf56edb4f888c88fb823

SHA512
08c6b3573c596a15accf4936533567415198a0daab5b6e9824b820fd1f078233bbc3791fde6971489e70155f7c33c1242b0b0a3a17fe2ec95b9fadae555ed483

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\_ssl.pyd

Filesize
178KB

MD5
cf541cc288ac0bec9b682a2e0011d1ff

SHA1
ef0dd009fdad14b3f6063619112dcdfafb17186d

SHA256
e94f0195363c5c9babfc4c17ec6fb1aa8bbabf59e377db66ce6a79c4c58bbd07

SHA512
f97e7fc644356bebe7e3deaa46b7de61118b13af99c9e91d0fbcbe3caea0c941265bcb28fee31a22fc3031c6428517c5202c1425654f3c2cd234979c9e3c04b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\_tkinter.pyd

Filesize
66KB

MD5
ab5bc77ee74ea930f1c9964668fd7c37

SHA1
e326c378d353d283af37466453a6698de179ec07

SHA256
f34a80dc8435934c410b621a354ea88801d41d1089b0f3128e60aac170b083ad

SHA512
81434fcc19e8441e3004aa7bc41d15ec0ce0b094dde8cf334e215d63440720e8d79d895509e45434ff5e725fd8f7ef6006c15d4217b687104befed37d1992b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\_wmi.pyd

Filesize
39KB

MD5
c629ce084fc76ac60b7a77479cb2225c

SHA1
fe80955f217162ce9d4910202bbe30f7601d254a

SHA256
afad80f9e62a57814779cf3e48352b583c1a0697b11a23cc9db3f4e43f7f8664

SHA512
9863767981508f458c61553e5a50b6c5d70956676fee92e15b5ab08b1770ba0f640392fa12feddd6ab1eac5a418f3f8cd057c608e33653a2825ca36edded78b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\base_library.zip

Filesize
1.3MB

MD5
18c3f8bf07b4764d340df1d612d28fad

SHA1
fc0e09078527c13597c37dbea39551f72bbe9ae8

SHA256
6e30043dfa5faf9c31bd8fb71778e8e0701275b620696d29ad274846676b7175

SHA512
135b97cd0284424a269c964ed95b06d338814e5e7b2271b065e5eabf56a8af4a213d863dd2a1e93c1425fadb1b20e6c63ffa6e8984156928be4a9a2fbbfd5e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\certifi\cacert.pem

Filesize
292KB

MD5
50ea156b773e8803f6c1fe712f746cba

SHA1
2c68212e96605210eddf740291862bdf59398aef

SHA256
94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47

SHA512
01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\charset_normalizer\md.cp313-win_amd64.pyd

Filesize
10KB

MD5
56fe4f6c7e88212161f49e823ccc989a

SHA1
16d5cbc5f289ad90aeaa4ff7cb828627ac6d4acf

SHA256
002697227449b6d69026d149cfb220ac85d83b13056c8aa6b9dac3fd3b76caa4

SHA512
7c9d09cf9503f73e6f03d30e54dbb50606a86d09b37302dd72238880c000ae2b64c99027106ba340753691d67ec77b3c6e5004504269508f566bdb5e13615f1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\charset_normalizer\md__mypyc.cp313-win_amd64.pyd

Filesize
122KB

MD5
10116447f9276f10664ba85a5614ba3a

SHA1
efd761a3e6d14e897d37afb0c7317c797f7ae1d6

SHA256
c393098e7803abf08ee8f7381ad7b0f8faffbf66319c05d72823308e898f8cfc

SHA512
c04461e52b7fe92d108cbdeb879b7a8553dd552d79c88dfa3f5d0036eed8d4b8c839c0bf2563bc0c796f8280ed2828ca84747cb781d2f26b44214fca2091eae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\jwt_helper.py

Filesize
857B

MD5
4fa7227ad75be84adff241fc560b2008

SHA1
a0f60a5dce43687060ffb1e2d5ddc8d3e05240b3

SHA256
1876d50f13a799b99ab94a21d1cecf609c9d253cb75e629d7e8f084ec9ad2661

SHA512
906c2ff82b76c1e31644e652e9f5579f7e456c9aae1bed79f60ebda00f973a2c255a7d004cc44b8ecde1d277a378463c2a2c46f71b183b9da495adfc65e93e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\libcrypto-3.dll

Filesize
5.0MB

MD5
123ad0908c76ccba4789c084f7a6b8d0

SHA1
86de58289c8200ed8c1fc51d5f00e38e32c1aad5

SHA256
4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

SHA512
80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\libssl-3.dll

Filesize
774KB

MD5
4ff168aaa6a1d68e7957175c8513f3a2

SHA1
782f886709febc8c7cebcec4d92c66c4d5dbcf57

SHA256
2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950

SHA512
c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\psutil\_psutil_windows.pyd

Filesize
65KB

MD5
49ac12a1f10ab93fafab064fd0523a63

SHA1
3ad6923ab0fb5d3dd9d22ed077db15b42c2fbd4f

SHA256
ba033b79e858dbfcba6bf8fb5afe10defd1cb03957dbbc68e8e62e4de6df492d

SHA512
1bc0f50e0bb0a9d9dddad31390e5c73b0d11c2b0a8c5462065d477e93ff21f7edc7aa2b2b36e478be0a797a38f43e3fbeb6aaabef0badec1d8d16eb73df67255

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\pyexpat.pyd

Filesize
197KB

MD5
03493d1441671abe9339af942253dac3

SHA1
0d8800be2733bb56fb2909a6f9389c00eb00f612

SHA256
3a4830342ab562e41ab93b4bc2dc45fe0ab760815e7c3ec4a7fddc914ec99982

SHA512
1b092a9e2e9e64533e7436c239961cee4ffde0fa6fed4c6e0ca2a9f72fc72065d457968dc92e74f4e052cd2557f6d380a86046117b6a450306a16ac6e885a036

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\python3.DLL

Filesize
70KB

MD5
ad2c4784c3240063eeaa646fd59be62c

SHA1
5efab563725781ab38a511e3f26e0406d5d46e8d

SHA256
c1de4bfe57dc4a5be8c72c865d617dc39dfd8162fcd2ce1fac9f401cf9efb504

SHA512
c964d4289206d099310bd5299f71a32c643311e0e8445e35ae3179772136d0ca9b75f5271eaf31efc75c055cd438799cef836ed87797589629b0e9f247424676

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\python313.dll

Filesize
5.8MB

MD5
3aad23292404a7038eb07ce5a6348256

SHA1
35cac5479699b28549ebe36c1d064bfb703f0857

SHA256
78b1dd211c0e66a0603df48da2c9b67a915ab3258701b9285d3faa255ed8dc25

SHA512
f5b6ef04e744d2c98c1ef9402d7a8ce5cda3b008837cf2c37a8b6d0cd1b188ca46585a40b2db7acf019f67e6ced59eff5bc86e1aaf48d3c3b62fecf37f3aec6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\pywin32_system32\pywintypes313.dll

Filesize
132KB

MD5
2a87d04e9e7cbff67e8ea4f6315c0ebb

SHA1
cf5b2bb53b37087eca18e509b8551ed5cb7575d9

SHA256
d011068781cfba0955258505dbe7e5c7d3d0b955e7f7640d2f1019d425278087

SHA512
2138e051ac116d3abe11101c75f8bd8388d7fba89b15e6f82dc35fd78bdd913ed8ba468769f68440ce7834825806281aa15f0023855e3b8248266414d60a4a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\select.pyd

Filesize
31KB

MD5
62fe3761d24b53d98cc9b0cbbd0feb7c

SHA1
317344c9edf2fcfa2b9bc248a18f6e6acedafffb

SHA256
81f124b01a85882e362a42e94a13c0eff2f4ccd72d461821dc5457a789554413

SHA512
a1d3da17937087af4e5980d908ed645d4ea1b5f3ebfab5c572417df064707cae1372b331c7096cc8e2e041db9315172806d3bc4bb425c6bb4d2fa55e00524881

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\setuptools\_vendor\jaraco\text\Lorem ipsum.txt

Filesize
1KB

MD5
4ce7501f6608f6ce4011d627979e1ae4

SHA1
78363672264d9cd3f72d5c1d3665e1657b1a5071

SHA256
37fedcffbf73c4eb9f058f47677cb33203a436ff9390e4d38a8e01c9dad28e0b

SHA512
a4cdf92725e1d740758da4dd28df5d1131f70cef46946b173fe6956cc0341f019d7c4fecc3c9605f354e1308858721dada825b4c19f59c5ad1ce01ab84c46b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\tcl86t.dll

Filesize
1.8MB

MD5
f84402dad33303b21ee448be2223542a

SHA1
bd2582259aeb45f94cc76437d2c890bdd8acc3da

SHA256
7269609c395716853a95e9b37828cda4ffb03d7cb956ba82147eb18b2e528f5f

SHA512
c26c089866d50ea46ff162560705f584f1590e0b214c54891508c32b3c4388e384813b1a3c6caa6037d4f932ee6dcdf4e3a5b6401386a7be3eb5692c9c524619

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\tk86t.dll

Filesize
1.5MB

MD5
6164b6efb6c6d3752f2746283c4066c5

SHA1
6d31d2c02c7e9c890d34dab32e328144679e2270

SHA256
32e4e077e4a55860dc84ea15d25c168bf1e656973e07fcc2f43d1a7ce440bd49

SHA512
e937ebea0780ae1d7492276cae58b78cee9ff7d0a06f08de716dc823d755938653095f1afdc566513f15e044e09b9aef186a4c137505a05aa38bed111efbf975

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\unicodedata.pyd

Filesize
695KB

MD5
43b8b61debbc6dd93124a00ddd922d8c

SHA1
5dee63d250ac6233aac7e462eee65c5326224f01

SHA256
3f462ee6e7743a87e5791181936539642e3761c55de3de980a125f91fe21f123

SHA512
dd4791045cf887e6722feae4442c38e641f19ec994a8eaf7667e9df9ea84378d6d718caf3390f92443f6bbf39840c150121bb6fa896c4badd3f78f1ffe4de19d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\win32\win32crypt.pyd

Filesize
122KB

MD5
94049e023814436e0a3560474f7057d1

SHA1
28ddccee782b9613ce06224e2c80f67fbb2e16c7

SHA256
306022128185b4608e49400b7a3fd5954ff524c201d989833cb3aa5856562e97

SHA512
fcc00194624b668b39ab29d9d07f080668fb564c6558a9ab8e736052fb8ca596803a4b03dee827be915accb65251804a7661e976d314a453806d67dce1269cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34962\zlib1.dll

Filesize
143KB

MD5
4942b3cfa584f1a26653d3752ac0735c

SHA1
7cb68a5ad928172ce7b6f2afc847ae449021b58d

SHA256
908ac77373641d1733fa847c59e0e854088f80252ee544223c6488b119055e9a

SHA512
3bdc27a36632ebde26d47d9c79705f4e1a5f31b2edd783b97fbc9ee1a21291ce542dc7b632ef8df166f3d45456b177616b3175154ca374c8ef35b9e35dc2ae18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44282\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv97B5.tmp\StdUtils.dll

Filesize
110KB

MD5
db11ab4828b429a987e7682e495c1810

SHA1
29c2c2069c4975c90789dc6d3677b4b650196561

SHA256
c602c44a4d4088dbf5a659f36ba1c3a9d81f8367577de0cb940c0b8afee5c376

SHA512
460d1ccfc0d7180eae4e6f1a326d175fec78a7d6014447a9a79b6df501fa05cd4bd90f8f7a85b7b6a4610e2fa7059e30ae6e17bc828d370e5750de9b40b9ae88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv97B5.tmp\System.dll

Filesize
22KB

MD5
a36fbe922ffac9cd85a845d7a813f391

SHA1
f656a613a723cc1b449034d73551b4fcdf0dcf1a

SHA256
fa367ae36bfbe7c989c24c7abbb13482fc20bc35e7812dc377aa1c281ee14cc0

SHA512
1d1b95a285536ddc2a89a9b3be4bb5151b1d4c018ea8e521de838498f62e8f29bb7b3b0250df73e327e8e65e2c80b4a2d9a781276bf2a51d10e7099bacb2e50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv97B5.tmp\modern-wizard.bmp

Filesize
150KB

MD5
3614a4be6b610f1daf6c801574f161fe

SHA1
6edee98c0084a94caa1fe0124b4c19f42b4e7de6

SHA256
16e0edc9f47e6e95a9bcad15adbdc46be774fbcd045dd526fc16fc38fdc8d49b

SHA512
06e0eff28dfd9a428b31147b242f989ce3e92474a3f391ba62ac8d0d05f1a48f4cf82fd27171658acbd667eaffb94cb4e1baf17040dc3b6e8b27f39b843ca281

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv97B5.tmp\nsDialogs.dll

Filesize
20KB

MD5
4e5bc4458afa770636f2806ee0a1e999

SHA1
76dcc64af867526f776ab9225e7f4fe076487765

SHA256
91a484dc79be64dd11bf5acb62c893e57505fcd8809483aa92b04f10d81f9de0

SHA512
b6f529073a943bddbcb30a57d62216c78fcc9a09424b51ac0824ebfb9cac6cae4211bda26522d6923bd228f244ed8c41656c38284c71867f65d425727dd70162

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv97B5.tmp\nsExec.dll

Filesize
17KB

MD5
2095af18c696968208315d4328a2b7fe

SHA1
b1b0e70c03724b2941e92c5098cc1fc0f2b51568

SHA256
3e2399ae5ce16dd69f7e2c71d928cf54a1024afced8155f1fd663a3e123d9226

SHA512
60105dfb1cd60b4048bd7b367969f36ed6bd29f92488ba8cfa862e31942fd529cbc58e8b0c738d91d8bef07c5902ce334e36c66eae1bfe104b44a159b5615ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv97B5.tmp\nsProcess.dll

Filesize
15KB

MD5
08072dc900ca0626e8c079b2c5bcfcf3

SHA1
35f2bfa0b1b2a65b9475fb91af31f7b02aee4e37

SHA256
bb6ce83ddaad4f530a66a1048fac868dfc3b86f5e7b8e240d84d1633e385aee8

SHA512
8981da7f225eb78c414e9fb3c63af0c4daae4a78b4f3033df11cce43c3a22fdbf3853425fe3024f68c73d57ffb128cba4d0db63eda1402212d1c7e0ac022353c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
0968d9ac2c82e20ea09d2734aded2d87

SHA1
5756df09536a60b2859d9ce00129cfb7b1bc036a

SHA256
4520b9c968e0ce0d29b66f4da363ecbc3edae06bb1afbb436e8db8eccaefa41e

SHA512
4940a4ed4fb6981dd3f8fd0026e3b5e3ed6a1e3c4e5684fc99f965dcb27a76fe483ef19c8cc295e2593c31d771f5ab9878b050732f4da53498f552e661d362bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
31045df87a1541e269d73818dd4477fc

SHA1
d416e70969b6d83283adacb289ed8c3d1b7c9104

SHA256
39c3405621ecd69e5d8125e2756d5223c0c963b67c7f054edf8213e83562ff25

SHA512
e1583d620386eecc1bd7de0ff3d4bbaea9ee232218336b8276368fa868c6c438cfc8f538e5e0e8b193a0c3358a971ed530f3bc7aaaf7a01629ed86ea3d62144a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
8faa2b3b3754e04b55113d79a31af7cc

SHA1
081eb632504836194b750cb09e36166d18495cc7

SHA256
5072b158deb6973802e06e052764801c58af53ac91cd3260e718ef44fe49569a

SHA512
31bd788064a6d8d3e391de07be0f25f94708a34830a30d5b64786ca2af3dd69526373a0c9bc99422ffb14aa8a8619c3af4aa375abe7ce8f7ea700dfa1b1efb7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
9KB

MD5
b4e6e92b1927c7608635df505653c310

SHA1
5a99728169e3ad821533d98054509987a97c449f

SHA256
594015518d743c2c47bfdd2e48e332b4e595c190a8205d8af59b12c1663bc39e

SHA512
c6275d478e446d9ea8c3518f981af225d82c1f34cb13a200781094570cb72078496558a724e502ba86688a5520d239dc2b1d000c6fd23a13609549fe839fd4bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\AlternateServices.bin

Filesize
8KB

MD5
30bc9f930e7421cffc52f98c34445517

SHA1
4c8151afdacf89bd2e7230cbb8f79117d6e845b5

SHA256
751c16cfe530cab364029529223d425979e039910af5be75be642bcefd0aa058

SHA512
589f39582998dd21b035eee4ad53ec167b45a1454863fcf635e30a83df27ae11fd455c7e64c6588b00b4ef662b1a5d31ed77ffca4ea6a5feb5cb55b8fc92cda8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\bookmarkbackups\bookmarks-2025-01-09_11_8VjzqSwmtqWutgfS4lkHNw==.jsonlz4

Filesize
1009B

MD5
d09e0770c9a6098005e20c4cb7a240f7

SHA1
1ac27e5428372e8a3567fced290a82ac275ed20e

SHA256
64385dd70b96360672a2d630a06b7e08f2616a225b9af955825836d9c7b73262

SHA512
57f293a8ec263128d0e9c7aa951248695a7b92e808107b1ec442ac2cfdf06b77e21361a3c0c9931f1590bb18c7b8ea07932873ef5400cd495c909466789604de

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
28855668edf6b97dd7c2cf765bf523dd

SHA1
af8594fd203faba35b60459bcb1bef9fbfe9e116

SHA256
d4b574ce6e0e838c70d293fb08ce0eb800cd97096f117a5445772f1304b5ff35

SHA512
d2efe7e0961e5b730d2deca282a23c3016d1b77602515809bd2bb2e76d75575c456a13d670e6ba53372c8dfc0c0b49b1f8de839c33ef184f2ed5a97b1121659a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
f3d5fcd81a1ed17eca83a34055c2e34f

SHA1
a70da9a17d2f37789b8a140c7431f608bfc1d47b

SHA256
29c1b4710cc5a5b106c5faeb76603bf7feae1ddc30bf7b758cf781fa428dcf42

SHA512
af5661cf44ac08c7dae2359723b412fd9f397536904465382d13e0066af52b11d00eec6083fd22f0d4a952dabf0882a83551e5a16584a3b1bd4689523739ba98

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
8e76c45db63a6711b88ba84e9f89e38d

SHA1
1bcab86df1454db1cbe12c33e5dd8181e24092c0

SHA256
3471cf8b97fd6be0a28c5ac0415f7a05d800e83c5f48b67670281e28fc367248

SHA512
a792f98ccdb3f246b0740b927b1e61d878ecab353b1ea7773e2ed725ac3575eae700c94335d4172dd61b408d68ce54b140525c2e6f1ac299d695597b12b18bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
24KB

MD5
2dca31b02a1900a51caeff0ae14711b8

SHA1
788b649d57dface0a7ff61af3e007121a2a34856

SHA256
8c165f0726f19cf1d426ae9ec87056500e08a16439840ea8d6dcbc4f4f3d591a

SHA512
e103b4edf2bc0813859046cd4fa5025ff0989814d523cd2286f738ab84f6b50d429a5efa89b431a02e5838f603ef35e5bc22eafc8d7ab701dbf60d0ed5ddf0a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
59KB

MD5
437747e793bfb307ca665a041d5e0fbc

SHA1
a6fd0715fe8be1b13e1d74be24325e0228aeff6f

SHA256
1951d35290e2821eca0a2b26b705306b868d6816ce9a0b19c556397fe78d3ea9

SHA512
8b809a487731511c29257a7b2b75bf1976e859934758895ebde280c9aff8dcf809b2e4004d6dcf4bce4fa0ea2ec77c4980f4d82782b1787126ddd56d9338d0d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
59KB

MD5
1ff497450e380bbf6e2239c7aa63efdb

SHA1
267193a48f25ca008e03f0610fef23fa61f1aac5

SHA256
9f8d9828f5e6c08909fad3254375c702f2179b16de3eb777812316863d127241

SHA512
3f7a9936d062837aaf60270340824234589193dc1ccde76e7b3c27af9df0b88c7e3c53df85fd8e4a5ce2bad968d96885e5d5b608c93fd61425ab4d9605291cc4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
85KB

MD5
5b98a0ea76fea7f802c0b70e0205f995

SHA1
30c24344f270c6cd2dfa7664f5af868420a1a7cd

SHA256
4ae349abc8e4bc01e46429820aa5c91c127ecccc3f483c0d91f3342aebf44a21

SHA512
2b2b828f49929649e177ae6a82fb05388dc1bfc38b1f1ca1eda074e6c7d8a437ad37148db093dc3df992f6b4adfb63c4fc37786474e37543cdf5a39423422805

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\pending_pings\19ced4f7-374a-4297-9ad0-f3dd9de1d864

Filesize
982B

MD5
7f424eced31275cacb694b37309f8b11

SHA1
76b1d30db17dc313775cf67ea510a4576da84971

SHA256
bc8fd51df68d31a00482765b1e410c64de3b8d142623ee1e1262c3cb78a0298c

SHA512
017ab8f61c27ce0dec3aad778aaf1d5a2d73c8105525cf425a13b9523bb7fa1629378a01ae9451b15ccabcc12ab5c498b5b1ac22bbad17890d384368c32556f3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\pending_pings\28cc1c75-ae00-4ad5-b9be-0eaab99de299

Filesize
659B

MD5
71dbb74d06eef080fa644baee2c6025e

SHA1
11ec2d2264db131a17ce350c3b8b7689bf61f485

SHA256
cf2d5051e457e4477a8a945cde00354580dcb03a3ac008fb51024ed256da35f4

SHA512
0cd8466db7582816d6dabfc65543a6f86eb2ea27964c381b147db6f27b0a119ca96aba8a73ddb94a768ace4eb434153df5262bba04024d9e1b05c37baff60c84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\pending_pings\df635270-9513-46e9-a4f1-a90ef12e5cc9

Filesize
1KB

MD5
8206efa7593cd26f9b3ebae41cbdb270

SHA1
77200f0fbb553a19ecee64cebcc9256b1f40a27b

SHA256
d94a28e7af5b07b04de1992297233b93bd2fb6c168b3136bc1f1ce9a8de6eea1

SHA512
b5fd64c87aed975e8604cb868d7cfabaef1c4996d35587e0c3b059d16943559852ad57c84426aa9008341fb5a1522946b594048a54d79a9e25f3498fd23973f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\pending_pings\e635166d-d27a-4ee8-b241-eec319e2358e

Filesize
659B

MD5
b00182a0932bc7f6d3b4549e61233ecf

SHA1
9a4b779cf7f75f8ff130a6891b70178fc9e68d82

SHA256
6a4822780dc855e066ed76d2287e9706fe4297c719867ffed64364d7cf9d397a

SHA512
7d6fca53101124dd666877e11dd1164854c764a897168ec7fb26eca180274621deaa6725d75207122700cf2997c8e6254d3b9eb9ebfe62295d93d6846ecf010a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\prefs-1.js

Filesize
10KB

MD5
ebbf21e2bd4c36319f4592ffce082c55

SHA1
5ce370916ee282251818244a3031718c745a568b

SHA256
491f3d50f9e8fa625461d4c1d373e166f2e5e675a055f0fb7410857ce967f899

SHA512
c63a0c50ce52d8c8854d89b5c41199ee9fa04c70c53c26ccaf486171b84e339c246ce3fc01db778369410c01eea9a6301a76200587bf28d43ef8313a06ddae64

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\prefs-1.js

Filesize
12KB

MD5
158bde1747f8a243b946db0c4d5ca077

SHA1
7410fff595f76b1623aa688bcb3860fb4e11a8a1

SHA256
e069df40df87ca14a9e3a6620f7f485b423025f08cbeec002c8aec00f0dc9e4b

SHA512
acc80f2d96548a2310bafaf94d5aa3466162da1146abe5d76193959e268b3dd2844f4365b1eebe937cf1bf1f72975698bc2b9a49aec1379f5044b14fadb86511

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\prefs-1.js

Filesize
10KB

MD5
01d00b01286c5f9bd98793bea9dc4231

SHA1
ad76b1bde7d68c879812dafca7648c06ccb532c7

SHA256
a4ce53562bf21049ca4a991468bf9ab2d2d9234f920b2b89cc1ef6fe6725dae0

SHA512
d79dec837130a11dfe98288387bf0932bf3ee735e7382c92a00929f518bb6a216194278db4b6f7e5c2ede362785e99fa250764ead522aa1f95dc2733de131334

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\prefs.js

Filesize
11KB

MD5
31dc2b4215c93a12ae3163b8b4f389cd

SHA1
5ab35abd61d09c659343bdecc27213c3240e1a5c

SHA256
f7e9bfcbd536a37f7789362a61a1fe3c366bb107ac00f3f9416678082efde93f

SHA512
b69658356ef170e9e46238ac9f218583678522f3e56971fa6f41e195bafb12760c15b45512fd11de390e543a290fe4d1b4c848a87ea46045ee372e5da0274aac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionCheckpoints.json

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
eedbaf4a24a74e8a997662cf8ca83251

SHA1
099c0f630256ac42daa882bf9a55ba6b75221e3c

SHA256
865ba721b21dbf424c2b5d9ad7488d8fb863b85151c7712fac083f0240d9c9b0

SHA512
3b074ee77c98b930c2d7f7ccfba07c76d2f81ea5c8ee64fa685ab84265d117a840f22ecd85f42ba2b1299519b64db282d2e8a77dac97c99f527652d23167b586

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
78c12aed6ffb841ffcad96766882da2a

SHA1
39011746657154fa41d2500c7d7c5fdc0e76b5f8

SHA256
a83f8693440628b999b4addba38bf05876fd40a824e6e18a4cce9d2d8691cc6c

SHA512
72caefc87d6a0037deb492c88ac1b6f48a98b77dc432be2b615c96ce82ba3dc0c572dce417adf374e76259017ddf3da3abb18f8216164792e0286820df56d015

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
452ae70e4bda9c986b5ecd195b55197f

SHA1
c1fcc14da2feb0b7c8f3f0a1f5c52e056ce0a540

SHA256
16238000ceb32352e192842952aca4061dff7ca7aab42195e4de88c6f3630314

SHA512
577f351c39bf5ba77b0bc2995706353b26f7b952564d311944cf12a0cb2af62a62e19a564514cabbd35e018dccd43767c6772fdb109e18111952b08a375f9d4a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
ad3b79619c17548783dc3bfd9e6bc8d3

SHA1
cf57eb6a71a0ba59bcf5d27138fe06fc9acef781

SHA256
eeee0e0f432cd6ad4fc3e92c86a479fe7e4d49e9e7fb41220a849d29fcf0b665

SHA512
6053f6e72e40884be4ff2625d366e899c868e407fb66e43982d27849b4ff0a58989328a290a6d14fda136de12190c5a4b52e3cde080fd75f0bc1578bae9d3025

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionstore-backups\recovery.baklz4

Filesize
45KB

MD5
614098ae3f85c0145b296a41d8bd5b1f

SHA1
ef9af48c1c4cbeeba1c096ac1c79c438bdf971c1

SHA256
e00b3f90c8bcaa9b763b3b175e917273f6ad2c396443344caff2bd0754664c19

SHA512
4011cf5dfa6b6532335741eb8a2d31420e626b5bd09b1c05aa1043b46551580dd6bc9e6a80bd8dddbf742cebbbaa0c2d73134e6cf51e65c045e4eb77daedfa35

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionstore-backups\recovery.baklz4

Filesize
47KB

MD5
5e7305838872e61d148d0c599bd86e92

SHA1
2caf9134dd890e7d09090e1494d99e6c82e12098

SHA256
9abefa1d7e269d69c2faece3ad1ee47b5f00915120613344a82dc89f80869147

SHA512
be110e7c69982eadb18eb3ef2fbe67c3aef94e71e2b29fe30f4032da5081240d44a515ed29dc4454e69faf9384f435413b4e84e9ff429003e0475fb2ea1e148a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionstore-backups\recovery.baklz4

Filesize
48KB

MD5
119fae1bd90be52d5d7257837e4c16df

SHA1
41325c83dd20923d10066731892ec3f7b64f7176

SHA256
ac0d24db1c43937a10045095e1b5e53e97544a94f5a918721aad44f0c5a5afba

SHA512
c140dbcfc92d16022e99af9fd0e3f5a15d35051c7604cccf352d126c1f3863e5f9c35ea31bd8652828414ac86dbd27c8f63b9bec9963808efca3358fbd6d951f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionstore-backups\recovery.baklz4

Filesize
49KB

MD5
ad5e3afeea07b131cd86da7cdd875809

SHA1
7f6398170c2a5a4fca3ef52e2e9ebd10df2e6192

SHA256
00bd62e32572a70000834319d70d79326c88cddc240eb0adc52040195ca614dd

SHA512
fedd38173c4377b557b51da8062b63526ccbec8166fb03ffc549720d947a740dad4b63acd570436be6d7ab9cb5107ece128fec315ba6478b36bcde728d192f7a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
592KB

MD5
e99fe449909166446d8bc6f2a732d3c4

SHA1
c39855659f5692acf990c3f58d351237d8be410d

SHA256
9407475c4e94ddd4c0829570f0fa7fc293846213895681582c6d1f68b319f89f

SHA512
6d99df66ee74b4e304a06ff398464194edfd9efd82d2141810932cec259227a856df9e1a1207106c610442a930316e8c94b3a0ff75855a62fa91e776c160b5a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
592KB

MD5
e7aa09dfd28ea92d298f482cef2ed29b

SHA1
e0b532653ffbdbc6e78f3a68fc67a2ff7cf19711

SHA256
e754833f3975001a7907f3461a4ce8b27d09a2d2b1bd30c94fa3102165da3be0

SHA512
d273a59cc5f896f28221bb23ade8f97afbf949823bfaee385920524031734744ea9e24971786ecd40aaf425524777c86741147bb5ae4546f65715941dda6b64c

Download Submit
C:\Users\Admin\Downloads\7z2409-x64.bwpNllRX.exe.part

Filesize
1.6MB

MD5
6c73cc4c494be8f4e680de1a20262c8a

SHA1
28b53835fe92c3fa6e0c422fc3b17c6bc1cb27e0

SHA256
bdd1a33de78618d16ee4ce148b849932c05d0015491c34887846d431d29f308e

SHA512
2e8b746c51132f933cc526db661c2cb8cee889f390e3ce19dabbad1a2e6e13bed7a60f08809282df8d43c1c528a8ce7ce28e9e39fea8c16fd3fcda5604ae0c85

Download Submit
C:\Users\Admin\Downloads\7z2409-x64.exe:Zone.Identifier

Filesize
579B

MD5
aa96491c82a2f7213450426822d3c596

SHA1
7826a1e402af3592f34fa45b962be4140ef9ceee

SHA256
06932b226fa87bd43e423272a78f59ae2c8ab8e3ee706b6bb887fe26f8a5a1d6

SHA512
96ffda9f40446f87f730d734a870bfd9f79b9606f4e7d717a146ba6c942fd6967ac91f33e1b8de83cc79191af8631c04292e757bc60784cc9e07d33580c2d6e9

Download Submit
C:\Users\Admin\Downloads\SteamSetup.aN_S9UcW.exe.part

Filesize
2.3MB

MD5
1b54b70beef8eb240db31718e8f7eb5d

SHA1
da5995070737ec655824c92622333c489eb6bce4

SHA256
7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb

SHA512
fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb

Download Submit
C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier

Filesize
151B

MD5
08099574fcdc80e39b073884dd0afeef

SHA1
c65a4de2d471bbf0a6d7b2e024ba06200028c70e

SHA256
2d5e628b53fa6333f48c97b65f20dbac3af661e52b3d1cc071b6f0b0c5bd2b84

SHA512
724565be26f1bdd9bbf10dc7531015dab0e2540d71c2f688c1a29ab45c83e7d9a21b64c60d8997203ae1000a85ee26a252855591775f0270306bc54fc154b7ea

Download Submit
C:\Users\Admin\Downloads\WareStore.2.0.1.exe:Zone.Identifier

Filesize
620B

MD5
5f896822943477a0474e6a6dd8c3b705

SHA1
3607ced3782c74755de2d1e31081abaa91195636

SHA256
1bafe0abf309f18ffbc0ffd38eeafb5ec5a7d5b393311cf7eac07fb13dab6cc9

SHA512
65e7642da80449ad197db5f8900c5f965da43b1f42f1dda82a4ab9e35b4367039b2883ec49ad03c375fa248aa0c3033c027c2a05fb0d252757a52dcce316b03e

Download Submit
C:\Users\Admin\Downloads\WareStore.fZfz35q7.2.0.1.exe.part

Filesize
17.6MB

MD5
727f1707ca5287b88b5b70d6bbd1eb6b

SHA1
27875c9bceebbdb16d0ad04cdec0fa216cf13f5a

SHA256
534c4826cc04c395bf55f9f60ba973f49c54ad8a5acd180ad8837a5461ce35c3

SHA512
c545c686730a0976007783e49ff7c539f152da470f27ec620b2f34381ff153d3ba95a00ac6e9662c657f12eeacd551a7e6113e2993e576091f8d3845356f31e5

Download Submit
C:\Users\Admin\Downloads\grRGzMpV.nigsnqHl.rar.part

Filesize
17.1MB

MD5
d86ec8888788384c4319c26b2ba8d301

SHA1
6be837451613f109440ef0db83192e6d52baf4dc

SHA256
8707feabd860b6ddc92ae6d802f195beecb09b66631ce870273c403979897584

SHA512
110503b4053dd81dbaf17ef3ff061c5ca6dcdbcebfc70ba3fb62cac714a419d7815d6778c8de9a215a0bb1e3bfb1a149815e4bbee4800e2fe246b8043063017c

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5932_1754431781\LICENSE

Filesize
473B

MD5
f6719687bed7403612eaed0b191eb4a9

SHA1
dd03919750e45507743bd089a659e8efcefa7af1

SHA256
afb514e4269594234b32c873ba2cd3cc8892e836861137b531a40a1232820c59

SHA512
dd14a7eae05d90f35a055a5098d09cd2233d784f6ac228b5927925241689bff828e573b7a90a5196bfdd7aaeecf00f5c94486ad9e3910cfb07475fcfbb7f0d56

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5932_1754431781\manifest.json

Filesize
1001B

MD5
2ff237adbc218a4934a8b361bcd3428e

SHA1
efad279269d9372dcf9c65b8527792e2e9e6ca7d

SHA256
25a702dd5389cc7b077c6b4e06c1fad9bdea74a9c37453388986d093c277d827

SHA512
bafd91699019ab756adf13633b825d9d9bae374ca146e8c05abc70c931d491d421268a6e6549a8d284782898bc6eb99e3017fbe3a98e09cd3dfecad19f95e542

Download Submit
memory/1108-15767-0x00000242A0A30000-0x00000242A0ADF000-memory.dmp

Filesize
700KB

Download
memory/1108-15766-0x00000242A0540000-0x00000242A062A000-memory.dmp

Filesize
936KB

Download
memory/1664-1055-0x00007FFCA2920000-0x00007FFCA2949000-memory.dmp

Filesize
164KB

Download
memory/1664-1064-0x00007FFCA2920000-0x00007FFCA2949000-memory.dmp

Filesize
164KB

Download
memory/5932-15758-0x000001D5B6C20000-0x000001D5B6CCF000-memory.dmp

Filesize
700KB

Download
memory/6064-15609-0x0000000000F20000-0x00000000013D2000-memory.dmp

Filesize
4.7MB

Download
memory/6184-17117-0x00007FFC8E3D0000-0x00007FFC8E3F9000-memory.dmp

Filesize
164KB

Download
memory/6316-15656-0x00007FFCB0BB0000-0x00007FFCB0BB1000-memory.dmp

Filesize
4KB

Download
memory/6316-15765-0x0000017099340000-0x000001709942A000-memory.dmp

Filesize
936KB

Download
memory/6316-15657-0x00007FFCB2240000-0x00007FFCB2241000-memory.dmp

Filesize
4KB

Download
memory/6676-17109-0x000000006E8F0000-0x000000006FC31000-memory.dmp

Filesize
19.3MB

Download
memory/6676-16095-0x000000006E8F0000-0x000000006FC31000-memory.dmp

Filesize
19.3MB

Download
memory/6676-16028-0x000000006E8F0000-0x000000006FC31000-memory.dmp

Filesize
19.3MB

Download
memory/6676-15812-0x000000006E8F0000-0x000000006FC31000-memory.dmp

Filesize
19.3MB

Download
memory/6676-15770-0x000000006E8F0000-0x000000006FC31000-memory.dmp

Filesize
19.3MB

Download
memory/6676-15757-0x000000006E8F0000-0x000000006FC31000-memory.dmp

Filesize
19.3MB

Download
memory/6676-17223-0x000000006E8F0000-0x000000006FC31000-memory.dmp

Filesize
19.3MB

Download
memory/6676-17118-0x000000006E8F0000-0x000000006FC31000-memory.dmp

Filesize
19.3MB

Download
memory/6676-17152-0x000000006E8F0000-0x000000006FC31000-memory.dmp

Filesize
19.3MB

Download
memory/6992-17201-0x0000022FA7C60000-0x0000022FA7D4A000-memory.dmp

Filesize
936KB

Download