14224256268d10452893cae5d330262b6dd8f854e7f2e8bfbc2d050eb0d0f80f

Analysis

max time kernel
726s
max time network
729s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
10-01-2025 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SteamtoolsSetup.exe
Size

2.7MB
MD5

5321690369d17547a978cd28f45f5ea6
SHA1

173b7be12e9ef3af91e2a7cbfe63a313134c9e32
SHA256

14224256268d10452893cae5d330262b6dd8f854e7f2e8bfbc2d050eb0d0f80f
SHA512

4f2aa0801d685195570c62ce19335465e85d19f04335fe56945207482893d1181c04bbfe18230bf0a490f8f5cf2998bee7f2c1c17146126555dd780d2dd085b4
SSDEEP

49152:RKQJrfc1y4pY+CvSs0AhuEySsxsiMRPPRRw69XmYya:xwvEyVsiMRPPRRw69XmYya

Score

8^/10

steam defense_evasion discovery persistence phishing

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 24 IoCs

pid	Process
1576	SteamSetup.exe
344	steamservice.exe
4072	steam.exe
4932	steam.exe
1192	steamwebhelper.exe
4260	steamwebhelper.exe
4108	steamwebhelper.exe
2540	steamwebhelper.exe
1144	gldriverquery64.exe
1612	steamwebhelper.exe
1048	steamwebhelper.exe
2084	gldriverquery.exe
2372	vulkandriverquery64.exe
4200	vulkandriverquery.exe
2844	steamwebhelper.exe
1876	steamwebhelper.exe
4976	steamwebhelper.exe
4756	steamwebhelper.exe
1088	steamwebhelper.exe
2348	winrar-x64-701.exe
664	winrar-x64-701.exe
404	winrar-x64-701.exe
3036	winrar-x64-701.exe
5932	SteamSetup.exe

Loads dropped DLL 64 IoCs

pid	Process
1576	SteamSetup.exe
1576	SteamSetup.exe
1576	SteamSetup.exe
1576	SteamSetup.exe
1576	SteamSetup.exe
1576	SteamSetup.exe
1576	SteamSetup.exe
1576	SteamSetup.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
4260	steamwebhelper.exe
4260	steamwebhelper.exe
4260	steamwebhelper.exe
4932	steam.exe
4932	steam.exe
4108	steamwebhelper.exe
4108	steamwebhelper.exe
4108	steamwebhelper.exe
4108	steamwebhelper.exe
4108	steamwebhelper.exe
4108	steamwebhelper.exe
4108	steamwebhelper.exe
4108	steamwebhelper.exe
4108	steamwebhelper.exe
2540	steamwebhelper.exe
2540	steamwebhelper.exe
2540	steamwebhelper.exe
4932	steam.exe
1612	steamwebhelper.exe
1612	steamwebhelper.exe
1612	steamwebhelper.exe
1048	steamwebhelper.exe
1048	steamwebhelper.exe
1048	steamwebhelper.exe
1048	steamwebhelper.exe
2844	steamwebhelper.exe
2844	steamwebhelper.exe
2844	steamwebhelper.exe
4932	steam.exe
1876	steamwebhelper.exe
1876	steamwebhelper.exe
1876	steamwebhelper.exe
1876	steamwebhelper.exe
4976	steamwebhelper.exe
4976	steamwebhelper.exe
4976	steamwebhelper.exe
4976	steamwebhelper.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"	SteamSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	SearchIndexer.exe
File opened (read-only)	\??\O:	SearchIndexer.exe
File opened (read-only)	\??\P:	SearchIndexer.exe
File opened (read-only)	\??\u:	SearchIndexer.exe
File opened (read-only)	\??\a:	SearchIndexer.exe
File opened (read-only)	\??\B:	SearchIndexer.exe
File opened (read-only)	\??\g:	SearchIndexer.exe
File opened (read-only)	\??\k:	SearchIndexer.exe
File opened (read-only)	\??\X:	SearchIndexer.exe
File opened (read-only)	\??\Z:	SearchIndexer.exe
File opened (read-only)	\??\z:	SearchIndexer.exe
File opened (read-only)	\??\G:	SearchIndexer.exe
File opened (read-only)	\??\q:	SearchIndexer.exe
File opened (read-only)	\??\R:	SearchIndexer.exe
File opened (read-only)	\??\W:	SearchIndexer.exe
File opened (read-only)	\??\T:	SearchIndexer.exe
File opened (read-only)	\??\v:	SearchIndexer.exe
File opened (read-only)	\??\e:	SearchIndexer.exe
File opened (read-only)	\??\m:	SearchIndexer.exe
File opened (read-only)	\??\N:	SearchIndexer.exe
File opened (read-only)	\??\S:	SearchIndexer.exe
File opened (read-only)	\??\p:	SearchIndexer.exe
File opened (read-only)	\??\y:	SearchIndexer.exe
File opened (read-only)	\??\i:	SearchIndexer.exe
File opened (read-only)	\??\j:	SearchIndexer.exe
File opened (read-only)	\??\K:	SearchIndexer.exe
File opened (read-only)	\??\o:	SearchIndexer.exe
File opened (read-only)	\??\Y:	SearchIndexer.exe
File opened (read-only)	\??\h:	SearchIndexer.exe
File opened (read-only)	\??\J:	SearchIndexer.exe
File opened (read-only)	\??\n:	SearchIndexer.exe
File opened (read-only)	\??\x:	SearchIndexer.exe
File opened (read-only)	\??\t:	SearchIndexer.exe
File opened (read-only)	\??\l:	SearchIndexer.exe
File opened (read-only)	\??\L:	SearchIndexer.exe
File opened (read-only)	\??\Q:	SearchIndexer.exe
File opened (read-only)	\??\r:	SearchIndexer.exe
File opened (read-only)	\??\A:	SearchIndexer.exe
File opened (read-only)	\??\b:	SearchIndexer.exe
File opened (read-only)	\??\F:	SearchIndexer.exe
File opened (read-only)	\??\H:	SearchIndexer.exe
File opened (read-only)	\??\s:	SearchIndexer.exe
File opened (read-only)	\??\U:	SearchIndexer.exe
File opened (read-only)	\??\w:	SearchIndexer.exe
File opened (read-only)	\??\D:	SearchIndexer.exe
File opened (read-only)	\??\E:	SearchIndexer.exe
File opened (read-only)	\??\I:	SearchIndexer.exe
File opened (read-only)	\??\V:	SearchIndexer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
189	discord.com
198	discord.com

Detected potential entity reuse from brand STEAM.
phishing steam

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\switchpro_lstick_right.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps_rb_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\joyconpair_left_sl_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\switchpro_lstick_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_060_vehicle_0150.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\hp_l4.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_color_button_a_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps5_trackpad_r_right.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\DialogCheckForUpdates.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\Receipt_PayPal_Success.res_	steam.exe
File created	C:\Program Files (x86)\Steam\appcache\librarycache\223350_icon.jpg	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_010_wpn_0409.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\switchpro_rstick_left_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps4_trackpad_ring.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\steambootstrapper_schinese.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\xbox_button_share.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\cef\cef.win7\locales\sk.pak_	steam.exe
File created	C:\Program Files (x86)\Steam\appcache\librarycache\294420_header.jpg	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\localization\steamui_swedish-json.js_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\icon_button_back_over_sm.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_dpad_right.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_045_move_0415.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sd_l4_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\friends\newturnsnotification.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_l2_soft_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sc_dpad_click_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\gift_wizard_heart.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sd_ltrackpad_swipe_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps_button_x_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_045_move_0050.png_	steam.exe
File opened for modification	C:\Program Files (x86)\Steam\userdata\1856190775\config\localconfig.vdf.async4932.tmp	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_color_button_a_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps4_trackpad_l_down_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_trackpad_ring_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sd_rtrackpad_swipe_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\switchpro_lstick_down_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_lstick_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\xbox_button_select_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\layout\gamespage_details_subheaderright.layout_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\libswresample-5.dll_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_110_social_0090.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_010_wpn_0406.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\friends\icon_speaker.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_trackpad_down_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sc_lt_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_110_social_0130.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\broadcast\broadcast_live_grey.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps4_trackpad_r_touch_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps5_trackpad_l_left_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\switchpro_dpad.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\friends\InviteFriendResultSubPanel.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\cef\cef.win7x64\locales\mr.pak_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_045_move_0090.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\minithrobber02.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_buttons_s_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_rstick_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_040_act_0110.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\btnStdTop.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps5_trackpad_l_up_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\localization\steampops_spanish-json.js_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_button_create_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\appcache\librarycache\22150_library_600x900.jpg	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_010_wpn_0451.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_040_act_0339.png_	steam.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1192_899263176\_platform_specific\win_x64\widevinecdm.dll	steamwebhelper.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1192_899263176\LICENSE	steamwebhelper.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1192_899263176\manifest.json	steamwebhelper.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1192_899263176\_metadata\verified_contents.json	steamwebhelper.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1192_899263176\manifest.fingerprint	steamwebhelper.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	steamwebhelper.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1192_899263176\_platform_specific\win_x64\widevinecdm.dll.sig	steamwebhelper.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gldriverquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vulkandriverquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SteamSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SteamSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamservice.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steamwebhelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steamwebhelper.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005a17f59a8163db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MTS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MTS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000008da708e8163db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000057f3468f8163db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d93346908163db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c73a61908163db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bb72309b8163db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2T	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\steam\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\steam\ = "URL:steam protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\steam	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\URL Protocol	steam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\ = "URL:steam protocol"	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\steamlink\DefaultIcon\ = "steam.exe"	steam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steam.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\DefaultIcon	steam.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\steamlink	steam.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\steamlink\DefaultIcon	steam.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\steam\DefaultIcon	steam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\DefaultIcon\ = "steam.exe"	steam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\URL Protocol	steam.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\steamlink\DefaultIcon	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\Shell\Open\Command	steam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\steamlink\URL Protocol	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\steam\DefaultIcon	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\steam\URL Protocol	steam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\steam\DefaultIcon\ = "steam.exe"	steam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\URL Protocol	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\URL Protocol	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\steam\URL Protocol	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\steamlink\Shell\Open\Command	steam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steam.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\Shell\Open\Command	steam.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4248760313-3670024077-2384670640-1000\{F7369804-70F2-4AE5-86DE-76B60A6F2C6B}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\steamlink\Shell	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\steamlink\Shell\Open	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\steam	steam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\steamlink\ = "URL:steamlink protocol"	steam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\steamlink\URL Protocol	steam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\ = "URL:steamlink protocol"	steam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink	steam.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\DefaultIcon	steam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\steamlink	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\DefaultIcon	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\steam\Shell\Open\Command	steam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\ = "URL:steam protocol"	steam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open	steamservice.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Wallpaper Engine (Online).rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 468453.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 773875.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3532	chrome.exe
3532	chrome.exe
1160	msedge.exe
1160	msedge.exe
3088	msedge.exe
3088	msedge.exe
3788	identity_helper.exe
3788	identity_helper.exe
3408	msedge.exe
3408	msedge.exe
1632	msedge.exe
1632	msedge.exe
1576	SteamSetup.exe
1576	SteamSetup.exe
1576	SteamSetup.exe
1576	SteamSetup.exe
1576	SteamSetup.exe
1576	SteamSetup.exe
1576	SteamSetup.exe
1576	SteamSetup.exe
1576	SteamSetup.exe
1576	SteamSetup.exe
1576	SteamSetup.exe
1576	SteamSetup.exe
1576	SteamSetup.exe
1576	SteamSetup.exe
1576	SteamSetup.exe
1576	SteamSetup.exe
1576	SteamSetup.exe
1576	SteamSetup.exe
1576	SteamSetup.exe
1576	SteamSetup.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4932	steam.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 45 IoCs

pid	Process
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeSecurityPrivilege	344	steamservice.exe
Token: SeSecurityPrivilege	344	steamservice.exe
Token: SeShutdownPrivilege	1192	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	1192	steamwebhelper.exe
Token: SeShutdownPrivilege	1192	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	1192	steamwebhelper.exe
Token: SeShutdownPrivilege	1192	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	1192	steamwebhelper.exe
Token: SeShutdownPrivilege	1192	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	1192	steamwebhelper.exe
Token: SeShutdownPrivilege	1192	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	1192	steamwebhelper.exe
Token: SeShutdownPrivilege	1192	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	1192	steamwebhelper.exe
Token: SeShutdownPrivilege	1192	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	1192	steamwebhelper.exe
Token: SeShutdownPrivilege	1192	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	1192	steamwebhelper.exe
Token: SeShutdownPrivilege	1192	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	1192	steamwebhelper.exe
Token: SeShutdownPrivilege	1192	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	1192	steamwebhelper.exe
Token: SeShutdownPrivilege	1192	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	1192	steamwebhelper.exe
Token: SeShutdownPrivilege	1192	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	1192	steamwebhelper.exe
Token: SeShutdownPrivilege	1192	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	1192	steamwebhelper.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
4932	steam.exe
4932	steam.exe
4932	steam.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe
1192	steamwebhelper.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
1576	SteamSetup.exe
344	steamservice.exe
4932	steam.exe
5176	OpenWith.exe
5232	OpenWith.exe
5232	OpenWith.exe
5232	OpenWith.exe
2348	winrar-x64-701.exe
2348	winrar-x64-701.exe
2348	winrar-x64-701.exe
664	winrar-x64-701.exe
664	winrar-x64-701.exe
664	winrar-x64-701.exe
404	winrar-x64-701.exe
404	winrar-x64-701.exe
404	winrar-x64-701.exe
3036	winrar-x64-701.exe
3036	winrar-x64-701.exe
3036	winrar-x64-701.exe
5932	SteamSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 2512	3532	chrome.exe	81
PID 3532 wrote to memory of 2512	3532	chrome.exe	81
PID 3532 wrote to memory of 4792	3532	chrome.exe	82
PID 3532 wrote to memory of 4792	3532	chrome.exe	82
PID 3532 wrote to memory of 4792	3532	chrome.exe	82
PID 3532 wrote to memory of 4792	3532	chrome.exe	82
PID 3532 wrote to memory of 4792	3532	chrome.exe	82
PID 3532 wrote to memory of 4792	3532	chrome.exe	82
PID 3532 wrote to memory of 4792	3532	chrome.exe	82
PID 3532 wrote to memory of 4792	3532	chrome.exe	82
PID 3532 wrote to memory of 4792	3532	chrome.exe	82
PID 3532 wrote to memory of 4792	3532	chrome.exe	82
PID 3532 wrote to memory of 4792	3532	chrome.exe	82
PID 3532 wrote to memory of 4792	3532	chrome.exe	82
PID 3532 wrote to memory of 4792	3532	chrome.exe	82
PID 3532 wrote to memory of 4792	3532	chrome.exe	82
PID 3532 wrote to memory of 4792	3532	chrome.exe	82
PID 3532 wrote to memory of 4792	3532	chrome.exe	82
PID 3532 wrote to memory of 4792	3532	chrome.exe	82
PID 3532 wrote to memory of 4792	3532	chrome.exe	82
PID 3532 wrote to memory of 4792	3532	chrome.exe	82
PID 3532 wrote to memory of 4792	3532	chrome.exe	82
PID 3532 wrote to memory of 4792	3532	chrome.exe	82
PID 3532 wrote to memory of 4792	3532	chrome.exe	82
PID 3532 wrote to memory of 4792	3532	chrome.exe	82
PID 3532 wrote to memory of 4792	3532	chrome.exe	82
PID 3532 wrote to memory of 4792	3532	chrome.exe	82
PID 3532 wrote to memory of 4792	3532	chrome.exe	82
PID 3532 wrote to memory of 4792	3532	chrome.exe	82
PID 3532 wrote to memory of 4792	3532	chrome.exe	82
PID 3532 wrote to memory of 4792	3532	chrome.exe	82
PID 3532 wrote to memory of 4792	3532	chrome.exe	82
PID 3532 wrote to memory of 3576	3532	chrome.exe	83
PID 3532 wrote to memory of 3576	3532	chrome.exe	83
PID 3532 wrote to memory of 548	3532	chrome.exe	84
PID 3532 wrote to memory of 548	3532	chrome.exe	84
PID 3532 wrote to memory of 548	3532	chrome.exe	84
PID 3532 wrote to memory of 548	3532	chrome.exe	84
PID 3532 wrote to memory of 548	3532	chrome.exe	84
PID 3532 wrote to memory of 548	3532	chrome.exe	84
PID 3532 wrote to memory of 548	3532	chrome.exe	84
PID 3532 wrote to memory of 548	3532	chrome.exe	84
PID 3532 wrote to memory of 548	3532	chrome.exe	84
PID 3532 wrote to memory of 548	3532	chrome.exe	84
PID 3532 wrote to memory of 548	3532	chrome.exe	84
PID 3532 wrote to memory of 548	3532	chrome.exe	84
PID 3532 wrote to memory of 548	3532	chrome.exe	84
PID 3532 wrote to memory of 548	3532	chrome.exe	84
PID 3532 wrote to memory of 548	3532	chrome.exe	84
PID 3532 wrote to memory of 548	3532	chrome.exe	84
PID 3532 wrote to memory of 548	3532	chrome.exe	84
PID 3532 wrote to memory of 548	3532	chrome.exe	84
PID 3532 wrote to memory of 548	3532	chrome.exe	84
PID 3532 wrote to memory of 548	3532	chrome.exe	84
PID 3532 wrote to memory of 548	3532	chrome.exe	84
PID 3532 wrote to memory of 548	3532	chrome.exe	84
PID 3532 wrote to memory of 548	3532	chrome.exe	84
PID 3532 wrote to memory of 548	3532	chrome.exe	84
PID 3532 wrote to memory of 548	3532	chrome.exe	84
PID 3532 wrote to memory of 548	3532	chrome.exe	84
PID 3532 wrote to memory of 548	3532	chrome.exe	84
PID 3532 wrote to memory of 548	3532	chrome.exe	84
PID 3532 wrote to memory of 548	3532	chrome.exe	84
PID 3532 wrote to memory of 548	3532	chrome.exe	84

C:\Users\Admin\AppData\Local\Temp\SteamtoolsSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SteamtoolsSetup.exe"
1⤵
PID:4156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd65e6cc40,0x7ffd65e6cc4c,0x7ffd65e6cc58
  2⤵
  PID:2512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1788,i,2955827220484161592,6392738980589810696,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1692 /prefetch:2
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2112,i,2955827220484161592,6392738980589810696,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,2955827220484161592,6392738980589810696,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2212 /prefetch:8
  2⤵
  PID:548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,2955827220484161592,6392738980589810696,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:2584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,2955827220484161592,6392738980589810696,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4444,i,2955827220484161592,6392738980589810696,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4468 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4716,i,2955827220484161592,6392738980589810696,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4712 /prefetch:8
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4772,i,2955827220484161592,6392738980589810696,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4740,i,2955827220484161592,6392738980589810696,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  PID:584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5080,i,2955827220484161592,6392738980589810696,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4712,i,2955827220484161592,6392738980589810696,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  PID:3324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5072,i,2955827220484161592,6392738980589810696,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:1132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5464,i,2955827220484161592,6392738980589810696,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5364 /prefetch:2
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4308,i,2955827220484161592,6392738980589810696,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:4448

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd60863cb8,0x7ffd60863cc8,0x7ffd60863cd8
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,13297826978525316044,2817934776049463131,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1968 /prefetch:2
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,13297826978525316044,2817934776049463131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,13297826978525316044,2817934776049463131,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8
  2⤵
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13297826978525316044,2817934776049463131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13297826978525316044,2817934776049463131,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13297826978525316044,2817934776049463131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13297826978525316044,2817934776049463131,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,13297826978525316044,2817934776049463131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13297826978525316044,2817934776049463131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1944,13297826978525316044,2817934776049463131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13297826978525316044,2817934776049463131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13297826978525316044,2817934776049463131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1940 /prefetch:1
  2⤵
  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13297826978525316044,2817934776049463131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
  2⤵
  PID:1168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13297826978525316044,2817934776049463131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13297826978525316044,2817934776049463131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13297826978525316044,2817934776049463131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1944,13297826978525316044,2817934776049463131,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4796 /prefetch:8
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1944,13297826978525316044,2817934776049463131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6124 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1632
- C:\Users\Admin\Downloads\SteamSetup.exe
  "C:\Users\Admin\Downloads\SteamSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1576
- - C:\Program Files (x86)\Steam\bin\steamservice.exe
    "C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13297826978525316044,2817934776049463131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13297826978525316044,2817934776049463131,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13297826978525316044,2817934776049463131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13297826978525316044,2817934776049463131,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
  2⤵
  PID:2352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3688

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:4072
- C:\Program Files (x86)\Steam\steam.exe
  "C:\Program Files (x86)\Steam\steam.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4932
- - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
    "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=4932" "-buildid=1733265492" "-steamid=0" "-logdir=C:\Program Files (x86)\Steam\logs" "-uimode=7" "-startcount=0" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Program Files (x86)\Steam\clientui" "-steampath=C:\Program Files (x86)\Steam\steam.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write "--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt" --disable-quick-menu "--enable-features=PlatformHEVCDecoderSupport" "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal,ValveFFmpegAllowLowDelayHEVC"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1192
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=crashpad-handler /prefetch:4 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files (x86)\Steam\dumps" "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1733265492 --initial-client-data=0x298,0x29c,0x2a0,0x294,0x2a4,0x7ffd6589af00,0x7ffd6589af0c,0x7ffd6589af18
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4260
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1580,i,12167468785826322557,1844052598067348149,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=1564 --mojo-platform-channel-handle=1572 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4108
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --field-trial-handle=2148,i,12167468785826322557,1844052598067348149,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=2152 --mojo-platform-channel-handle=2144 /prefetch:11
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2540
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --field-trial-handle=2820,i,12167468785826322557,1844052598067348149,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=2824 --mojo-platform-channel-handle=2816 /prefetch:13
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1612
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,12167468785826322557,1844052598067348149,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=3096 --mojo-platform-channel-handle=3088 /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1048
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --field-trial-handle=3680,i,12167468785826322557,1844052598067348149,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=3684 --mojo-platform-channel-handle=3676 /prefetch:14
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2844
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3812,i,12167468785826322557,1844052598067348149,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=3708 --mojo-platform-channel-handle=3824 /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1876
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4048,i,12167468785826322557,1844052598067348149,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=4052 --mojo-platform-channel-handle=4044 /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4976
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4292,i,12167468785826322557,1844052598067348149,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=4248 --mojo-platform-channel-handle=4408 /prefetch:1
      4⤵
      Executes dropped EXE
      PID:4756
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3984,i,12167468785826322557,1844052598067348149,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=3500 --mojo-platform-channel-handle=4020 /prefetch:10
      4⤵
      Executes dropped EXE
      PID:1088
- - C:\Program Files (x86)\Steam\bin\gldriverquery64.exe
    .\bin\gldriverquery64.exe
    3⤵
    - Executes dropped EXE
    PID:1144
- - C:\Program Files (x86)\Steam\bin\gldriverquery.exe
    .\bin\gldriverquery.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2084
- - C:\Program Files (x86)\Steam\bin\vulkandriverquery64.exe
    .\bin\vulkandriverquery64.exe
    3⤵
    - Executes dropped EXE
    PID:2372
- - C:\Program Files (x86)\Steam\bin\vulkandriverquery.exe
    .\bin\vulkandriverquery.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4200

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004E0
1⤵
PID:920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd60863cb8,0x7ffd60863cc8,0x7ffd60863cd8
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:1424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:1132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 /prefetch:8
  2⤵
  PID:1884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2704 /prefetch:1
  2⤵
  PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:8
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  - Modifies registry class
  PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
  2⤵
  PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:5944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
  2⤵
  PID:6104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6504 /prefetch:8
  2⤵
  - NTFS ADS
  PID:6124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1740 /prefetch:1
  2⤵
  PID:5404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:5708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:5732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6936 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7124 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  PID:5500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5932 /prefetch:2
  2⤵
  PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6948 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1540
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7360 /prefetch:1
  2⤵
  PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7332 /prefetch:1
  2⤵
  PID:3932
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11354833066180827783,9903055509653201271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:2156
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:404
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:664

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Enumerates connected drives
PID:6004
- C:\Windows\System32\SearchProtocolHost.exe
  "C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5156
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 828 2276 2296 812 {0E5DCEC5-7795-4E38-9621-94DFD9F9A421}
  2⤵
  - Modifies data under HKEY_USERS
  PID:5904
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 828 2204 636 812 {85EE815A-7738-4808-A14A-3AD87E32A3BF}
  2⤵
  - Modifies data under HKEY_USERS
  PID:3540

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5176

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5232

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4072

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\6c4456a4f21b4c4895ec10d66d8921a9 /t 5924 /p 2348
1⤵
PID:952

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\b31ed03170674830b7fb881c8746f041 /t 3180 /p 664
1⤵
PID:5520

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\dc2b03336556427b8595551d074e5093 /t 1416 /p 404
1⤵
PID:6072

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\faf064b8b3d04bb9aaf17ce0051b6f7f /t 3408 /p 3036
1⤵
PID:5388

C:\Users\Admin\Downloads\SteamSetup.exe
"C:\Users\Admin\Downloads\SteamSetup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Steam\Steam.exe

Filesize
4.2MB

MD5
33bcb1c8975a4063a134a72803e0ca16

SHA1
ed7a4e6e66511bb8b3e32cbfb5557ebcb4082b65

SHA256
12222b0908eb69581985f7e04aa6240e928fb08aa5a3ec36acae3440633c9eb1

SHA512
13f3a7d6215bb4837ea0a1a9c5ba06a985e0c80979c25cfb526a390d71a15d1737c0290a899f4705c2749982c9f6c9007c1751fef1a97b12db529b2f33c97b49

Download Submit
C:\Program Files (x86)\Steam\appcache\librarycache\1161040_icon.jpg

Filesize
638B

MD5
7ecdaf8a54ec52b20640a88527512903

SHA1
3133a4d748ad3be61fe9db759339cd5de73339b5

SHA256
7bd8b75aec0a4d4a377f3ca3a023fd8b7c5fc7dc6a2a66d17f8cdfe5b731ab0c

SHA512
60ae2031eed0c38264f0d8db22a9b6efeb3f80c791e916e15a1730853162d56e0da014dbd93a5479bae4f3bdd5705ca89be70c90574a524abd1c276ed5c55a2d

Download Submit
C:\Program Files (x86)\Steam\bin\SteamService.exe

Filesize
2.5MB

MD5
ba0ea9249da4ab8f62432617489ae5a6

SHA1
d8873c5dcb6e128c39cf0c423b502821343659a7

SHA256
ce177dc8cf42513ff819c7b8597c7be290f9e98632a34ecd868dc76003421f0d

SHA512
52958d55b03e1ddc69afc2f1a02f7813199e4b3bf114514c438ab4d10d5ca83b865ba6090550951c0a43b666c6728304009572212444a27a3f5184663f4b0b8b

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
1KB

MD5
6e6a2b18264504cc084caa3ad0bfc6ae

SHA1
b177d719bd3c1bc547d5c97937a584b8b7d57196

SHA256
f3847b5e4a40d9cf76df35398bb555117dfe3626c00a91f2babdedb619d6ad53

SHA512
74199ff275400b451642cde0a13b56709735676959d65da11ac76dd645ab11dac5de048ff7ede0cb8adb3a3056b3ecbeb3dc7481bac3768d02051e564c74b679

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
12KB

MD5
71454285d100d9d34e5080f602b28746

SHA1
55811dafe79e316e013ad41297aa8c06a71fe375

SHA256
e2848f6ee5572064e346ccc3859c21e9c3a59d79ee407ea03576edfb82b3d903

SHA512
76a8d46f851d9807368f370d6fb5ce8f17ed0125cf8fc8138907a388714f6247c33e8fefef9646df02952409494f7b6d58191e0b7f299edb1e4b4cfc4bcbb97f

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
13KB

MD5
30606da90089d204479f0e8a4545fa6d

SHA1
bff5f7be5be545dfaa9e70efa8519e43db479e77

SHA256
ba90fff4975fe05d5af0a54a66b8f36585747da1515ebaf58e871f41b22f982a

SHA512
a6364a56aabf48af5438493ede36b04845e87405c8954fa3ebf3c4f7a2165fa47dae1d7287e90b18fa53dafb74e80ae8f48e69d7bf0739bf53fde60b9bd3069a

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
1KB

MD5
a2ec2e91c3ef8c42e22c4887d032b333

SHA1
e2c738a2e9400535b74e2263c7e7d1ecefe575f2

SHA256
8f9f970835f133258a7f740126012439385bbaa5a1d6a9d0d967a390977441c3

SHA512
b069d241efb19e09ec8b5e60ef6c43e00d5cc0f774b9340127c2180356dd1964ac625c1afdfaee5f99e72b26f56046fc329aadbbc365b403af765a55e9c9aab3

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf~RFe5ac322.TMP

Filesize
184B

MD5
3cdebc58a05cdd75f14e64fb0d971370

SHA1
edf2d4a8a5fc017e29bf9fb218db7dd8b2be84fe

SHA256
661f122934bbc692266940a1fe2e5e51d4d460efb29d75695b8d5241c6e11da7

SHA512
289c40fae5ec1d3dd8b5b00dd93cf9cada2cb5c12bcfefea8c862ddf0a16dced15d6814dad771af9103b3a5d3016d301ee40058edde3fdea30d9767146d11cd6

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_

Filesize
15KB

MD5
577b7286c7b05cecde9bea0a0d39740e

SHA1
144d97afe83738177a2dbe43994f14ec11e44b53

SHA256
983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824

SHA512
8cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_news_mousedown.tga_

Filesize
20KB

MD5
00bf35778a90f9dfa68ce0d1a032d9b5

SHA1
de6a3d102de9a186e1585be14b49390dcb9605d6

SHA256
cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2

SHA512
342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041

Download Submit
C:\Program Files (x86)\Steam\package\tmp\resource\filter_clean_bulgarian.txt.gz_

Filesize
23B

MD5
836dd6b25a8902af48cd52738b675e4b

SHA1
449347c06a872bedf311046bca8d316bfba3830b

SHA256
6feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64

SHA512
6ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_brazilian.txt

Filesize
4KB

MD5
0340d1a0bbdb8f3017d2326f4e351e0a

SHA1
90d078e9f732794db5b0ffeb781a1f2ed2966139

SHA256
0fcd7ae491b467858f2a8745c5ecdd55451399778c2119517ee686d1f264b544

SHA512
9d23e020875ed35825169a6542512ec2ffdb349472a12eb1e59ddc635e57c8fd65fa919873821e35c755aa7d027c9a62d3d0fa617340449d7b2c4cf8dd707e93

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_bulgarian.txt

Filesize
6KB

MD5
4c81277a127e3d65fb5065f518ffe9c2

SHA1
253264b9b56e5bac0714d5be6cade09ae74c2a3a

SHA256
76a6bd74194efd819d33802decdfddaae893069d7000e44944dda05022cfa6d9

SHA512
be077b61f3b6d56a1f4d24957deaf18d2dff699bda6569604aac4f1edb57c3cfd0abc5e2a67809f72e31a90b4aed0813536c153886da2099376964c60e56001a

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_czech.txt

Filesize
4KB

MD5
2158881817b9163bf0fd4724d549aed4

SHA1
c500f2e8f47a11129114ee4f19524aee8fecc502

SHA256
650a265dffdc5dc50200bb82d56f416a3a423eecc08c962cfd1ba2d40a1ff3f7

SHA512
f3594aad9d6c50254f690c903f078a5b7a58c33bd418abdad711ebb74cfbdb5564679593e08fb2d4378faaf4160d45e3d276ba1aa8a174ed77a5791bcac46f28

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_danish.txt

Filesize
4KB

MD5
03b664bd98485425c21cdf83bc358703

SHA1
0a31dcfeb1957e0b00b87c2305400d004a9a5bdb

SHA256
fdf7b42b3b027a12e1b79cb10ab9e6e34c668b04eb9e8a907d8611ba46473115

SHA512
4a8cdd4b98432ba9d9b36bc64aab9a2eab31a074d1cbdfab3d35a14216c60752b5580c41bbb70104993420043685d3bd47eb6637b8fcbb3f42f76a15e4be041d

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_dutch.txt

Filesize
4KB

MD5
31a29061e51e245f74bb26d103c666ad

SHA1
271e26240db3ba0dcffc10866ccfcfa1c33cf1cc

SHA256
56c8a86fa95eab0d8f34f498e079b5516b96d2a2f1ad9c2a888555e50e47f192

SHA512
f85865c1e9ab45e5586d3dd2b45d15265193e8a3c34b6bb1ac7e415a1ea878cfb044e8e01012e917e4f00bb9e0a422f56253f328df1bac99a145e19433354cf8

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_english.txt

Filesize
4KB

MD5
da6cd2483ad8a21e8356e63d036df55b

SHA1
0e808a400facec559e6fbab960a7bdfaab4c6b04

SHA256
ebececd3f691ac20e5b73e5c81861a01531203df3cf2baa9e1b6d004733a42a6

SHA512
06145861eb4803c9813a88cd715769a4baa0bab0e87b28f59aa242d4369817789f4c85114e8d0ceb502e080ec3ec03400385924ec7537e7b04f724ba7f17b925

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_finnish.txt

Filesize
4KB

MD5
9e62fc923c65bfc3f40aaf6ec4fd1010

SHA1
8f76faff18bd64696683c2a7a04d16aac1ef7e61

SHA256
8ff0f3cbdf28102ff037b9cda90590e4b66e1e654b90f9aea2cd5364494d02b7

SHA512
c8ff15373b37e848e6239a82424569e77c82a5fc557d17e7d2ed1d0d2b2f7d026cc1e2bc98cb5ee945c02cfefb82803c23fa6a26f48ff0adcf762f94cd5dd035

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_french.txt

Filesize
4KB

MD5
10c429eb58b4274af6b6ef08f376d46c

SHA1
af1e049ddb9f875c609b0f9a38651fc1867b50d3

SHA256
a1f6ba57ee41e009d904905c0ce5e75a59ee6790e08542561303109e1faafa13

SHA512
d8760f61760bffd8671b727d386ae220e7e6e68829a01553cfd5eb60ef8bd1d7c1b25e7b17a6db5bd17ba6712ef44999726764459318e784843c73bc4facaf46

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_german.txt

Filesize
4KB

MD5
5c026fd6072a7c5cf31c75818cddedec

SHA1
341aa1df1d034e6f0a7dff88d37c9f11a716cae6

SHA256
0828572e4fa00c186dbf1d9072a6154d65cb499c6a37e338f3305f77a2fee382

SHA512
f9d28714b2a05f8d9025f1692e4d7e8baa6daf6176353f65646a38814a242ef2adededa44419edd69f10cf96ffba506dab7cb6e52111457bf69cffef12174b12

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_greek.txt

Filesize
6KB

MD5
189ba063d1481528cbd6e0c4afc3abaa

SHA1
40bdd169fcc59928c69eea74fd7e057096b33092

SHA256
c0a7a1df442ac080668762df795c72aa322e9d415c41bd0a4c676a4dc0551695

SHA512
ce59ad9b17bab4de1254e92ce4fe7d8c8242832f62ab382e8f54199a9932cd11b5800cc33895441426373d5210cc74104e0271b721a7e26ed400b716ae4d5903

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_hungarian.txt

Filesize
4KB

MD5
18aaaf5ffcdd21b1b34291e812d83063

SHA1
aa9c7ae8d51e947582db493f0fd1d9941880429f

SHA256
1f45bb7bdfa01424f9237eec60eba35dc7f0dc4e8c2e193fe768fe96d3ff76d5

SHA512
4f3e56d1abe26b56d3f805dc85baaca450c0c7bec57ebcf8a6bb6ebb8588307dad130c83bf792bac76694909a14fd6a4d7d1e9b31e32fba11256343b9fc18154

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_indonesian.txt

Filesize
4KB

MD5
1514d082b672b372cdfb8dd85c3437f1

SHA1
336a01192edb76ae6501d6974b3b6f0c05ea223a

SHA256
3b3c5c615fd82070cc951ab482d3de8cb12df0b3df59fbd11f9d3271fa2fbca4

SHA512
4d41c945ce7c94746875b0dbceb14811d4966de4e97fe047406a304162fde7e1e2a16367fc2e43978e2e5aa66749f036b4444aa2312673c2cc3af296e8b77f55

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_italian.txt

Filesize
4KB

MD5
8958371646901eac40807eeb2f346382

SHA1
55fb07b48a3e354f7556d7edb75144635a850903

SHA256
b01ec64d75fd1fbd00fbeb45a3fb39244911a8b22bb43de4e0c03f205184f585

SHA512
14c5dbb017822336f22bf6779ccd4a66604ddc5f2c3caa24271e96f739fef007754d96844efa422d6682cbcd2d3bc902c36f0f6acb3eb87ed8d7b3f885973554

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_japanese.txt

Filesize
5KB

MD5
7e1d15fc9ba66a868c5c6cb1c2822f83

SHA1
bfe9a25fdc8721d7b76cecb9527a9ba7823dc3d7

SHA256
fc74e26a8baabbe4851109512d85173b75dbf7293d41eb3b92a1957a773c8265

SHA512
0892be14a858cc860766afb1c996b2c355108a7e50971ea3ec00d15069e919a6eb05a61fa839bea3938492c391e274144c5e248f4c204a602bf36adf27e5b406

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_korean.txt

Filesize
4KB

MD5
202b825d0ef72096b82db255c4e747fa

SHA1
3a3265e5bbaa1d1b774195a3858f29cea75c9e75

SHA256
3d1399f5323a3ece1b1a8b3b31f8fd7f50c3bd319ab3f1c38c6e347452c95314

SHA512
e8fc7cc09f431301d22a07b238179ee053505090e3c4db30ead061513fe7159f1fe8b80efc93f4597fe00f01087bbe0bb2231e13693d72c8def138657cb91566

Download Submit
C:\Program Files (x86)\Steam\userdata\1856190775\7\remote\sharedconfig.vdf

Filesize
164B

MD5
607dee05303c350f4ec260519ea57594

SHA1
5c5ed6d8295c7f9d071519c1e4d8778a1b00ae32

SHA256
fbfc72a1e274879c7a90caab92c6cafec8f5a4babb930fdd6fff8c97822e6c24

SHA512
da625a851242c1a6e9af57824aa0847fd08d00572e3743591ed539e06016bb32f6f6a881116d726f097f4641fb3972ded7893c235a6e9d322dce12f7cc940d37

Download Submit
C:\Program Files (x86)\Steam\userdata\1856190775\config\localconfig.vdf

Filesize
3KB

MD5
b50a16940fc27f5136591cbf4ee1273b

SHA1
c3e001b27724d4a440c43601a9398c43aab1c600

SHA256
8a6a8459f748390228954b67a0d843f6d3ea182034bfdc56d86382d406f2c8d4

SHA512
a735e5c0a50919c8d531f42831e7f020da99d45c49bddf1c8fe3e8d97c4f7b0da016495baf593313afb82ab7a14115f738c435b746d85c67049d3eeb11ff90de

Download Submit
C:\Program Files (x86)\Steam\userdata\1856190775\config\localconfig.vdf

Filesize
4KB

MD5
18e12b78de5db79b3380882c91caa380

SHA1
30b95285532230fd29d979fb05b1ace9b40b80db

SHA256
7e352a4ce014eb3efe122ea8c06c91a25974ffa761c5c6c355db27f940b7be40

SHA512
106c7681a61af7e48bc17b0d8ee34639f90b717caa760c5a8a3e8cc2205cae323b5fc92edd60a87836df3643b38ff1ef2f16030a33d20fd1a0b14fa8a530b6a0

Download Submit
C:\Program Files (x86)\Steam\userdata\1856190775\config\localconfig.vdf

Filesize
29KB

MD5
76a1d3a7bbd17cab7b584a74b4c7f31b

SHA1
b478669734206738306e7604321994432c5d5315

SHA256
53f1060a842672df283c955508d8b8e5c9e56f9c49083d2144edc146de1f56ce

SHA512
57f062a5e9172eb3f54594c8d6a20afdf696e16f2c78b0905adc27382aecdf3e6fde094d63496765f7c6355fd2325dbe772aeb0d9ca83c6a80ebfd0b13a8fe69

Download Submit
C:\Program Files (x86)\Steam\userdata\1856190775\config\localconfig.vdf

Filesize
3KB

MD5
d72a1686e8acfe80b8f9b20b673edee5

SHA1
7cae6ddfb134dbc62dea07e7b93899505fcec661

SHA256
3cb67a07f3ce7aad850a1d0f3202533e314fc70213a1c207528474ef2d42b27a

SHA512
b29a238a76aff1e9081869a64eb0dccf80516d39a441ac631f1fcb5cc2a38b4d27c2d4bb6d00b72eb1fc1d797e15ac19047cb6e49bbcef81086435d37f7df0ef

Download Submit
C:\Program Files (x86)\Steam\userdata\1856190775\config\localconfig.vdf

Filesize
3KB

MD5
86407fe6d18dc664d867e137f7d9e4d7

SHA1
e4667f7e38b06d23feb5f9ed9bbdc6fdb274e63c

SHA256
08e5a8ede01545e4f61d11ca45266b495ba5ae6a88b713c29b55cff6db6f90b0

SHA512
9b1dcad36651b682e080a68c3792367cfdbdd23f6321ee792a184616d9f87e8cb2d75f7d4b057fb3a872172d01a51381195fa3f537e8c5225cd1afa4e700af0a

Download Submit
C:\Program Files (x86)\Steam\userdata\1856190775\config\localconfig.vdf

Filesize
30KB

MD5
b688e5f088aad0cdb43b0d36da3be513

SHA1
289fc6a314b207d0e7c78a8fad5208ba3fe479ae

SHA256
2f6221d06d7807a80056bb16bb49e51789d2f04436496d1a0022f76ac5d2d872

SHA512
ead4e84e10853814dab3dbab4df9c6b80043d23166a5cb010708c5a4cb8a640d60145c6e05a4bc7a14554acb71f2a42cbb110db6a0eeb195b5dff24b85b958e7

Download Submit
C:\Program Files (x86)\Steam\userdata\1856190775\config\localconfig.vdf~RFe5c2fc2.TMP

Filesize
247B

MD5
2be022463d9061b9d1cb7fc7c16a9268

SHA1
815dccbd49f583887a7c709a840fb55c6e97f77d

SHA256
1538053ff1b838145f14fd0973d63d6443f80b3fb068dd7b8f8f4afe37a826b5

SHA512
184cbff5a7ef580da2c544c0282f723b08d8175570a3c735d2de0debaed0fb461a2dfc8e16d38377e072f8f12714156e6c377f72cfcd1e9de8e9a7dbdb50171d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
0ac84c4a157ab381606dfb7af100bc69

SHA1
068b16681ed4429f0f48c132dc13207d043e37e8

SHA256
945e8c8fe0ef0ab150977ba2720bda7249fe6304096b3371b4572161ffb47e7a

SHA512
c4a971793957fe7c07ea304a30782c2c37b412c7e9bbed1ac7b5cbf41bb4bddfb5dd3af646c1fab337e5bb1da4e5583edf953ae5e4b3756a1f76551dab3a1b27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
f0537cc08d54bc5dff11149a056b7119

SHA1
3a703e62b120e7f92f6f01a33dd768de86cccd65

SHA256
f9d7ac1746e72247f56ed54cc15dbc8a33d8c6a3350994585b1835ec00efb643

SHA512
cbefd38c6d8a5848ede915c2902faecea9c2f15c083035bdc581b841d61312fe8b9ab16414a6a53c99202524cc659af7e6f3ff9e517ffe1153d65434e631758c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
4244b16134349d3dc78eff29352969b1

SHA1
f601f02cebcee2249967eec8070cfd546e040966

SHA256
aa7b7ae0489d8781e4427facd750df5eb1d151d5187055312d6ae7fedc91ed90

SHA512
f51ee35eb050d5866dd085b52681376a1e8034789187ae3dcc605069f8ce29df3aeb1fd46d7fb983ab15c031aff10ffbbb365222eb19befa6c22593422671087

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
3459992f6c2fc929f46b12422db20ec8

SHA1
31a25bd5cf5229f754d459ca42d1174795966d41

SHA256
5b7652681bbc3c7323c603f490ccb2b1a779a1111f7a6cfe708f08d0afbe509d

SHA512
c624f0db55034814234310d21d6dad166f6fe4305deab6826fa7460fdfd91d321b72212d0669d14f21de939f9ab462436ad0603567ae15c491de89ac6e1f927a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a077f7b225d17709e4873a7097edcd9f

SHA1
faaa759fbcc65b792008941b47ea07c33d894c06

SHA256
89ad12a6d90fb4401be5eb8bd450793e53436c2d76e86fca5b1d1c8a59dcb329

SHA512
a5fc031eaf59ee71082de2436d66cac884d6057a6c17ed4a97cc57b45b0dbbc28421fadbdc5d6c375d34dd4e358f1271b72e9c81f02506dd298997b27e111b42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
97fb53fce123b1998af8e47544445f4d

SHA1
8a7e671bc4ad069cf05f4d4ef2da44bb9f042d2f

SHA256
9a9f11840ccddaa0a20dc7e1a7f09c1a69ff079881ab1039b4012e308a8b7db2

SHA512
c87994e54eee42faab9fc70de109932c7610be14fa5a8132f78204e915a454f1e7a36738669b670f0d082d3ea7ad55d028144c89843d9ba6be097240fd14edbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
03f01ee92e6834186e72e2e8b33083e4

SHA1
67d9a4603a1327d55205707fae7e8b235e2c1c23

SHA256
b67dcbbe95232c32b7f770172076ee8e0d5faa3a8397bfbc7028b8bb8812d17d

SHA512
56b6af14a4f76bb4c37072a3f7132d9be147dc3d10c163b07886fcc712e1e2ad04b18fd5055a4b238545fd9020a35aca17d6202eba8bc737f0321e429ec2d318

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
53c7b264c85b3eeb68a8ac10f80e2335

SHA1
4abf60734596d3b4487f4cbb2d29df1a0ec9200f

SHA256
2a952672677f81151950bf9c004ace5f52a152c01e93a076c1361f899c419bdb

SHA512
144a008fee06f22293d1679567c82ed55cb4a277910c8d2f0ad932cf5e4c1326d13e3fe0d26e3121840691eba7b7e4a53727025b90b30f3fa684924f680956fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
54b7728df692c43e4977d8f8145e802b

SHA1
6601016d55dca6b2df5436797a00b33bd77099e2

SHA256
669766b2f87ddff7bc069b49e847a4fb88a26b9f19fad3b2373a857b27fa62e6

SHA512
5ac40fd1c9f947580d97943b3cd15feb1df12ac46ec68cbb1278caf70398770973c4844d2af35078d4f823e7fe09834e46adcb51759361613e37ffcc205636f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
9ef25aca0fed9dc9901565303baeeb00

SHA1
b1723fb0bf9dfa56304b94c0cdbf46b3734addb6

SHA256
790e15cecf2136d08cd0d6b0585b54d283a0e372584c9b346b5bdf8d7ffbc10f

SHA512
25ad9a3a58ff97a257a65152e4cfe50b044a9dcc9e9a197f6f59de819d4ff23fc9e731f7ddae84dafb566e79184da25d722a34cdc84abaa58cabbc727c2896e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e27ed6ff29a297ddbb2c0a420fddd745

SHA1
cbf36d12ac4e487a2e346937ab2d1cf525a2f49b

SHA256
3408568e92108bb28de2abc9f068dd00dfc9522c5db9e0d8c754d7060e78f5fd

SHA512
313de74865698c772290e5ce4d8b1e4c5f0f370eb35b49d1faede9a69a9657ec01f6b26d8a59043171590867872ad2623d63c7110b0bd8f987eaaf767e41eb7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9675efdcb679c9d8efef09e9d870dcf3

SHA1
83c8009d08cad75beeea575f7c42d0405ef6e0a3

SHA256
6d5347170bc46914e2124cdadc2cbb5d57cbee015f2a7374dad8fe73f5bf7227

SHA512
5aa01c9f0dd03444d34cd07c7836e497efce1d3ad454c225abc639d5a10ee9e90db654c0836642fcc1b491094db07375808289fd1608e616b3534b3227d20def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7bed1eca5620a49f52232fd55246d09a

SHA1
e429d9d401099a1917a6fb31ab2cf65fcee22030

SHA256
49c484f08c5e22ee6bec6d23681b26b0426ee37b54020f823a2908ab7d0d805e

SHA512
afc8f0b5b95d593f863ad32186d1af4ca333710bcfba86416800e79528616e7b15f8813a20c2cfa9d13688c151bf8c85db454a9eb5c956d6e49db84b4b222ee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5431d6602455a6db6e087223dd47f600

SHA1
27255756dfecd4e0afe4f1185e7708a3d07dea6e

SHA256
7502d9453168c86631fb40ec90567bf80404615d387afc7ec2beb7a075bcc763

SHA512
868f6dcf32ef80459f3ea122b0d2c79191193b5885c86934a97bfec7e64250e10c23e4d00f34c6c2387a04a15f3f266af96e571bbe37077fb374d6d30f35b829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4cc742e4-20ef-47f5-b459-c2cd820fa043.tmp

Filesize
2KB

MD5
28ccf63ded2d4f1fdab82dc373418c05

SHA1
4860f92865731ed4763c76d4f3830a7cd46affd7

SHA256
26de9dee72fff725c4acece2954fc5f0c2d2d7bf05bef369e30e32bbfd234ff6

SHA512
9d5f46b3e43ec344f9671518145c8abb228325778d417c1a774919638ae26bd704f4ea2da97362e9579c4310d23af828dd2a6b6da174dcc0f3cf919051f81b13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000c4

Filesize
720KB

MD5
4b6b49ff2d726219e7a202d177ba990b

SHA1
e92d330983326cef35ac927135f3b21362972725

SHA256
a2569c08318a9243271f3df8bbc6f92d66f2e91e2890dc8d474e3dab28312327

SHA512
a64afe0f236fbd6cf150df09db04be72cac5824ff12dd26a0cf67206ccdb665ed8871eeb7830c9339d33f7926c2bc707dbf2b4e7f136d846465cb453ac59c794

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7ce535d108d27f5bbdcbe46b64ca499d

SHA1
c2437c7a8bcca57bb0de037449dac8c4f6226134

SHA256
22cee3d38b1a35fa7f671005633bdbd5e9dbda3b62dba10307204fa124a10934

SHA512
e283cf92fbf0638e6358e022272ef4b508aeb9c9a751e2e5da99dabb9c0caa78ed8a35327b0dd70c86a6318665da9e2c721f707c5dfd7696b932815ac075563d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
c9272c3890eada9910629a65dd4b49e0

SHA1
b916dafc863b0705091bb632af572f05449f67c2

SHA256
d4354e179dec7177839b7f6fe5209341f015386ab0b368badf4085f5957fda58

SHA512
256bd78f473be29d9a69f1bdd66081b2d289b6fab2df52f2a984ef682a8460211ea272df8bc15e80a0344a184098b16cae1fbf0e693045093cbc60d7deead55f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
a81037af09f5a586540dacceaa104d8c

SHA1
ce34aa082a4be810c847c9afde7b28509e7c6c51

SHA256
5a62fd5fd73603a662a6592976171bdff1777e235858905b3a0e38cdb66ee0e5

SHA512
fb56bdcee6119fdef53a9c47ae65559a285680ab067c31e07d0da2b323d3224dc7d232826ab4ffe1880eeebc28c0d0410bd9a444c44b2e361cb3069c491dfaa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
1518aa3d1afbab4cadde7521efcb77f3

SHA1
446cc0a9cf589fc8aeadef05f089c74a68c4527e

SHA256
6a910eb754834f4ec0a2862a0331826c880a17e4cd2eef955f3b51e007f2a91b

SHA512
1e4228d624c9cebba0e88307c29aee999b47f07bc354cd785f206b5fcf0941907fa28d36251aaed7c97bfbf550a1480272d5698411ebfab0286251dd4ba510b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
4a71b9a673d19ef971b7b8ccc79fd813

SHA1
87eb2538a09112eadfaa584b49203e9621ab9483

SHA256
7d1bb6b4a7df1ec1e1119aeaeed0a7f6ed2f68f102743d07c9ee3bb6193c4860

SHA512
6f79d6443dd639fe416532a8579ee7b0170932c7fe4e19e8add0beee53f05bad69b77518055771b2939b377b0aa7bedbcf451d90fbd5990bf325cb09a5043e6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
736B

MD5
d66fcd449b0618c3d24f10429e217f9d

SHA1
a9ca81ceacc82083f7d32f6947a71eb87efc474b

SHA256
597ff435ac10e2673c7c47fb2644deb0ef19af12cc973c55cac659a2d67e6eb7

SHA512
7508be50cd9e09ae296901530ec91ebb97c913f950886f4ce312ccf9ccd75a63c1160cc811c9ef96a38ed6ecad181700ae5c06882e540deccd673ef4f6ebba27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5f7409588dc5c2cbb999a164eb99ead1

SHA1
faead1f21f4e99f3a98c54f448452b26e6545a21

SHA256
487989fe74dce24c3a024073a42272c3b62edd051fe8b3ec71461992bafa778b

SHA512
dc465a26ff028e7a845df7f6fc071494b28a2eb33f32f559e8f9231bcd335df800726f8f686ac1a3e6f58e5263bd415fdede6a6eabaf335db5dee7ee1999c353

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
415946b24985570f95c65cc8577bd92a

SHA1
cdee283f3232b18b17c5d7d9c32a01931c4c69a6

SHA256
5adfd3dfe479bdf0d5bad2aacecd87fe5bcd0d866bb8710f47d89b8ecbbe6cf7

SHA512
683951f904f08ce6eeb7d890ac329affdd7c51937517401f70967c9f0df063f04e9889f1365aaeecab6df395b9d86548eb572e857cee5f5d42d949c2412d9c3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
342869e257dd59fefa38a2fbe4ff0018

SHA1
837649adc83ea9519d5a125f427122d5ddf80c2b

SHA256
27d7f48e13e02c46e1ea955a39356406d6b9fb270cb83d29ff0e28c0a4312ca9

SHA512
60c8d71638646680f11cbba8473e3bb486cc858b28c03b1a1fa9f1b4de0b2d5bbfa09ef02d8c1d1193e8b0b46a7d36e7f9d34cede451e0d3fd2df10897c40c5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f6dc603061e2e0ef3035e3fb6cddcefe

SHA1
1f72778c0612e4d77069eaec6c142677627e70da

SHA256
ce2d8e524651cd0f087fd80ac1d8b1fc0871045fb240377a89637166dab01637

SHA512
cff8b1593311a44d7caf8976b7d77c27f877bda44289dbe6dda8622816ae11c214f327c74a8a9eac1fd4d2f7b3c22c1ab130949389c2f2df62d443d2e0f8caa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
aec4670cd1f0a7af7da0662346ae76d5

SHA1
a85de0e3606449f80817f00c701180a8de53bda6

SHA256
52a2f734afde871f933b07c2df26e34b9cd6347de285410cc680dc28106bd78f

SHA512
7a6682f4c4a0025485246a443b06b1ed5247d84804fa1d2c0774079310ec21aea2d5c6afa229386e56fd7cdbb8bc7e9e3fb6576d534d2aca6518f2f72c7b6b2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
cb6206a0be75b66183c2415ab99918d6

SHA1
59c2209d4c96e13dffea60c4b561526e50b9ff7f

SHA256
5e9104f6923d9c2c4f55569d6c1d00a8cf40c4b822b0c89fdea7f631b98913e9

SHA512
0dae3a504085f9438bc63b9230589ebdcbe1f12fb9fb769a214f2f51fa1a05d85ac460208a9e3911b823576a56eac01704e488a55cb69bcf9a5151a7bf9bda75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b08a61d2ce0de656900cd29717dd004c

SHA1
69ed192d4f2f1c59f7d31be9d5d473dfb6ea5373

SHA256
307492ea2824d87df8d077a06bafee5507553f1e41302911c9ca2bdc93fc53ab

SHA512
93063406222eb4e4083ba847ee8259e11703b08a48901565ceba0d0ae06806ecbf4e55a411cf48993136c6f1c5f7ceee17416f7b0ea90e3d2c0d153653da0653

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
09c14cd96e06337f3d5e126f41d2f516

SHA1
2f772b61b1d1c3c56946a885640926ce959ceb2d

SHA256
5720c76f9504aa7bc9781a19531c0048d434fd6ed4704f8933341e4aa3512dac

SHA512
4b9f42c72c1ab4351e0b13a3d2fcc3dcfbae4692b6cd57be0f1d6ef55c615c9828c74b8da78f1554b1d5c3b66402fb31fca0781abb47afb329fa5ea648f5beb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
af69f7843c180914a390fbee97c196c4

SHA1
f20bcc838d36dcd79c54dcfeb0d3d62959574b0c

SHA256
83f5892f71d3c7069d0825a3348d1dd786678ef7d1054cdf3f901d1123aaada3

SHA512
e478b0feeb1946441da0e03c3b39784052172f2fa71d5a79a8b51bb817fe1b83f3eadd0edc00aa1d2b02adcf6ebf17eba2e271e5f8fdab9e6f5986d3251502f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7bc21e35607521c0acbaabffb35e2987

SHA1
24d7ebd0a7d0a5c666c686d4c52be7616637224f

SHA256
86d0c54583c15e149ba3215dc1b1c7d43c896881b5df0c0bd221e923bf8ee3c2

SHA512
7b70614ce32bd7f95a6263b4afb350f5664bdf26626a2b9ef41ccfb858a9db92f2e07a9fa9ca4198ba4a86236c63b4e090ba99019e883ae15d3f94e69d9b3d87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
593a62068cb5a8463074b866d85b9c20

SHA1
bdb52598d78b63f7d47130ac8bb1087bbbe7558c

SHA256
e1c05aa7968fcb1670878c9ba7897ee1f41790a4f41e656a84f5ac9410bc6cdc

SHA512
4157f0b2ff23cbce5b9f646810d9772675aa1fa1881a4d225f05ec2209f443028d9b34b972284bcc79e9f4aaa54b15fccc360b746be0576daded75f4a2e12434

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
24bddce221e050d23922f6d1faffd7a5

SHA1
ff07bd8d81a7cc46e3a3db165c8ac36139504ae8

SHA256
c2835e3f6a347653b124ae5eea522d25d190b7257fcc8d315f73b40426d914c0

SHA512
5e0793f78b735c0f0983762b197afbc0872126cc9a18e2c458d6a3cbf9fa69c0ecd9a7243fa4715eb7ba89b3d1b908d71a28c4a159321c43e3e11a903ba2e190

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
030dd2afbd69679d0e5eac0f828dc257

SHA1
2cc16c667323b2ef89724a2641d27d3e28e49d99

SHA256
1a39d773da74fa82c4bba4d4949655a2581090971745d4ab384d4b8d953041a7

SHA512
328bbcbc23891402b0c0ee452cc953afad16e5f4d16ec9981c97f58ff9e341c1cdb0e5cbb21146497fcbb32801d47a34aa2d4546ee089c3e83fd23fa4ffbf354

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
9eb864840bbe3acf9a31db18705f9bc5

SHA1
04824f38e0a4f5a0cc136097fb018cffa7e25d7c

SHA256
1b66da9089bfcfdbf23186f6512b308d80d3cbca6a4772b1c73ec657b8485a8e

SHA512
223358b7e0ab75ecbe2f25dd084f582debc4cd7c6cd07f5864fdc07b8911bd2234d0ec3d9f94ddbe00cfe7b4d14489e412a03a3c7b4809c1ce06503d443c4f2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
54ba57689b2b8d6d8005762745ef990f

SHA1
32bd9a7dd9262cfa090790d149d84b82a03679c8

SHA256
314c4ee7e32b327dd3dc12000ced52e992dc918e373d655f44be4c8552eaeec0

SHA512
977444df72a0bdd7be3c30b648d6e29da653dfca046f3a0d48c2f8b8dcabcd710411f48e40bbccec593366725b6f64c2ad63b17da6ff6b14283fab69fa4d6534

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
74bdef23b5936c36c25e667998d07cc9

SHA1
0477569d9198aaa48a6d8f9a72843cb94074de4f

SHA256
c8317b22015ca935374ae0b559e6ac42ebcd0c4516a620f5f47155e5ea36775c

SHA512
1fd9528bd233ab95d0dae2556d6a6b68fe8618cd8fed56b07aa1815c38cd96c6847f38e04b93a0517f7807c8c3aadbef4441536d1f1f136b7ca71211fbb5bb6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
04b01f5489b911dedfc3b918951a4065

SHA1
26f9c68fe03139fee2acfd2f684ad21d078d2b90

SHA256
d8e8235053a73606cc6205256832b74526f5c664e4bef7fb039acc0cd714b73c

SHA512
ec2e5529fbd08c6e3beaadaeb9cb8b77ee2bb0f70102feb5dd60f0c0e7db456d0bbe3e50b354df870bf304847465511a407cff97bdcc14c19e413be0a00d353d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
3dd8aa2954a9a73714f9f5d752cbe292

SHA1
df4179ccd9859cfe5a187a888c9ed3f418566bc3

SHA256
563374d30df12306a1782e68c6b5c9419a3d685c920ad665e41bd3fbcbb24591

SHA512
d3d62fcc64d2195f2d788c19c15de1bbad1830ae806e909a63efce2a0c53cd8bb119f7cfd6ac08be247a7a4aec61c9b13d3132d210bcaca620747d25bedcd63e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
02bc0f95c80ce580c7af9f9cc96c2f82

SHA1
8c43545051c83736582dbff0e656143a4c6d7c40

SHA256
4c8d95120eeb7109cc0879a4e5a2e9efb93b2a716cee5aa551a03b0069b13dbe

SHA512
18f2f4fd3b7b9a16c072a81fa7b9cbb126c51ca8d7852baf9e8bcc4a030118bd09c7f017f5e7f85c81999e56fdcf6288173c0eb90f2ec3d7dc7e7cd0f5936e31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\df883d9d-7d54-48fa-9975-805d7f5bd1b7.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7efa05b4ea0a18f4413d08a3cef63014

SHA1
9255c98e9434d17206bbfd464eb8463c33a173e1

SHA256
b279365069d7e1d99a68d813878f4f6ab1cab2d919d092c7f7a0694dc94eb13f

SHA512
39f94395548352ea719623b77433411dbf9fdda40da4b7acfeb80e5aebe2d75f28004532289ce5584acda4892aaf9bcf356c7f46fa7361c9ab04fc919609126c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
654ae1d4867a88fe727ea96f3f845b4e

SHA1
e5ee531458a2035c531eb3311d3e9e6e21177873

SHA256
d1ef3d134e289e67da4317b40e7ff197beeb53c5d62a0f6522b60aec051eede7

SHA512
935ffab1c5c3fd8e81c67939b4a30ddc9660c553b211f7eecfb3e106055106d7a57498877eae4989026b432b9cf4572e44738fd5cf58782f0e4b0e323ec4f467

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
46b216bc349e027e7bb19304115164c4

SHA1
bce6a84ee42db7706f19bbb7dd8374863d06b462

SHA256
d3e9fd31e4902429735fe8544255db558711c8427a8edf5392ef925a1d0fca8b

SHA512
571ee109a6931476d1586746e69fe5ed6a06fc97db47a3760fd4ca4cce98f4d208bf5340a094519b19535451882eaa9834a38db29c66cebcc0a78560244c14a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
43377e272ddbbfdeebbb950e89e6dfe2

SHA1
5ae1b1cc293c05f4bc7824f0b3351f4a29599231

SHA256
75eb97711faf76b5b501c91dca1577db29fcb12a8ae975a0e7019e8a552432e8

SHA512
2a858ec0532a166dfdfd9d9cd1e0b2865f2ffcd325a621dd9809ea6d5d9ad1db230b7d211b1fb23588d6d7b15e0b248c71d37905bee06e7b73c7f5be5cb6954b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
54c2c68602e75cf26aeb39b5fdfe7cd2

SHA1
5d1a10bfb397f05489bf36c3654b43e2d15b2b38

SHA256
cfc0324cd20720c2acec98a3cce42d4cef92b78074efdbae55e81af3cdfab327

SHA512
bc83a54ddc4151afc793027ca7b7995d2c39ab8fd813bcc2b20b9b86e64262acdabf0967db34e74657bc839446877538be1000412af19133183defa423bcfbfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3ad2f7d5c43cb7457a9e5649c153edd9

SHA1
12df57b50aa73d0c069ce60e81adbd9ecfd153f7

SHA256
91783f762a4a26a5e0dcd0bea14f506076b59fb2019c7514951bb8c450d4930a

SHA512
de6ac8cc051fd9a7348830abfb6564df021d404734f5ae030864b5eb8bb81b87b1a6a026aff08751c5a92879cb7d85ecdc3596524d884ab8c7af6229ac659e23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\e27c48a1-7e97-4f1d-b1ec-1686d5e6c574.tmp

Filesize
11KB

MD5
51b4c9359b787a7d610065ebd0bcc5c1

SHA1
e0432b2e8402b92ff91a07a15795096faef432ee

SHA256
a1073a46450edc0f423c949d6bd8c74e90eb8de9ddae153242fdad6ba9e15a28

SHA512
cd5562bb9a306b43d89a8b0f3176155c60699d2f49e17a5ad1da1977ac07d23720dfdf39484e29c8219ae83cff953781ef1467722ab3e4b68fb04d23b524b2c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\e53d7129-fc4f-41ec-9c26-a738326837f1.tmp

Filesize
11KB

MD5
ec348c9710496dc4de653a1091523ab1

SHA1
2f9c30a313c596131cbe375c41f96a570cf91c1f

SHA256
a339a0fd41184711016a469412b3750a82a84dd60248ae516bd074097bc951c2

SHA512
27f0dd3dc873e12183fca49b7c26a61a4a00a87571669358ad86e06dbb732b5b1d8d071c2943a5d43a03b1243f6252cdacac88581d8aa3095d4110f077480f6f

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\Cache_Data\f_000003

Filesize
24KB

MD5
b201e8da90ef456598b8b3bb0e31bf53

SHA1
8bb524c8e9b17920c83d9a06c0b305e41cfca560

SHA256
2c8b630d1edafb8cc8c8cd73fff10c8ab6d06232929a4d458ec34628920f1665

SHA512
50126ac5b7800f5a848ef49ebc8e71d78cb5ee9c1602486b30e697ce57af32c868e46795ac2c157cdfd7fe65c03133c7a752813d520a9106adc3e50620b473f3

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\Cache_Data\f_000004

Filesize
40KB

MD5
46f57737d50e34053f1f7633d74d600a

SHA1
ebb8c24e34d2f6f7e25de8ff516cb46ee8dafa36

SHA256
b49341286ebd650e4486d60e7bed27076f7d583f825f7440faa15d16ba3714b2

SHA512
c72f440d2a1a3fd6be82cc8c2b10a15f045f0c3485d734ede9fcbe436ba1a9f291830830005d386458092a1a6df1431b58cc6ac95fe2ea745e74ba70b050f2cc

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\Cache_Data\f_000005

Filesize
32KB

MD5
31b05e57c066452d73ab005bb42865f7

SHA1
2a8efd5d7753dd756c539ad66831b01f603fb13c

SHA256
84d0be622ddeef6d0793df5d274965d6d13a756979b4b484185dc7a051eb4071

SHA512
f793863cec23493b58311d37720fe7d48e21c92da5cbc9c5d4562e47a046e33be4584d58a1c031513298c55a9c33f5e591fd5ce831c9c33af9c2594bb071c277

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\Cache_Data\f_000006

Filesize
36KB

MD5
9d69a62bc96e67bf779bae3744a8f693

SHA1
bd8a95a103317e66551c2129fe392998dc45c7ad

SHA256
39ee252af15a86d1d4d54a5c3fb9ed2678ef2ecae9ad9d711290acce7a7a611e

SHA512
e1fe5393201c37a9c34196fb986e818d5a94545009c6536b3c6b1a1bf71d528d458039ef1f30eb1c064e233b7238b72f7cd69d204827ba8cdf3f783aa012ca10

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\Cache_Data\f_000007

Filesize
19KB

MD5
48ffef4fc267c7350a37339001bd1a02

SHA1
9379041d4d542c116b420d014c7ebb68137a008a

SHA256
254467e453cf3cae3c70085b41462cd71b233c247b5e212f444347537b4c4873

SHA512
34b459dde39b3056e2f0a4c593b342d32829c9eebb2b01f146aefa0d54f0b52ecf4954873cf76b424abb25f84370d0b5ac06fdac734b397a7444b4b64b4d52f6

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\Cache_Data\f_000008

Filesize
19KB

MD5
280188959917fc5a7ce9cbca5ba6fc05

SHA1
f651c19d05fb115f031342f12b36337d866c0034

SHA256
430750b0cb0ab5213be051d447bd370fa4afb2c0ca0275cd4f1beb8e0bec8f15

SHA512
fd0c1159142cfe42617bdfff51613aa6f72119e35d21bd1ef01a76697cbb8ecfff6059e52e8218be0e2fa37389a7e5582f5d6e9e0d80c2b00602337be5125eab

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\Cache_Data\f_000009

Filesize
150KB

MD5
52344bfd16b4f6d1dc61922468458ce0

SHA1
142e9ec2e44f56e7e97f243624655decd4ee75ca

SHA256
d4636d2d08503bfd82c4e2a614efaac77ed9aaa38793703e16cf8f73b445aefa

SHA512
4bdf08a37c220abdb1ff30a30b10573082960ea9ad4118d3a9abe3e0334aefbcbe07eb60cf17d9f8f4539c5f719a67c803a452a4e79ab64e71e7c7b83c0de172

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\Cache_Data\f_00000a

Filesize
268KB

MD5
0f6192618cc95b90b08c888009300563

SHA1
20bc0faf53892a8bb835e3dd7edb4794dc8f7446

SHA256
6bd273b2441d8135d9b18cad1c0a71b834105e18607fc5d1db1fe66e19142855

SHA512
50d6a2f2b9753319120266379cd8d00e5af547a7fd0117d5f3c445c69260f064ebe61074727c98391729cd0b0f44e3f30cf5e28921f27c3a5592ed2cf1d1c3bf

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\Cache_Data\f_00002c

Filesize
119KB

MD5
57613e143ff3dae10f282e84a066de28

SHA1
88756cc8c6db645b5f20aa17b14feefb4411c25f

SHA256
19b8db163bcc51732457efa40911b4a422f297ff3cd566467d87eab93cef0c14

SHA512
94f045e71b9276944609ca69fc4b8704e4447f9b0fc2b80789cc012235895c50ef9ecb781a3ed901a0c989bed26caa37d4d4a9baffcce2cb19606dbb16a17176

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\Cache_Data\f_00002d

Filesize
121KB

MD5
2d64caa5ecbf5e42cbb766ca4d85e90e

SHA1
147420abceb4a7fd7e486dddcfe68cda7ebb3a18

SHA256
045b433f94502cfa873a39e72d616c73ec1b4c567b7ee0f847f442651683791f

SHA512
c96556ec57dac504919e806c7df536c4f86892b8525739289b2f2dbbf475de883a4824069dbdd4bb1770dd484f321563a00892e6c79d48818a4b95406bf1af96

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\Cache_Data\f_000096

Filesize
116KB

MD5
b6fe53543dff0513f140632601d5a9e1

SHA1
56066c1fe6b072f4a854babe5e0a832b70549371

SHA256
4b2a971b87e6ebd12757b25bcea2c748bd3c2e62ee30d265a9114fee6f1eea08

SHA512
644e889ff9a4bcd17230de0f9e79797d2c53a18d61f20c5da8790a406f03af78e49c3338ab4e9c978e43dcff39ab7559dad16f9a53de914959d5c3e2481b0436

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\Cache_Data\f_000097

Filesize
128KB

MD5
e065945c7bec4fe076d055fec02df745

SHA1
8ab93a3ac3315784cd118d2b010d258d7cd11306

SHA256
91d93fff4c8614c36ab78728a68b3f2f376011c060031c0a9329c2b4f7a68c0a

SHA512
f65943adeff31c0765a28ddb27466b7484db6e7c408a5861b1fc501b11daa668d7a8483dc2fcf224cd24e148c35d1498a1e7f5d7d1f09a28d959307a15562e53

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\Cache_Data\f_000098

Filesize
127KB

MD5
7ec5dedfadd7c020631990fd49cdd3a4

SHA1
696d29bb80351af0ce141717b89155dbe5868716

SHA256
21d7784b9531db9dd8e49b79151a695e6df7d32f463af7d518e73639a2935c69

SHA512
e8dd3261bc14fc4f1eba14d374e770ca490c3a43bf231a5919bc535bfb05e86db854285dfed81792a6f84d271c1ff4ee0afff1b4c7aae14813bb67064d0ed424

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\Cache_Data\f_000099

Filesize
122KB

MD5
3e4ba468fce8a706dd68049cbf948298

SHA1
62bc9c6f7e587863ac2f969890bcf66e2533ba99

SHA256
ee6ebbd5aba6534c84b5e21d4b179a59c4b1b67adaf698167e5e224f39fb7c1e

SHA512
e3b75ca4a4a5cd7e37261e28bdac127710f47d469eb77850fb12af9f91df6c941792aa2b65eef9fc181d4837170ff1193c9cb354ad7e9a119de386c0fad977ba

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
37048471b36693c58f32cf814f7ef627

SHA1
06629bf4939fed644346dbe27ac0a5134cd16ea9

SHA256
9c1665ee53cd2c274de129ed07fca4bc6e50373d5b96a07d7fa93b02cd45b39d

SHA512
d35084a7fabacf794bfb1503436b77e0bff0c227285208a1585d8e762b412068994a8ee4d265a66a23eabac3ce5bb3bb956766c96364df28ee3004cad9edba0a

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
b192152b8d21ef9c8325dc917f0d9c7e

SHA1
742252530756bdf13cc7186615cc45b5a30585e5

SHA256
43cf1ebc7cba524f552cf05ef24ded4273888f0dfedbf2cb90f36caf96dd84a0

SHA512
6fc4bb4d5b80377c0a08b31ef01f8e52c2c653fd6669649e5aec017778bd432d9d258e7538067742f354f2877a540402fa89cc121ee73f3a88aca38959ec8eb6

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
4a58851ffa9c98a7791c9384e43a37f9

SHA1
2feaac1ccbc44043e6dbd629439342721ec8d8e8

SHA256
29659f6195317928655c7703ab95df8add4e1f4f69a164b77cfe59130fe859c9

SHA512
af1920b1d9a221174b87b424ba702bd8e0922a313f45438acfd2b7856ae4c882f0c94036a6058e3f34c0c028691577a820ed7dc5637336003ac20c6aaf9f9e49

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\DawnWebGPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\DawnWebGPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\DawnWebGPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\LocalPrefs.json

Filesize
710B

MD5
fbfc0fab0bd9c778a4599c571c97a552

SHA1
ae4f40728021ad4facb95e197bcb7e04199b8898

SHA256
51a7a3c82f76bb99401d87158a7cc2f6b1b727f2acc13475a554aab6fd11b854

SHA512
cb7a7c6543dad26de1d6fdfe5e24b9684eaf824b4764405b8d5c866d19747c7ed060ed0f4c71645e4661530159460598e3c3ec9b15ec88e0dfd859ded5818981

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\LocalPrefs.json

Filesize
822B

MD5
bb883d2d44c92f6eba74d247207dc8d7

SHA1
190f9af3374f119dc18caee144d3da587033abb1

SHA256
0aca856c304a8f58c7c221b8851feffc1f1e8b57e8262d2aa3f407efd8a2262b

SHA512
542d21fe3761dc6082d1927c2f082079562dabe3c2950379391441810ac62b7efc2a57786704be60d97e6b92c17332e75ed7a61186981d2115e781dcd19b52a3

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\LocalPrefs.json~RFe5bd0ba.TMP

Filesize
529B

MD5
c428d88798bf07a5fb739da1a0784dbe

SHA1
164b5d1f613337fbc02ed04ef0d399679c31fc9a

SHA256
45f438d0d1fde640933d268df6c1089e0acb8d75a74c98c053d861dc23558cb8

SHA512
9668f3898bd7cab8bf39aefd3257f26818d145b37da578d78b9298b84d82faabb1a1d609300ffe9ce3ae0c1ae5c331977040af1d1810fef958de81c503136d1a

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\Network Persistent State

Filesize
947B

MD5
28b0ecb9019b7e75a751c1934a640de5

SHA1
7039acd383518720b12b6ccc4e513ce019914e99

SHA256
e5541f74afa3ff9f155d0df0caf5dfcbbf2e86766a67241fa96a1418a7f17337

SHA512
a45f48927d5da1bb8f27abc4e08120ea2d8f9749c521d349fefb6f2c2a6b17b9383405013ee05f5058ccad0395895693359c248505a4318604298c7e6c041c23

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\Network Persistent State

Filesize
558B

MD5
93f55f6fbb3bd0f38aef0ab0c76ce819

SHA1
6232c82d6b5315149a75cdffca1756236fcfb96d

SHA256
c92cbe8fa9c3ff940f43ecf8a84a5e16913ea142250a2b82a87e68c119fcedaf

SHA512
88c552dd8b2372516925a1f392d1a56d6cb0984444791ebac6620d6f762029371d455b808d9795d26e4fb96a8bdf069a2288656c040c38068b08bbdfaf91a5f9

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\Network Persistent State

Filesize
947B

MD5
5bb444972f8ad1a595eb00bf5cb839d5

SHA1
104f485ac6f282bdec1535224ac99868167417c7

SHA256
360c9dfc02dcb8e75212751c39ffe324d6dab2bab6d52fa6593ec7410192bfab

SHA512
52e38fc98c7b2a87e5bfa1c33db3e49297eb19d455c4f73057368083ef6a14ac099bd4ce7d62b4ac3a8268a405de8072880c6c2f2626e5dfa4ab5bb3365ec921

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\Network Persistent State~RFe5be442.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\TransportSecurity

Filesize
524B

MD5
656215b268baa9d70f246317be06f99c

SHA1
f9e6d7b4bbd3f22e2a917ff4e1341eb4931f1d23

SHA256
d6b6cf3c29fc8d9d77e8dfedb35738c22e615f91df62656206b359d59d3699fb

SHA512
1eec9b727308479d98850c7f9d37003c906c7b2437897114080a5eac80d3b2c7f5a9396fde4746e5c9c06cd3c176dd3f980df19489c0238a606bce994571cb4e

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\TransportSecurity

Filesize
524B

MD5
cf922f620a100d92b129d726c9fb6c18

SHA1
6c1569888e625526fcd950f152cd27e8dc0be007

SHA256
11f664105b438e7432c7d1d9d676388ac4bd3d02086720b8e7b0049036f2fcc4

SHA512
9d49859f6b4fb300906964e9e03d7634d89dc7764c5710893cf5d0f2a91566356adbeb3a2a8777139196c054de22bef27c67cbef21ffcffba5b8ba66d0b65238

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\TransportSecurity

Filesize
188B

MD5
d829e0b65c75be16d55621a5acccd466

SHA1
266e7dc41ce8b5827a1ef8705c9d25adc2e05ad5

SHA256
2714ce6ce11edea83595cbf21efa24279476127bd00c08965729af82f0ba59d1

SHA512
0049b47e33d53f0ed235f7c2c674c9050f30c0603aaed6f3ffc5c493de34fde0cdc0407faeab9b2b72046c1b607dfda27e66e46100ec9b25b9c14a7359ffd6eb

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\TransportSecurity

Filesize
524B

MD5
835d000066b4a11e2d993469272393e8

SHA1
a4c044ace3a4f37f3eeb9d846442d17a5d1197a1

SHA256
0b1ea4e3c73ee139673c4a5492e02448c5402ba598e07853baabf5f8173edd91

SHA512
31614c6ad12eac1b95b93efaf91c2af7f58902174aa5defbad25b9400db515a68ba183e5fc6e5d52f86aaedf45ecd21426f54d8eacd3ac72b8490283425ee8ca

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\TransportSecurity

Filesize
524B

MD5
1fa8ca1329c538696d2cee4cbc1086f4

SHA1
1715e79cd4bad7d952bd14a30fc8c20cfe536efc

SHA256
60fc8f7d242c78f4af74f3a0d493e173ef9451d185c37ffeeea0341417b5f548

SHA512
9236cea545e3a0246f83e6f619caee61ae5cdfc8eb8f716c144ea63746f9dccc697175756ef39fcef8afe5a61913bb637e8dc8aa65e3ca8712349520ce1a9ddc

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\TransportSecurity

Filesize
524B

MD5
b57d0ed21f5c044c2528c010cc2d28e5

SHA1
2e1a3e3f566e421201757463b8d674ae568b9e06

SHA256
bec5ae89121349d974a6d27c6b553c0e0b23a1ccbcf9d1e57a425ce95d0ab93a

SHA512
35cd355ee940b596e47281a5d1ccf4b36d8111829d73ba0349272ba53064bf5366c31a76ca8fbb140d275cb3373d1a24c1747a2656e3975c5000ff240c2a3791

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\TransportSecurity~RFe5bde95.TMP

Filesize
188B

MD5
1fb0637a8f9aba14bc2dbd58a4e654df

SHA1
e13c67f124277504d2d3761f54b38a89a8e42103

SHA256
9fe0c64b289dfc1381b6975d6fc6dbf3d9fb639ef7c55e57e3f5353329cb387b

SHA512
3f7acc3bb27392b2734490cb9878a54048b23a392a4e13dfab62038b8634e59305c497df7567648076201753595f6154f43d70da5e8d49c622e166b4b2dacbb5

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\UserPrefs.json

Filesize
2KB

MD5
602c49f9246967bdcff45b4f43cf2fb0

SHA1
4c5796e0c724bbd7a9244cc8a0fc9e8f40181f2d

SHA256
a3ad9649c1038078038be1abd591cdba73b4b4f5cf30e11bb6cb7a432b746114

SHA512
2f273c0dd0127071f4c768cfe7277c6efff84c1ef4f4271c1326db3658c84261794b106af3198717f349fbaaaf276163700bbb50ae20fe52ed0a88a192d46f77

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\UserPrefs.json~RFe5bde76.TMP

Filesize
2KB

MD5
68b20851ccb9834d21fb32615e42bd43

SHA1
88fab935f0b9484994097c08f785e9ecb7d68127

SHA256
a954b528dd65ad6c4c2091fa32f17abdb7a49454ce88e10bb6c377734c70c26f

SHA512
dcb0771120c8fe35213d60e9abf4b242af807324759e3c99e9b2569c00a941d885d53ef6fadfe69e6b740e0b52a6008602605d643801190a2d29175a7d065e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd2680.tmp\StdUtils.dll

Filesize
110KB

MD5
db11ab4828b429a987e7682e495c1810

SHA1
29c2c2069c4975c90789dc6d3677b4b650196561

SHA256
c602c44a4d4088dbf5a659f36ba1c3a9d81f8367577de0cb940c0b8afee5c376

SHA512
460d1ccfc0d7180eae4e6f1a326d175fec78a7d6014447a9a79b6df501fa05cd4bd90f8f7a85b7b6a4610e2fa7059e30ae6e17bc828d370e5750de9b40b9ae88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd2680.tmp\System.dll

Filesize
22KB

MD5
a36fbe922ffac9cd85a845d7a813f391

SHA1
f656a613a723cc1b449034d73551b4fcdf0dcf1a

SHA256
fa367ae36bfbe7c989c24c7abbb13482fc20bc35e7812dc377aa1c281ee14cc0

SHA512
1d1b95a285536ddc2a89a9b3be4bb5151b1d4c018ea8e521de838498f62e8f29bb7b3b0250df73e327e8e65e2c80b4a2d9a781276bf2a51d10e7099bacb2e50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd2680.tmp\modern-wizard.bmp

Filesize
150KB

MD5
3614a4be6b610f1daf6c801574f161fe

SHA1
6edee98c0084a94caa1fe0124b4c19f42b4e7de6

SHA256
16e0edc9f47e6e95a9bcad15adbdc46be774fbcd045dd526fc16fc38fdc8d49b

SHA512
06e0eff28dfd9a428b31147b242f989ce3e92474a3f391ba62ac8d0d05f1a48f4cf82fd27171658acbd667eaffb94cb4e1baf17040dc3b6e8b27f39b843ca281

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd2680.tmp\nsDialogs.dll

Filesize
20KB

MD5
4e5bc4458afa770636f2806ee0a1e999

SHA1
76dcc64af867526f776ab9225e7f4fe076487765

SHA256
91a484dc79be64dd11bf5acb62c893e57505fcd8809483aa92b04f10d81f9de0

SHA512
b6f529073a943bddbcb30a57d62216c78fcc9a09424b51ac0824ebfb9cac6cae4211bda26522d6923bd228f244ed8c41656c38284c71867f65d425727dd70162

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd2680.tmp\nsExec.dll

Filesize
17KB

MD5
2095af18c696968208315d4328a2b7fe

SHA1
b1b0e70c03724b2941e92c5098cc1fc0f2b51568

SHA256
3e2399ae5ce16dd69f7e2c71d928cf54a1024afced8155f1fd663a3e123d9226

SHA512
60105dfb1cd60b4048bd7b367969f36ed6bd29f92488ba8cfa862e31942fd529cbc58e8b0c738d91d8bef07c5902ce334e36c66eae1bfe104b44a159b5615ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd2680.tmp\nsProcess.dll

Filesize
15KB

MD5
08072dc900ca0626e8c079b2c5bcfcf3

SHA1
35f2bfa0b1b2a65b9475fb91af31f7b02aee4e37

SHA256
bb6ce83ddaad4f530a66a1048fac868dfc3b86f5e7b8e240d84d1633e385aee8

SHA512
8981da7f225eb78c414e9fb3c63af0c4daae4a78b4f3033df11cce43c3a22fdbf3853425fe3024f68c73d57ffb128cba4d0db63eda1402212d1c7e0ac022353c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz14BD.tmp\modern-header.bmp

Filesize
25KB

MD5
da3486d12bb4c8aec16bd9e0d363d23f

SHA1
863244a4845c9d5dea8dd36e1083f5639e1224e1

SHA256
d93b76d51bd2214fa6e999c1bf70b4aff5165a6542f9b9b2a92b5672601f4624

SHA512
8e40adb65a4ad46f3bc5920d7fd8294397268e754b1eb00d4f7b0883be6468448033d9a46cf3a00fccddb4a7c81e7f984cf5a25731532c1aeface69573dfe59f

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3532_1824655484\00078ae1-9b5c-467d-9897-528ac4055adb.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3532_1824655484\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NG22XOX0H58WJ4Z3QFKN.temp

Filesize
10KB

MD5
991a69efc68db52306f703ee2cfe5568

SHA1
47480e6a23d500aff90ee43c621bdb7b87626bf0

SHA256
7645a7569a4fb3fcce890e243026d928b0c516a7a139a8930e6b986264fa81e8

SHA512
430d9837401024dad6a1bcae5b2f944366f3875fa40656bab0119b4c287bc3cb15674603e5201476cfa52aa9cb4a69e246e7804f845e8d52ec77db9c6a88511e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
ffa13c6549ce6be0163f54a83c7e2e18

SHA1
1dafc0628f249a45713c1efea191cdc921dbab39

SHA256
930495de15b85eb54f81a952ca90762bfc110b9c6b4a20dc4d98154b735312bf

SHA512
fa9c1e11367368683951cb62b08173420bb596c4517a907b1348f9e73244deb9f49b1d062b82836cbc783af8f0b5dc199c764e5650602e800b463f96f5b45ecb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d356105fac5527ef.customDestinations-ms

Filesize
6KB

MD5
57703714e9fd8426ad19455984069313

SHA1
844825acb33c35d6d29d934da59058dbb6d8b987

SHA256
b8f85468ce35f19b9a46945f40058c6682bf75db131c9632f81115909a6d1e64

SHA512
606463085c24a02dc8ea18359ca74d81c3db06f277dc04cebda9a2fbac97a6194c0d166136765e06c9590924d8691ff1331b021ef71beaba6bb6972cf0040452

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d356105fac5527ef.customDestinations-ms

Filesize
6KB

MD5
00cdcb8eb34ec02763112704810d115c

SHA1
5537c7b59053c246f9705ab1ae80e1c62d51b3fb

SHA256
b3f0602ed30c1a80c9b8450550218925966f63c31cf5ea3f7f3723602de8e3a2

SHA512
a694af3dd5332a95a6b4944c868c790dfb0e85de11477cd8173726e46bbd2c2eab6b457489c6d901a9cc8a9533c567eb70a3aa04ea0d3c0c73259a5fc3f741cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d356105fac5527ef.customDestinations-ms

Filesize
6KB

MD5
ff9fb6fbcd472c2ec9e54a3da764bea9

SHA1
ee6a4761f54eeb83e14990f36bec70500632e3c5

SHA256
a9a8aa55ddf0586b83aec292836cecd5a3583dd8568415ac463b3e58af1bfc76

SHA512
cadfc2c938f8f3df30a64ee4272dda2d25962a06210047f2972d2774b0ed19166969191e5a51bb51e839bb843ebf5e3ee899a08154bc6aa856c320e1d48acc58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d356105fac5527ef.customDestinations-ms

Filesize
6KB

MD5
5ce87ce6c5770c8700ba9412a98588a5

SHA1
b7eee91579ed49c943ea60b4df83f03a5df8234e

SHA256
7d9bef09af4f87b8f13ad416103e5eb0cdddc221c56c244f5ac20bbbc6e581ae

SHA512
68cd7503965399e8d67f139d9d7735b96edf2eab87a481cccbc58f76e074ccddfff51c68a7c2edbb5c6517fff6906be8e50ab1b3a310c4442a47bfbfbe1430f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d356105fac5527ef.customDestinations-ms

Filesize
6KB

MD5
3ba4ba580d4fc1c7ffbd4264b7efd332

SHA1
615ee8e5dfd9633a91e432a69c2ad39460aab738

SHA256
14895b567983559fc0a0248c6ee1af992779409dcc68d62d9bac98a433248e2f

SHA512
686a290bfe6ca4d19527ebc3746dabee68ed27c5e2e027deabfc6d2930a652fd5c3b408db3b51db3389c3a20686a39e1b9c1d62cf12487f437eb38968fbcbfaa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d356105fac5527ef.customDestinations-ms

Filesize
6KB

MD5
7b985ac6873559ea263cddc4f56d9d47

SHA1
7c9c1ff4567cb654dae8c1990e64a84f8b0f9a88

SHA256
ab91da83f15c4e758f621b14c036870d32ef8c783c1ef682cfc8f7a5d4a27c3c

SHA512
dc6e1dfd1a2c332e71b40af4323a18e15dbee9907f37bba672f1a00e579d64f6f9880c4a32062be50d0292a94e0cf55e4887fc87b6c34662b7e12a106ad66c94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d356105fac5527ef.customDestinations-ms

Filesize
6KB

MD5
28e25772fed33e474edc9ce981436ffa

SHA1
90e0871dfe04d58d24717e018ea199bdd037896a

SHA256
1bf250a710ac516f650636c44efdcf5bbce4a973253b16d5d7f338031d56aae2

SHA512
0f1a2d615b4a0c17c6b23d72ba9a3317e504bb41c658e2a861e84693b180aeb4bed69ae770b592e906c0d549250e02bde4dc4bdd5372bfed9a50a0d4d3836ed5

Download Submit
C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 339258.crdownload

Filesize
240KB

MD5
e0456e69673029f41622f3b411956624

SHA1
87ce17a2ca4027cee4003b91e1e40509ec4fdc3b

SHA256
c5dd525b026572e83129e7654eba46654d1867defea1189e1b506e253ce54995

SHA512
83bf5106d2b4a6d1009239aa2ff38023e9c8c4c6237cc5e591430a1a14070f9b4555e9680c168cb61483f6e9cdc41e494c87ba0b85dd547b16302956bfcade84

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 468453.crdownload

Filesize
3.8MB

MD5
46c17c999744470b689331f41eab7df1

SHA1
b8a63127df6a87d333061c622220d6d70ed80f7c

SHA256
c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

SHA512
4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 773875.crdownload

Filesize
2.3MB

MD5
1b54b70beef8eb240db31718e8f7eb5d

SHA1
da5995070737ec655824c92622333c489eb6bce4

SHA256
7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb

SHA512
fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1192_899263176\LICENSE

Filesize
473B

MD5
f6719687bed7403612eaed0b191eb4a9

SHA1
dd03919750e45507743bd089a659e8efcefa7af1

SHA256
afb514e4269594234b32c873ba2cd3cc8892e836861137b531a40a1232820c59

SHA512
dd14a7eae05d90f35a055a5098d09cd2233d784f6ac228b5927925241689bff828e573b7a90a5196bfdd7aaeecf00f5c94486ad9e3910cfb07475fcfbb7f0d56

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1192_899263176\manifest.json

Filesize
1001B

MD5
2ff237adbc218a4934a8b361bcd3428e

SHA1
efad279269d9372dcf9c65b8527792e2e9e6ca7d

SHA256
25a702dd5389cc7b077c6b4e06c1fad9bdea74a9c37453388986d093c277d827

SHA512
bafd91699019ab756adf13633b825d9d9bae374ca146e8c05abc70c931d491d421268a6e6549a8d284782898bc6eb99e3017fbe3a98e09cd3dfecad19f95e542

Download Submit
memory/1048-13651-0x0000012997650000-0x000001299773A000-memory.dmp

Filesize
936KB

Download
memory/1048-13650-0x0000012996F20000-0x0000012997040000-memory.dmp

Filesize
1.1MB

Download
memory/1612-13648-0x0000012D06140000-0x0000012D06260000-memory.dmp

Filesize
1.1MB

Download
memory/1612-13649-0x0000012D068B0000-0x0000012D0699A000-memory.dmp

Filesize
936KB

Download
memory/1612-13535-0x00007FFD74070000-0x00007FFD74071000-memory.dmp

Filesize
4KB

Download
memory/1612-13534-0x00007FFD73DE0000-0x00007FFD73DE1000-memory.dmp

Filesize
4KB

Download
memory/2844-13761-0x000001E9E6CA0000-0x000001E9E6D8A000-memory.dmp

Filesize
936KB

Download
memory/2844-13756-0x000001E9E6940000-0x000001E9E6A60000-memory.dmp

Filesize
1.1MB

Download
memory/4072-13493-0x0000000000090000-0x0000000000542000-memory.dmp

Filesize
4.7MB

Download
memory/4932-13778-0x000000006F260000-0x00000000705A1000-memory.dmp

Filesize
19.3MB

Download
memory/4932-13654-0x000000006F260000-0x00000000705A1000-memory.dmp

Filesize
19.3MB

Download
memory/4932-13668-0x000000006F260000-0x00000000705A1000-memory.dmp

Filesize
19.3MB

Download
memory/4932-13673-0x000000006F260000-0x00000000705A1000-memory.dmp

Filesize
19.3MB

Download
memory/4932-13641-0x000000006F260000-0x00000000705A1000-memory.dmp

Filesize
19.3MB

Download
memory/4932-13678-0x000000006F260000-0x00000000705A1000-memory.dmp

Filesize
19.3MB

Download
memory/4932-13683-0x000000006F260000-0x00000000705A1000-memory.dmp

Filesize
19.3MB

Download
memory/4932-13692-0x000000006F260000-0x00000000705A1000-memory.dmp

Filesize
19.3MB

Download
memory/4932-13733-0x000000006F260000-0x00000000705A1000-memory.dmp

Filesize
19.3MB

Download
memory/4932-14061-0x000000006F260000-0x00000000705A1000-memory.dmp

Filesize
19.3MB

Download