4096c294fd311f8e1940bde9eaadd29fc69c63142ef626584644e7bf1cf53795

Analysis

max time kernel
439s
max time network
445s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
12/01/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

271KB
MD5

4b0e5876ac8c7d00d4df7700d9524920
SHA1

595dbd16187d344565bcc264a9c98a2e5f37b185
SHA256

4096c294fd311f8e1940bde9eaadd29fc69c63142ef626584644e7bf1cf53795
SHA512

512b60eb987ae66be3ee512d866c83eac4ed3dffc0f242bde9dc7ec8138051677a778205e8337d72e56881f67b4bd0ea62bd47888edcc113ce55d73adf8b38c9
SSDEEP

3072:HPxGtuHLXaZZEyIfS/lutt475UHyNBIlXzAwtN+25/jD5:HPxGturXaZZBIf1tc5UHgINjD5

Score

8^/10

steam defense_evasion discovery persistence phishing

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
6080	SteamSetup.exe
2252	steamservice.exe
5516	steam.exe
4160	OBS-Studio-31.0.0-Windows-Installer.exe
21536	check_for_64bit_visual_studio_2022_runtimes.exe
22088	VC_redist.x64.exe
22596	VC_redist.x64.exe
25296	VC_redist.x64.exe

Loads dropped DLL 13 IoCs

pid	Process
6080	SteamSetup.exe
6080	SteamSetup.exe
6080	SteamSetup.exe
6080	SteamSetup.exe
6080	SteamSetup.exe
6080	SteamSetup.exe
6080	SteamSetup.exe
6080	SteamSetup.exe
4160	OBS-Studio-31.0.0-Windows-Installer.exe
4160	OBS-Studio-31.0.0-Windows-Installer.exe
4160	OBS-Studio-31.0.0-Windows-Installer.exe
4160	OBS-Studio-31.0.0-Windows-Installer.exe
22596	VC_redist.x64.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"	SteamSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{5af95fd8-a22e-458f-acee-c61bd787178e} = "\"C:\\ProgramData\\Package Cache\\{5af95fd8-a22e-458f-acee-c61bd787178e}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Detected potential entity reuse from brand STEAM.
phishing steam

Drops file in System32 directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_threads.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\system32\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\system32\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140.dll	msiexec.exe
File created	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_1.dll	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\obs-studio\data\obs-plugins\obs-nvenc\locale\hu-HU.ini	OBS-Studio-31.0.0-Windows-Installer.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sd_ltrackpad_swipe_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\switchpro_sl_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sd_r2.svg_	steam.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\obs-browser\locale\sr-SP.ini	OBS-Studio-31.0.0-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\decklink\locale\hr-HR.ini	OBS-Studio-31.0.0-Windows-Installer.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps5_r2_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\switchpro_sl.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\joyconpair_left_sr_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_r4.svg_	steam.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\obs-websocket\locale\ka-GE.ini	OBS-Studio-31.0.0-Windows-Installer.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_010_wpn_0515.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps5_trackpad_l_up_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sc_touchpad_left.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_rstick_down_md.png_	steam.exe
File created	C:\Program Files\obs-studio\bin\64bit\libobs-d3d11.pdb	OBS-Studio-31.0.0-Windows-Installer.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps5_trackpad_l_swipe_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\xbox_rt_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\layout\updatecontrollerfirmware.layout_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\vstdlib_s64.dll_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_mouse_r_click_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_trackpad_down_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sc_touchpad_left_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\xbox_lt_soft_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_schinese.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_010_wpn_0080.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\emailreminder_close_hover.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps_color_outlined_button_circle_md.png_	steam.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\coreaudio-encoder\locale\fr-FR.ini	OBS-Studio-31.0.0-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-studio\themes\Dark\up.svg	OBS-Studio-31.0.0-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\obs-qsv11\locale\fr-FR.ini	OBS-Studio-31.0.0-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\obs-x264\locale\en-US.ini	OBS-Studio-31.0.0-Windows-Installer.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_040_act_0338.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_button_a-1.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sc_lb_md.png_	steam.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\obs-filters\blend_sub_filter.effect	OBS-Studio-31.0.0-Windows-Installer.exe
File created	C:\Program Files\obs-studio\obs-plugins\64bit\vlc-video.dll	OBS-Studio-31.0.0-Windows-Installer.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_045_move_0190.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\icon_cloud_disabled.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_gyro_yaw_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sd_ltrackpad_sm.png_	steam.exe
File created	C:\Program Files\obs-studio\data\obs-studio\themes\Dark\interact.svg	OBS-Studio-31.0.0-Windows-Installer.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sd_ltrackpad_up_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\hp_m1_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_trackpad_l_swipe_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_dpad_down_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\steamclean_danish.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\cef\cef.win7x64\snapshot_blob.bin_	steam.exe
File created	C:\Program Files\obs-studio\data\obs-studio\themes\Acri\radio_checked_disabled.png	OBS-Studio-31.0.0-Windows-Installer.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_060_vehicle_0110.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\btnOvrOnBottomRight.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\glow_friendslist.tga_	steam.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\obs-filters\sharpness.effect	OBS-Studio-31.0.0-Windows-Installer.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_040_act_0100.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\osx_min_hov_new.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sc_lt_soft.svg_	steam.exe
File created	C:\Program Files\obs-studio\obs-plugins\64bit\rtmp-services.dll	OBS-Studio-31.0.0-Windows-Installer.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_040_act_0301.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_050_menu_0160.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps5_trackpad_l_touch_sm.png_	steam.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\obs-outputs\locale\it-IT.ini	OBS-Studio-31.0.0-Windows-Installer.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\steamui_postlogon_norwegian.txt_	steam.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\aja-output-ui\locale\kmr-TR.ini	OBS-Studio-31.0.0-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\win-wasapi\locale\mn-MN.ini	OBS-Studio-31.0.0-Windows-Installer.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e5e251a.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI26B0.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B8B3BB4A-A10D-4F51-91B7-A64FFAC31EA7}	msiexec.exe
File created	C:\Windows\Installer\e5e252c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5e251a.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DFF500A73346E75B44.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF983113FDF426F7E4.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI279B.tmp	msiexec.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\OBS-Studio-31.0.0-Windows-Installer.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SteamSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OBS-Studio-31.0.0-Windows-Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe

Modifies registry class 57 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\steamlink\URL Protocol	steamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8800A266DCF6DD54E97A86760485EA5D	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\steamlink\DefaultIcon	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.40,bundle\ = "{5af95fd8-a22e-458f-acee-c61bd787178e}"	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.40,bundle\Dependents	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\URL Protocol	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\steamlink	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Net	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\steamlink\Shell	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\URL Protocol	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\steam\Shell	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\steam\URL Protocol	steamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\steamlink\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\ = "{B8B3BB4A-A10D-4F51-91B7-A64FFAC31EA7}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\DefaultIcon	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\steam	steamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Version = "14.40.33810"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.40.33810"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.40,bundle	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.40,bundle\Dependents\{5af95fd8-a22e-458f-acee-c61bd787178e}	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.40,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.40.33810"	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\steam\ = "URL:steam protocol"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\steam\DefaultIcon	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\ = "URL:steam protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\DefaultIcon	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open	steamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\steam\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.40,bundle\Version = "14.40.33810.0"	VC_redist.x64.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	steam.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\OBS-Studio-31.0.0-Windows-Installer.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2548	msedge.exe
2548	msedge.exe
5948	msedge.exe
5948	msedge.exe
2028	identity_helper.exe
2028	identity_helper.exe
3064	msedge.exe
3064	msedge.exe
6080	SteamSetup.exe
6080	SteamSetup.exe
6080	SteamSetup.exe
6080	SteamSetup.exe
6080	SteamSetup.exe
6080	SteamSetup.exe
6080	SteamSetup.exe
6080	SteamSetup.exe
6080	SteamSetup.exe
6080	SteamSetup.exe
6080	SteamSetup.exe
6080	SteamSetup.exe
6080	SteamSetup.exe
6080	SteamSetup.exe
6080	SteamSetup.exe
6080	SteamSetup.exe
4160	OBS-Studio-31.0.0-Windows-Installer.exe
4160	OBS-Studio-31.0.0-Windows-Installer.exe
4160	OBS-Studio-31.0.0-Windows-Installer.exe
4160	OBS-Studio-31.0.0-Windows-Installer.exe
4160	OBS-Studio-31.0.0-Windows-Installer.exe
4160	OBS-Studio-31.0.0-Windows-Installer.exe
11336	msiexec.exe
11336	msiexec.exe
11336	msiexec.exe
11336	msiexec.exe
11336	msiexec.exe
11336	msiexec.exe
11336	msiexec.exe
11336	msiexec.exe
11336	msiexec.exe
11336	msiexec.exe
11336	msiexec.exe
11336	msiexec.exe
11336	msiexec.exe
11336	msiexec.exe
11336	msiexec.exe
11336	msiexec.exe
11336	msiexec.exe
11336	msiexec.exe
11336	msiexec.exe
11336	msiexec.exe
11336	msiexec.exe
11336	msiexec.exe
11336	msiexec.exe
11336	msiexec.exe
11336	msiexec.exe
11336	msiexec.exe
11336	msiexec.exe
11336	msiexec.exe
11336	msiexec.exe
11336	msiexec.exe
11336	msiexec.exe
11336	msiexec.exe
11336	msiexec.exe
11336	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4160	OBS-Studio-31.0.0-Windows-Installer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	firefox.exe
Token: SeDebugPrivilege	2900	firefox.exe
Token: SeDebugPrivilege	2900	firefox.exe
Token: SeDebugPrivilege	2900	firefox.exe
Token: SeDebugPrivilege	2900	firefox.exe
Token: SeDebugPrivilege	2900	firefox.exe
Token: SeDebugPrivilege	6080	SteamSetup.exe
Token: SeDebugPrivilege	6080	SteamSetup.exe
Token: SeDebugPrivilege	6080	SteamSetup.exe
Token: SeDebugPrivilege	6080	SteamSetup.exe
Token: SeDebugPrivilege	6080	SteamSetup.exe
Token: SeSecurityPrivilege	2252	steamservice.exe
Token: SeSecurityPrivilege	2252	steamservice.exe
Token: SeDebugPrivilege	2900	firefox.exe
Token: SeBackupPrivilege	25636	vssvc.exe
Token: SeRestorePrivilege	25636	vssvc.exe
Token: SeAuditPrivilege	25636	vssvc.exe
Token: SeShutdownPrivilege	25296	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	25296	VC_redist.x64.exe
Token: SeSecurityPrivilege	11336	msiexec.exe
Token: SeCreateTokenPrivilege	25296	VC_redist.x64.exe
Token: SeAssignPrimaryTokenPrivilege	25296	VC_redist.x64.exe
Token: SeLockMemoryPrivilege	25296	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	25296	VC_redist.x64.exe
Token: SeMachineAccountPrivilege	25296	VC_redist.x64.exe
Token: SeTcbPrivilege	25296	VC_redist.x64.exe
Token: SeSecurityPrivilege	25296	VC_redist.x64.exe
Token: SeTakeOwnershipPrivilege	25296	VC_redist.x64.exe
Token: SeLoadDriverPrivilege	25296	VC_redist.x64.exe
Token: SeSystemProfilePrivilege	25296	VC_redist.x64.exe
Token: SeSystemtimePrivilege	25296	VC_redist.x64.exe
Token: SeProfSingleProcessPrivilege	25296	VC_redist.x64.exe
Token: SeIncBasePriorityPrivilege	25296	VC_redist.x64.exe
Token: SeCreatePagefilePrivilege	25296	VC_redist.x64.exe
Token: SeCreatePermanentPrivilege	25296	VC_redist.x64.exe
Token: SeBackupPrivilege	25296	VC_redist.x64.exe
Token: SeRestorePrivilege	25296	VC_redist.x64.exe
Token: SeShutdownPrivilege	25296	VC_redist.x64.exe
Token: SeDebugPrivilege	25296	VC_redist.x64.exe
Token: SeAuditPrivilege	25296	VC_redist.x64.exe
Token: SeSystemEnvironmentPrivilege	25296	VC_redist.x64.exe
Token: SeChangeNotifyPrivilege	25296	VC_redist.x64.exe
Token: SeRemoteShutdownPrivilege	25296	VC_redist.x64.exe
Token: SeUndockPrivilege	25296	VC_redist.x64.exe
Token: SeSyncAgentPrivilege	25296	VC_redist.x64.exe
Token: SeEnableDelegationPrivilege	25296	VC_redist.x64.exe
Token: SeManageVolumePrivilege	25296	VC_redist.x64.exe
Token: SeImpersonatePrivilege	25296	VC_redist.x64.exe
Token: SeCreateGlobalPrivilege	25296	VC_redist.x64.exe
Token: SeRestorePrivilege	11336	msiexec.exe
Token: SeTakeOwnershipPrivilege	11336	msiexec.exe
Token: SeRestorePrivilege	11336	msiexec.exe
Token: SeTakeOwnershipPrivilege	11336	msiexec.exe
Token: SeRestorePrivilege	11336	msiexec.exe
Token: SeTakeOwnershipPrivilege	11336	msiexec.exe
Token: SeRestorePrivilege	11336	msiexec.exe
Token: SeTakeOwnershipPrivilege	11336	msiexec.exe
Token: SeRestorePrivilege	11336	msiexec.exe
Token: SeTakeOwnershipPrivilege	11336	msiexec.exe
Token: SeRestorePrivilege	11336	msiexec.exe
Token: SeTakeOwnershipPrivilege	11336	msiexec.exe
Token: SeRestorePrivilege	11336	msiexec.exe
Token: SeTakeOwnershipPrivilege	11336	msiexec.exe
Token: SeRestorePrivilege	11336	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe

Suspicious use of SendNotifyMessage 60 IoCs

pid	Process
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
6080	SteamSetup.exe
2252	steamservice.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
2900	firefox.exe
4160	OBS-Studio-31.0.0-Windows-Installer.exe
22088	VC_redist.x64.exe
22596	VC_redist.x64.exe
25296	VC_redist.x64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5948 wrote to memory of 1036	5948	msedge.exe	77
PID 5948 wrote to memory of 1036	5948	msedge.exe	77
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 5200	5948	msedge.exe	78
PID 5948 wrote to memory of 2548	5948	msedge.exe	79
PID 5948 wrote to memory of 2548	5948	msedge.exe	79
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80
PID 5948 wrote to memory of 4864	5948	msedge.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb23ba3cb8,0x7ffb23ba3cc8,0x7ffb23ba3cd8
  2⤵
  PID:1036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,6489297703271624467,3548517776530554011,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,6489297703271624467,3548517776530554011,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,6489297703271624467,3548517776530554011,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6489297703271624467,3548517776530554011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6489297703271624467,3548517776530554011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,6489297703271624467,3548517776530554011,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,6489297703271624467,3548517776530554011,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6489297703271624467,3548517776530554011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6489297703271624467,3548517776530554011,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6489297703271624467,3548517776530554011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6489297703271624467,3548517776530554011,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6489297703271624467,3548517776530554011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1928 /prefetch:1
  2⤵
  PID:6128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4052

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5896
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa6ae25f-5819-40ba-9b05-ec20d20d9bd2} 2900 "\\.\pipe\gecko-crash-server-pipe.2900" gpu
    3⤵
    PID:4700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {766b9cef-6c23-4e7d-9ed4-c1fe97f1b35c} 2900 "\\.\pipe\gecko-crash-server-pipe.2900" socket
    3⤵
    PID:1432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2828 -childID 1 -isForBrowser -prefsHandle 3040 -prefMapHandle 3184 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0ad9873-300b-451a-a4f7-0948794e0af2} 2900 "\\.\pipe\gecko-crash-server-pipe.2900" tab
    3⤵
    PID:3996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3856 -childID 2 -isForBrowser -prefsHandle 3516 -prefMapHandle 3492 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29f02597-dab1-4a2a-80c4-c4a75a0836cf} 2900 "\\.\pipe\gecko-crash-server-pipe.2900" tab
    3⤵
    PID:4968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3528 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4532 -prefMapHandle 4504 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a98e4c8-3229-4373-9c96-2b58ed9efd8d} 2900 "\\.\pipe\gecko-crash-server-pipe.2900" utility
    3⤵
    - Checks processor information in registry
    PID:5164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5496 -childID 3 -isForBrowser -prefsHandle 5556 -prefMapHandle 5532 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd5b7d69-0010-4a22-b0cb-0e2d7ffbc66a} 2900 "\\.\pipe\gecko-crash-server-pipe.2900" tab
    3⤵
    PID:4756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5484 -childID 4 -isForBrowser -prefsHandle 5696 -prefMapHandle 5700 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {494e4ad1-e41f-464c-a494-9b5837bf149e} 2900 "\\.\pipe\gecko-crash-server-pipe.2900" tab
    3⤵
    PID:3472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5872 -childID 5 -isForBrowser -prefsHandle 5880 -prefMapHandle 5884 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b399d3f-44ce-44ff-a3e4-6eeaa8b12564} 2900 "\\.\pipe\gecko-crash-server-pipe.2900" tab
    3⤵
    PID:5428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5748 -childID 6 -isForBrowser -prefsHandle 4220 -prefMapHandle 4212 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {30ff805e-1e4f-48b9-ad86-02d68b57ce3b} 2900 "\\.\pipe\gecko-crash-server-pipe.2900" tab
    3⤵
    PID:4768
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6220 -childID 7 -isForBrowser -prefsHandle 6372 -prefMapHandle 4420 -prefsLen 28244 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {774ad550-c797-4e48-a071-9098ff20f04a} 2900 "\\.\pipe\gecko-crash-server-pipe.2900" tab
    3⤵
    PID:1576
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6756 -parentBuildID 20240401114208 -prefsHandle 6700 -prefMapHandle 6372 -prefsLen 33809 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8dfaef7-d6f0-4c09-8a69-7f2c8798ab9b} 2900 "\\.\pipe\gecko-crash-server-pipe.2900" rdd
    3⤵
    PID:5620
- - C:\Users\Admin\Downloads\SteamSetup.exe
    "C:\Users\Admin\Downloads\SteamSetup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:6080
  - - C:\Program Files (x86)\Steam\bin\steamservice.exe
      "C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6360 -childID 8 -isForBrowser -prefsHandle 7884 -prefMapHandle 7848 -prefsLen 28284 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11ef4a22-de72-4b66-b97e-77ed8b53da80} 2900 "\\.\pipe\gecko-crash-server-pipe.2900" tab
    3⤵
    PID:5024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6088 -childID 9 -isForBrowser -prefsHandle 6040 -prefMapHandle 6036 -prefsLen 28284 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb5e4362-61bc-415e-89b1-f757fa4fb208} 2900 "\\.\pipe\gecko-crash-server-pipe.2900" tab
    3⤵
    PID:6012
- - C:\Users\Admin\Downloads\OBS-Studio-31.0.0-Windows-Installer.exe
    "C:\Users\Admin\Downloads\OBS-Studio-31.0.0-Windows-Installer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:4160
  - - C:\Users\Admin\AppData\Local\Temp\nsxB20F.tmp\check_for_64bit_visual_studio_2022_runtimes.exe
      C:\Users\Admin\AppData\Local\Temp\nsxB20F.tmp\check_for_64bit_visual_studio_2022_runtimes.exe
      4⤵
      Executes dropped EXE
      PID:21536
  - - C:\Users\Admin\AppData\Local\Temp\nsxB20F.tmp\VC_redist.x64.exe
      "C:\Users\Admin\AppData\Local\Temp\nsxB20F.tmp\VC_redist.x64.exe" /quiet /norestart
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:22088
    - - C:\Windows\Temp\{F02CF7A7-E24A-4BF8-9BE6-FD88901ECCE6}\.cr\VC_redist.x64.exe
        
        "C:\Windows\Temp\{F02CF7A7-E24A-4BF8-9BE6-FD88901ECCE6}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\nsxB20F.tmp\VC_redist.x64.exe" -burn.filehandle.attached=584 -burn.filehandle.self=592 /quiet /norestart
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:22596
      - C:\Windows\Temp\{90AF68E8-CE2B-4DDF-A216-C41BE1CB47AE}\.be\VC_redist.x64.exe
        
        "C:\Windows\Temp\{90AF68E8-CE2B-4DDF-A216-C41BE1CB47AE}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{DB97EC95-64D8-40E2-9A7B-9B8F7B70BAA9} {AC09F536-C073-4B1B-A1F4-A20AC3D714F2} 22596
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:25296
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={5af95fd8-a22e-458f-acee-c61bd787178e} -burn.filehandle.self=1312 -burn.embedded BurnPipe.{5D7FA1EF-4A2C-4E0F-A657-6DC9385552C2} {0720944C-1B39-4507-ACB5-EC7706D13A49} 25296
        7⤵
        
        PID:20028
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=576 -burn.filehandle.self=592 -uninstall -quiet -burn.related.upgrade -burn.ancestors={5af95fd8-a22e-458f-acee-c61bd787178e} -burn.filehandle.self=1312 -burn.embedded BurnPipe.{5D7FA1EF-4A2C-4E0F-A657-6DC9385552C2} {0720944C-1B39-4507-ACB5-EC7706D13A49} 25296
        8⤵
        
        PID:20064
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{B71F8C66-3E3D-4590-8210-32CEE349DD63} {DC072D55-5039-4F4D-9FA9-2BC0BCF9C529} 20064
        9⤵
        
        PID:25048

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
PID:5516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:16244

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:25636

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:11336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5e251f.rbs

Filesize
19KB

MD5
4655f4bc81b5fdfbe099846a5baa82c4

SHA1
4a11dbe8c7ffc18992cd759c40874f53820d5bcd

SHA256
71e552389068e3e4fd5f9ab836a1bdd57238ead305ed479a66ab900a295d8a94

SHA512
4f01958a207761841cd3a4c91c11131a4d3365a157e76c3abfeaa770fc2a9648cad6937b8df7289a0845401b2e23dc41454fe2fde932efd425312fe7c8b29d25

Download Submit
C:\Config.Msi\e5e252b.rbs

Filesize
19KB

MD5
0077125698c3819d5b26692f26480fcf

SHA1
e00bd326bd3458a726b19683264546f4f7b9a01c

SHA256
7c62aeca8b705eecbe0e994ca96c2575ad4281059c3d4b6c362abef257911bcc

SHA512
975c0b20a68cb03a861792b0f96a57dfc71c0c6990254a425b4635ab412bf772feb86918f340ad6a8d8537dcfbc8810824fcc2ce8db4f6933da8b2a14df83490

Download Submit
C:\Config.Msi\e5e2532.rbs

Filesize
21KB

MD5
4164d9edc93c62b6fa153581bb44b55e

SHA1
e39834b0b85ac8a2219bf08094665a0e8f9ec20a

SHA256
099acc707aa6b2def19ede2fc84d51a1320f974ca52520fe8d18f1eccb659ae6

SHA512
6d99342fdb2eb13d4301f02445c3f2f3f65f4aa9b9406687c41d989133045f0ab3702dd6375b7f61f9304ba7c3bfb19538409222688a8c376c2f18a4faa91b0c

Download Submit
C:\Config.Msi\e5e2541.rbs

Filesize
21KB

MD5
74147de9b6c86edec6754b52f83674c6

SHA1
b2c8cace868fd3a6dd2652d39a32e94f71f8d0dd

SHA256
2dce14323a0d79c8f9a323d3da65e469ec87e05f751bf3ea96662ca0d68146ea

SHA512
ee8d5489973bb229ce2f2283b93cc095f58655f270ebd45fdf7d31035e61e631310ef84a01868225249a1a05902718423420f0f19f84432206edfb8f8d00b4e0

Download Submit
C:\Program Files (x86)\Steam\Steam.exe

Filesize
4.2MB

MD5
33bcb1c8975a4063a134a72803e0ca16

SHA1
ed7a4e6e66511bb8b3e32cbfb5557ebcb4082b65

SHA256
12222b0908eb69581985f7e04aa6240e928fb08aa5a3ec36acae3440633c9eb1

SHA512
13f3a7d6215bb4837ea0a1a9c5ba06a985e0c80979c25cfb526a390d71a15d1737c0290a899f4705c2749982c9f6c9007c1751fef1a97b12db529b2f33c97b49

Download Submit
C:\Program Files (x86)\Steam\bin\SteamService.exe

Filesize
2.5MB

MD5
ba0ea9249da4ab8f62432617489ae5a6

SHA1
d8873c5dcb6e128c39cf0c423b502821343659a7

SHA256
ce177dc8cf42513ff819c7b8597c7be290f9e98632a34ecd868dc76003421f0d

SHA512
52958d55b03e1ddc69afc2f1a02f7813199e4b3bf114514c438ab4d10d5ca83b865ba6090550951c0a43b666c6728304009572212444a27a3f5184663f4b0b8b

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_

Filesize
15KB

MD5
577b7286c7b05cecde9bea0a0d39740e

SHA1
144d97afe83738177a2dbe43994f14ec11e44b53

SHA256
983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824

SHA512
8cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_news_mousedown.tga_

Filesize
20KB

MD5
00bf35778a90f9dfa68ce0d1a032d9b5

SHA1
de6a3d102de9a186e1585be14b49390dcb9605d6

SHA256
cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2

SHA512
342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041

Download Submit
C:\Program Files (x86)\Steam\package\tmp\resource\filter_clean_bulgarian.txt.gz_

Filesize
23B

MD5
836dd6b25a8902af48cd52738b675e4b

SHA1
449347c06a872bedf311046bca8d316bfba3830b

SHA256
6feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64

SHA512
6ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_brazilian.txt

Filesize
4KB

MD5
0340d1a0bbdb8f3017d2326f4e351e0a

SHA1
90d078e9f732794db5b0ffeb781a1f2ed2966139

SHA256
0fcd7ae491b467858f2a8745c5ecdd55451399778c2119517ee686d1f264b544

SHA512
9d23e020875ed35825169a6542512ec2ffdb349472a12eb1e59ddc635e57c8fd65fa919873821e35c755aa7d027c9a62d3d0fa617340449d7b2c4cf8dd707e93

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_bulgarian.txt

Filesize
6KB

MD5
4c81277a127e3d65fb5065f518ffe9c2

SHA1
253264b9b56e5bac0714d5be6cade09ae74c2a3a

SHA256
76a6bd74194efd819d33802decdfddaae893069d7000e44944dda05022cfa6d9

SHA512
be077b61f3b6d56a1f4d24957deaf18d2dff699bda6569604aac4f1edb57c3cfd0abc5e2a67809f72e31a90b4aed0813536c153886da2099376964c60e56001a

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_czech.txt

Filesize
4KB

MD5
2158881817b9163bf0fd4724d549aed4

SHA1
c500f2e8f47a11129114ee4f19524aee8fecc502

SHA256
650a265dffdc5dc50200bb82d56f416a3a423eecc08c962cfd1ba2d40a1ff3f7

SHA512
f3594aad9d6c50254f690c903f078a5b7a58c33bd418abdad711ebb74cfbdb5564679593e08fb2d4378faaf4160d45e3d276ba1aa8a174ed77a5791bcac46f28

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_danish.txt

Filesize
4KB

MD5
03b664bd98485425c21cdf83bc358703

SHA1
0a31dcfeb1957e0b00b87c2305400d004a9a5bdb

SHA256
fdf7b42b3b027a12e1b79cb10ab9e6e34c668b04eb9e8a907d8611ba46473115

SHA512
4a8cdd4b98432ba9d9b36bc64aab9a2eab31a074d1cbdfab3d35a14216c60752b5580c41bbb70104993420043685d3bd47eb6637b8fcbb3f42f76a15e4be041d

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_dutch.txt

Filesize
4KB

MD5
31a29061e51e245f74bb26d103c666ad

SHA1
271e26240db3ba0dcffc10866ccfcfa1c33cf1cc

SHA256
56c8a86fa95eab0d8f34f498e079b5516b96d2a2f1ad9c2a888555e50e47f192

SHA512
f85865c1e9ab45e5586d3dd2b45d15265193e8a3c34b6bb1ac7e415a1ea878cfb044e8e01012e917e4f00bb9e0a422f56253f328df1bac99a145e19433354cf8

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_english.txt

Filesize
4KB

MD5
da6cd2483ad8a21e8356e63d036df55b

SHA1
0e808a400facec559e6fbab960a7bdfaab4c6b04

SHA256
ebececd3f691ac20e5b73e5c81861a01531203df3cf2baa9e1b6d004733a42a6

SHA512
06145861eb4803c9813a88cd715769a4baa0bab0e87b28f59aa242d4369817789f4c85114e8d0ceb502e080ec3ec03400385924ec7537e7b04f724ba7f17b925

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_finnish.txt

Filesize
4KB

MD5
9e62fc923c65bfc3f40aaf6ec4fd1010

SHA1
8f76faff18bd64696683c2a7a04d16aac1ef7e61

SHA256
8ff0f3cbdf28102ff037b9cda90590e4b66e1e654b90f9aea2cd5364494d02b7

SHA512
c8ff15373b37e848e6239a82424569e77c82a5fc557d17e7d2ed1d0d2b2f7d026cc1e2bc98cb5ee945c02cfefb82803c23fa6a26f48ff0adcf762f94cd5dd035

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_french.txt

Filesize
4KB

MD5
10c429eb58b4274af6b6ef08f376d46c

SHA1
af1e049ddb9f875c609b0f9a38651fc1867b50d3

SHA256
a1f6ba57ee41e009d904905c0ce5e75a59ee6790e08542561303109e1faafa13

SHA512
d8760f61760bffd8671b727d386ae220e7e6e68829a01553cfd5eb60ef8bd1d7c1b25e7b17a6db5bd17ba6712ef44999726764459318e784843c73bc4facaf46

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_german.txt

Filesize
4KB

MD5
5c026fd6072a7c5cf31c75818cddedec

SHA1
341aa1df1d034e6f0a7dff88d37c9f11a716cae6

SHA256
0828572e4fa00c186dbf1d9072a6154d65cb499c6a37e338f3305f77a2fee382

SHA512
f9d28714b2a05f8d9025f1692e4d7e8baa6daf6176353f65646a38814a242ef2adededa44419edd69f10cf96ffba506dab7cb6e52111457bf69cffef12174b12

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_greek.txt

Filesize
6KB

MD5
189ba063d1481528cbd6e0c4afc3abaa

SHA1
40bdd169fcc59928c69eea74fd7e057096b33092

SHA256
c0a7a1df442ac080668762df795c72aa322e9d415c41bd0a4c676a4dc0551695

SHA512
ce59ad9b17bab4de1254e92ce4fe7d8c8242832f62ab382e8f54199a9932cd11b5800cc33895441426373d5210cc74104e0271b721a7e26ed400b716ae4d5903

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_hungarian.txt

Filesize
4KB

MD5
18aaaf5ffcdd21b1b34291e812d83063

SHA1
aa9c7ae8d51e947582db493f0fd1d9941880429f

SHA256
1f45bb7bdfa01424f9237eec60eba35dc7f0dc4e8c2e193fe768fe96d3ff76d5

SHA512
4f3e56d1abe26b56d3f805dc85baaca450c0c7bec57ebcf8a6bb6ebb8588307dad130c83bf792bac76694909a14fd6a4d7d1e9b31e32fba11256343b9fc18154

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_indonesian.txt

Filesize
4KB

MD5
1514d082b672b372cdfb8dd85c3437f1

SHA1
336a01192edb76ae6501d6974b3b6f0c05ea223a

SHA256
3b3c5c615fd82070cc951ab482d3de8cb12df0b3df59fbd11f9d3271fa2fbca4

SHA512
4d41c945ce7c94746875b0dbceb14811d4966de4e97fe047406a304162fde7e1e2a16367fc2e43978e2e5aa66749f036b4444aa2312673c2cc3af296e8b77f55

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_italian.txt

Filesize
4KB

MD5
8958371646901eac40807eeb2f346382

SHA1
55fb07b48a3e354f7556d7edb75144635a850903

SHA256
b01ec64d75fd1fbd00fbeb45a3fb39244911a8b22bb43de4e0c03f205184f585

SHA512
14c5dbb017822336f22bf6779ccd4a66604ddc5f2c3caa24271e96f739fef007754d96844efa422d6682cbcd2d3bc902c36f0f6acb3eb87ed8d7b3f885973554

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_japanese.txt

Filesize
5KB

MD5
7e1d15fc9ba66a868c5c6cb1c2822f83

SHA1
bfe9a25fdc8721d7b76cecb9527a9ba7823dc3d7

SHA256
fc74e26a8baabbe4851109512d85173b75dbf7293d41eb3b92a1957a773c8265

SHA512
0892be14a858cc860766afb1c996b2c355108a7e50971ea3ec00d15069e919a6eb05a61fa839bea3938492c391e274144c5e248f4c204a602bf36adf27e5b406

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_koreana.txt

Filesize
4KB

MD5
202b825d0ef72096b82db255c4e747fa

SHA1
3a3265e5bbaa1d1b774195a3858f29cea75c9e75

SHA256
3d1399f5323a3ece1b1a8b3b31f8fd7f50c3bd319ab3f1c38c6e347452c95314

SHA512
e8fc7cc09f431301d22a07b238179ee053505090e3c4db30ead061513fe7159f1fe8b80efc93f4597fe00f01087bbe0bb2231e13693d72c8def138657cb91566

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_latam.txt

Filesize
4KB

MD5
7913f3f33839e3af9e10455df69866c2

SHA1
15fa957d0a6a2717027f5b35f4dbe5e0ab8ece25

SHA256
05bc1f4973c6d36002ac1b37ce46b1f941fcb4338282e0ec1ec83fb558d1a88c

SHA512
534e541757d19ee157a268bf7ea358b48015f400542fcfa49cdb547cd652926160f015fe2cf026d9c4996e56ab90ca3899dfd457997d915bf6bc9d7bb00ba804

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_norwegian.txt

Filesize
4KB

MD5
58e0fcbee3cca4ef61b97928cfe89535

SHA1
1297e3af3ca9e4fe3cc5db78ebbfa642e8a2c57b

SHA256
c084a68b65d507eb831831aa2ab9afb9536cb99a840d248cc155ff87fad18425

SHA512
99aff0c481e34cd0e4fcbb2af471afb56d91aa11be664462b08e17ae169ca03ef77e7063b4ecd0f38ca7b2f6dc0bf2e316c7b31dffbbcfc763cd8fae27dc78d2

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_polish.txt

Filesize
4KB

MD5
9b0b0e82f753cc115d87c7199885ad1b

SHA1
5743a4ab58684c1f154f84895d87f000b4e98021

SHA256
0bdeee9fa28d54d384e06ea646fbcfe3f06698a31dfdc1a50703ffe83ad78d32

SHA512
b7780b82fbe705bc8e5a527c011eb685c99ef0b2eb810617b9f82b891341af95ef1c2f46dce9e458c0c4dcc3e7a0d21db6c77f03419cd1c4b521a9b72f9017df

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_portuguese.txt

Filesize
4KB

MD5
eb8926608c5933f05a3f0090e551b15d

SHA1
a1012904d440c0e74dad336eac8793ac110f78f8

SHA256
2ed2b0d654d60e0a82b0968a91d568b775144e9d92f2b077b6da75f85ad12d04

SHA512
9113c42c38836f71ff0cc7019aff8c873845f47fbf1ab97e981cb038f4d8495b6df784402b1ee9666e8e567ae866b0284c81e6a16efb47131d5ef88569c4843a

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_romanian.txt

Filesize
4KB

MD5
6367f43ea3780c4ee166454f5936b1a8

SHA1
027a2c24c8320458c49cd78053f586cb4d94ee6f

SHA256
f8d1972e75a320344e3c834ba0a3a6a86edb39e20ef706bda9b7965d440d1998

SHA512
31aab33e0d272cb43a8c160b3d37256716a683e5052192fd0e4d3cdaf30a10a9afa9d26d5d14ad216ee455627c32892a711d2bc137ee7a7df9a297f001a19e32

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_russian.txt

Filesize
6KB

MD5
e04ad6c236b6c61fc53e2cb57ced87e8

SHA1
e9d4846b7e6cc755ee14a5d3fa45ee7d3bf425a4

SHA256
08c775efa77c2a92d369f794882e467b6e2526e61bc7aa7724f48e174524502e

SHA512
0dfb7e6d811d649103499018f3d115c542fcaba420ceb69124a4d837fe162ce514e7be2040860c5ef5f9c01c961fa6eea8730606b73ec107d87597989b6fd331

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_schinese.txt

Filesize
4KB

MD5
56dcf7b68f70826262a6ffaffe6b1c49

SHA1
12e4272ba0e4eabc610670cdc6941f942da1eb6a

SHA256
948cad1bb27109e008f2457248880c759d3fa98b92c5b4033b94f455cb8ac43f

SHA512
c3fd9caf0bd4c303a7cc300faada9cfe6dd752e82d67625b31f4c0c2c091596508bb477fe19f758fdf79b25b8ac3f5320a8785d2b6705b9bcc28a054a59454e2

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_spanish.txt

Filesize
4KB

MD5
66456d2b1085446a9f2dbd9e4632754b

SHA1
8da6248b57e5c2970d853b8d21373772a34b1c28

SHA256
c4f821a4903c4e7faea2931c7fb1cf261eba06a9840c78fdca689f5c784c06c4

SHA512
196c2282ba13715709ece706c9219fe70c05dd295840082e7d901b9e5592e74b1bb556782181cdbe35bd1ab0d6197fef67258b09491fabc6f27606dbed667d49

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_swedish.txt

Filesize
4KB

MD5
b2248784049e1af0c690be2af13a4ef3

SHA1
aec7461fa46b7f6d00ff308aa9d19c39b934c595

SHA256
4bf6b25bf5b18e13b04db6ed2e5ed635eb844fc52baa892f530194d9471f5690

SHA512
f5cee6bba20a4d05473971f7f87a36990e88a44b2855c7655b77f48f223219978d91bcd02d320c7e6c2ec368234e1d0201be85b5626ef4909e047e416e1a066c

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_tchinese.txt

Filesize
4KB

MD5
194a73f900a3283da4caa6c09fefcb08

SHA1
a7a8005ca77b9f5d9791cb66fcdf6579763b2abb

SHA256
5e4f2de5ee98d5d76f5d76fb925417d6668fba08e89f7240f923f3378e3e66f6

SHA512
25842535c165d48f4cf4fa7fd06818ec5585cc3719eff933f5776a842713d7adb5667c3b9b1a122a1152450e797535fc7a8e97ebdd31c14b4d4900a33ede01f3

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_thai.txt

Filesize
7KB

MD5
53f7e8ac1affb04bf132c2ca818eb01e

SHA1
bffc3e111761e4dc514c6398a07ffce8555697f6

SHA256
488294b7faff720dc3ab5a72e0607761484c678b96d6bcd6aad9ee2388356a83

SHA512
c2e79c2505a6fd075df113ffce92ad42c146424ca39087601daa4ed15a2b5528d478a093921d9d8a738c7b6b963275a0693ebe526b6e2135d14ced03639d0e70

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_turkish.txt

Filesize
4KB

MD5
29f9a5ab4adfae371bf980b82de2cb57

SHA1
6f7ef52a09b99868dd7230f513630ffe473eddf8

SHA256
711675edb20b3cb70acf6cf75f2eea8e0d87c8ace3e11c8df362b4517427a34f

SHA512
543fe63f791250e05e8fda24fd2ceadebb4c8925e8927de49ae490895c87eed3e61a9ad50237532649f99fe3165836261de215ee3f66ffbfc6d677ddeea7732a

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_ukrainian.txt

Filesize
6KB

MD5
cadd7a2f359b22580bdd6281ea23744d

SHA1
e82e790a7561d0908aee8e3b1af97823e147f88b

SHA256
3dd0edfbe68236e668fb308f92fe7c6493dbb05bfca85a48de93588f479ccc99

SHA512
53672dd13e6ccbe96f6d4a61297c595b6d6cba8de92caa51ccf8ab1d8a82eea5a425eab348f295b9ec27de0026ef849d9230f751a46e040be8863923f91b8519

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_vietnamese.txt

Filesize
4KB

MD5
f350c8747d77777f456037184af9212c

SHA1
753d8c260b852a299df76c4f215b0d2215f6a723

SHA256
15b6a564e05857a3d2fd6eec85a5a30c491a7553d15ffc025156b3665b919185

SHA512
efb86809a0b357b4fcd3ba2770c97d225d0f4d9fb7430c515e847c3dd77ee109def4bef11b650b9773c17050e618008fc03377638c1db3393ac780b5b0bc31b2

Download Submit
C:\Program Files\obs-studio\data\obs-plugins\nv-filters\locale\en-GB.ini

Filesize
1B

MD5
01abfc750a0c942167651c40d088531d

SHA1
d08f88df745fa7950b104e4a707a31cfce7b5841

SHA256
334359b90efed75da5f0ada1d5e6b256f4a6bd0aee7eb39c0f90182a021ffc8b

SHA512
d369286ac86b60fa920f6464d26becacd9f4c8bd885b783407cdcaa74fafd45a8b56b364b63f6256c3ceef26278a1c7799d4243a8149b5ede5ce1d890b5c7236

Download Submit
C:\Program Files\obs-studio\data\obs-plugins\obs-filters\color.effect

Filesize
3KB

MD5
4acb6776b331a70950ed97371ecc5e63

SHA1
356bd8a1a32f99ed9ed443451a1373e3f2a5243a

SHA256
868404f54ec1c0b4771dee7a139a40baf2f9e5fffa43baf3fc8e60fcd03023a3

SHA512
a5e483a85192db013aef81c2dda70a8ab8691140bad3b3b624a5ec8ae0e5ac215b4b02606712da825719086556ef11df5f41150138a70bc856adb23352dba126

Download Submit
C:\Program Files\obs-studio\data\obs-plugins\obs-qsv11\locale\oc-FR.ini

Filesize
18B

MD5
0ebd4c9db48f04f789e6254a92af4b97

SHA1
45f98976d001a97e4b18489cb73cca2aadcb1cf3

SHA256
54550f5495ca78de8ab1b4d32ddec042077823cb5654808e9f9f003857125450

SHA512
9b3ca441b80f23ff89094175bca2a2647d76e38277830420e933935a631a82ee010743410b632078750f4272cdc6b3362a56649ce9694a2c712367e0ab7f0e21

Download Submit
C:\Program Files\obs-studio\data\obs-plugins\obs-x264\locale\nn-NO.ini

Filesize
18B

MD5
8d11d8d5f894ac1ee8c551e9133c2e55

SHA1
10ddd90b51e5829b453c8990a7a7113757ce1ea3

SHA256
2a350d4fafb4a2c11614f7cb1bd9e59b305f1bf7446498ef11bfc6e8f25c12d7

SHA512
9e511850b7dabebad73e30508016dbcfdcc5f486bd06f12246f6a3ea0ae470f8a2e7ad20b924875961ec4c0ee10024e50dd4357189708d75b7ab190b58eb698c

Download Submit
C:\Program Files\obs-studio\data\obs-plugins\win-capture\schema\package-schema.json

Filesize
1KB

MD5
cfc8555dce7c954555346ec0ef15fae8

SHA1
da1983d90d8bbbd3eb778ebb92d45427f1b35f41

SHA256
524437addbda00d3a64413b639847211054905a959786a4a5609fcbbb1f101f5

SHA512
4add0e8632568a665d640f63ec9eb992a3f50a21675883d48d26e784caf8b25c4bf6de706c2ab705fdad325adb02cd681779eed632976dfb042caa88a16d390d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
003b92b33b2eb97e6c1a0929121829b8

SHA1
6f18e96c7a2e07fb5a80acb3c9916748fd48827a

SHA256
8001f251d5932a62bfe17b0ba3686ce255ecf9adb95a06ecb954faa096be3e54

SHA512
18005c6c07475e6dd1ec310fe511353381cf0f15d086cf20dc6ed8825c872944185c767f80306e56fec9380804933aa37a8f12c720398b4b3b42cb216b41cf77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
051a939f60dced99602add88b5b71f58

SHA1
a71acd61be911ff6ff7e5a9e5965597c8c7c0765

SHA256
2cff121889a0a77f49cdc4564bdd1320cf588c9dcd36012dbc3669cf73015d10

SHA512
a9c72ed43b895089a9e036aba6da96213fedd2f05f0a69ae8d1fa07851ac8263e58af86c7103ce4b4f9cfe92f9c9d0a46085c066a54ce825ef53505fdb988d1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2333807308be788aec2ce8b04aedbf9e

SHA1
fdbac56e094f4ed2351e4e5fdf5a9612e85b07cf

SHA256
f1591f869d09b1dc4ff3ab94ce43c170464b727c60d02ca34b2d4a24de955140

SHA512
31edc0f1d5da1ac9b0d02d1ee83f0edb2d9f0b6ce9efd586a0d9f8dd3eea9066c269e932bb5e1a2648611fa79d1734868eb4f1f13f4556e0db3a32f5f86e1c0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7d69a45233c0d6987d40f467fd7dcca2

SHA1
c24826d222615ed40f1ce6982766d41f4b16e358

SHA256
b7f4ff17dd2f51cd1d51c1547c94b4612e2aa9bddc1a3d8015ef4672b629583b

SHA512
5f5291fed91d2feca3951611b54c8612f6925146440cad38b9f627d3d9f2de3bb2d3e5b3896c6a96ec849cea17ff4fc38ac511b71db11f7dd68aa2473666dc3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
71b33b2a4a0b05da93e304e4c49b4abc

SHA1
fcb09d25a925744f701f8bd17d17cd3274de65e9

SHA256
4a254ce57f4e8744463182a1c4486f8113e212b7aca6d8b1af510ae738bfa328

SHA512
64200f48534fb5b0d4007c228f8013e4c48a90fb693d555b60b3ff95315013a4fb12f20e2f589257b4cdd8be71b1b315a2607339b67da4026921cc8c2925a7d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1f8e98ddec0d32bfe633ee98c86d28f2

SHA1
41426aa8e76c2b88e2c78e05ad6cea56bee99e4b

SHA256
8f93ba70b4fad6abce2c345c7d150e8a54c829a0f41768ae6992e9ec8626ece1

SHA512
8090168a6c3ecb5068452b6c498cdbacf262fcbb041a30b1f539c2003bb9dc0576ceb67d26d2248d057eb599e504bf4cfc561df90122a4e2dc39cb33cf01af6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
48725aa6a740f5203458d338a895ccf6

SHA1
3415d16593f46216e6e732e670ad698ce32063f0

SHA256
b6d5c75fa1d9a69c105997394afab9302e0ca76517be70a7d586ec9f859787ae

SHA512
b8a12c13bc82d174f871e00f09105a2ddf14ba9eb2dee1107dce777ed83393e497944c55f9ca0e1e8373300d1253243411cbe43c39bbe16c1bb096b540831f8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1e91162d49912f1742a9b4479555f59a

SHA1
32fce763953bcf8669e805f8066220ac685dff9f

SHA256
de1275ccaa9c917adc51e839cb5f6e82a15b1d0011685db296c1f0a32d910ec2

SHA512
028170a7fc0fbce18b63687bf625f280006a6d9456186ae2f60f3cca57726738bdd1d9831c6517d983e89d58ce68d43a7e6961266950e5122e73c597bef63a00

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\74uts9gp.default-release\cache2\entries\586D25A03895848B0609C1B0C9097200E0CF65C6

Filesize
61KB

MD5
55977211e6cef80fb26a0480b3360342

SHA1
d64293be6ebb2331175c9217c0293eacf0fda58a

SHA256
7181e1e539bdaa1caa5cd0cae24fbf3e4855d88075c85a7b57cdff48294b48b7

SHA512
503351e92ca61d575f24184a3333627798525401c62104315779af1adb922af0731da31239dc80a926fc48085a541be8517c58a18a4d863c677ee8c0d82d144e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\74uts9gp.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvA4AB.tmp\StdUtils.dll

Filesize
110KB

MD5
db11ab4828b429a987e7682e495c1810

SHA1
29c2c2069c4975c90789dc6d3677b4b650196561

SHA256
c602c44a4d4088dbf5a659f36ba1c3a9d81f8367577de0cb940c0b8afee5c376

SHA512
460d1ccfc0d7180eae4e6f1a326d175fec78a7d6014447a9a79b6df501fa05cd4bd90f8f7a85b7b6a4610e2fa7059e30ae6e17bc828d370e5750de9b40b9ae88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvA4AB.tmp\System.dll

Filesize
22KB

MD5
a36fbe922ffac9cd85a845d7a813f391

SHA1
f656a613a723cc1b449034d73551b4fcdf0dcf1a

SHA256
fa367ae36bfbe7c989c24c7abbb13482fc20bc35e7812dc377aa1c281ee14cc0

SHA512
1d1b95a285536ddc2a89a9b3be4bb5151b1d4c018ea8e521de838498f62e8f29bb7b3b0250df73e327e8e65e2c80b4a2d9a781276bf2a51d10e7099bacb2e50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvA4AB.tmp\modern-wizard.bmp

Filesize
150KB

MD5
3614a4be6b610f1daf6c801574f161fe

SHA1
6edee98c0084a94caa1fe0124b4c19f42b4e7de6

SHA256
16e0edc9f47e6e95a9bcad15adbdc46be774fbcd045dd526fc16fc38fdc8d49b

SHA512
06e0eff28dfd9a428b31147b242f989ce3e92474a3f391ba62ac8d0d05f1a48f4cf82fd27171658acbd667eaffb94cb4e1baf17040dc3b6e8b27f39b843ca281

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvA4AB.tmp\nsDialogs.dll

Filesize
20KB

MD5
4e5bc4458afa770636f2806ee0a1e999

SHA1
76dcc64af867526f776ab9225e7f4fe076487765

SHA256
91a484dc79be64dd11bf5acb62c893e57505fcd8809483aa92b04f10d81f9de0

SHA512
b6f529073a943bddbcb30a57d62216c78fcc9a09424b51ac0824ebfb9cac6cae4211bda26522d6923bd228f244ed8c41656c38284c71867f65d425727dd70162

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvA4AB.tmp\nsExec.dll

Filesize
17KB

MD5
2095af18c696968208315d4328a2b7fe

SHA1
b1b0e70c03724b2941e92c5098cc1fc0f2b51568

SHA256
3e2399ae5ce16dd69f7e2c71d928cf54a1024afced8155f1fd663a3e123d9226

SHA512
60105dfb1cd60b4048bd7b367969f36ed6bd29f92488ba8cfa862e31942fd529cbc58e8b0c738d91d8bef07c5902ce334e36c66eae1bfe104b44a159b5615ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvA4AB.tmp\nsProcess.dll

Filesize
15KB

MD5
08072dc900ca0626e8c079b2c5bcfcf3

SHA1
35f2bfa0b1b2a65b9475fb91af31f7b02aee4e37

SHA256
bb6ce83ddaad4f530a66a1048fac868dfc3b86f5e7b8e240d84d1633e385aee8

SHA512
8981da7f225eb78c414e9fb3c63af0c4daae4a78b4f3033df11cce43c3a22fdbf3853425fe3024f68c73d57ffb128cba4d0db63eda1402212d1c7e0ac022353c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxB20F.tmp\InstallOptions.dll

Filesize
15KB

MD5
d1eefb07abc2577dfb92eb2e95a975e4

SHA1
0584c2b1807bc3bd10d4b60d2d23eeb0e6832ca2

SHA256
89dd7d646278d8bfc41d5446bdc348b9a9afaa832abf02c1396272bb7ac7262a

SHA512
eaffd9940b1df59e95e2adb79b3b6415fff5bf196ebea5fe625a6c52e552a00b44d985a36a8dd9eb33eba2425ffea4244ed07a75d87284ff51ec9f9a5e1ac65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxB20F.tmp\OBSInstallerUtils.dll

Filesize
426KB

MD5
e1f825260e7224ef0526514754f7d0e8

SHA1
553d67289b039ffea5d8b59f509b9265dca2ba19

SHA256
1d84aa191fbbd842d5eeed302195579de1256a9acb980308bf31a631ac01e530

SHA512
b9453eb4ae6edbfd86e438ed0825725ab91100b8403a933bb0e359703be462f6d3d37f8bfb32eeae375a46512c619370f9802925ae0d8898f540f933b05b281f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxB20F.tmp\System.dll

Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxB20F.tmp\check_for_64bit_visual_studio_2022_runtimes.exe

Filesize
10KB

MD5
9baff51bb8539498c81d0c2ed0034d9d

SHA1
e85ff796a54221f723ad36412329d8c650b7717f

SHA256
b324a6025986306656fc2a03d0a3e9ed5917dfa7cf14fbfca888d65b39822074

SHA512
cc4008bb5586840c1f031f09ce04904b22ae5ec43c3331586593fefffa22725c076835627253d6aa0468fd24124068603b82eb45490cf96e20a6c4f1d5472576

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxB20F.tmp\ioSpecial.ini

Filesize
1KB

MD5
059ab4ff0dff3e6ff883ba76d832b15a

SHA1
160482ef11218e73b1423fc013ae6fbb71620557

SHA256
68babe2865f12599477351e3b6d84247475e904906af1f110e7f426f60e554ff

SHA512
04eea25a21bb817ed49d4c57574f852a46affb6c0de07d0d41693833e4a39beeb062651523cebde27bdb47d3e9c3a5a6663e6b738e21a7de91c1857a98088c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
7KB

MD5
dc82366b8f83a00b1551d67deb25b090

SHA1
db5ca3667b74f2cd12350ebdd638fc9234f83bc7

SHA256
c83c48346860b7bad1118740d45bf32998060206e073a8cc4ed2559e3e5a774f

SHA512
61b2c52a6aef8c42b294a06dccc7005e445c7c964a24ff602f865b96b643633a70eec31c8c66e8d4357a0390e490997c50c3ecf82942cdef2d31ca3686f4d1c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
17KB

MD5
29d07516e8f1639a2cb207b9b7c84f4f

SHA1
fe231d01bb3668699ffd8aadec27c798cfa183ba

SHA256
116f1bd68d9ab5c7dd5e92a203cf18e668b5e59d8d8c5b9fe795bf86867ae8fa

SHA512
1a348e2230ce8c1a6affcedb8f94681406c59d81ff546a9d50080d5f7faafe66f6d2d58c763e8443b98f93e2cd933164b1980513075d48ec8da1483f97a3b07a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
b1684b159d8ce25dc6b3048cf8c8bab1

SHA1
0dab12762809c4ef6a380af44748c0dd3c42ec6b

SHA256
4427f932d43010b235d17fcee2518897f4d4c30e5383672c2af3add5828cfd75

SHA512
e505154dae4e011db4e7e2e8800b0dff8fe290861e87082a742c582d3e355546c4c6998424ee3f19af2bb5ea69264510587dd48726167fb35b5d2006e10caeb8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\AlternateServices.bin

Filesize
8KB

MD5
8842184daaaa47edd90c4aed297899b5

SHA1
9ac8e4f88ce59e5b18933e78db1a819c7c6f4f41

SHA256
0582e21339f04eab207dc28aed9adb5c5a7bbd3f2631ecb3fad20e46e37c9fbb

SHA512
b337229dbeddafc993e3be741240f183b81de62de73d5ed16f92273ac0c90cee22953fe7ded7fa6c2b73116ae4bccff3394d083f21e5c93d874cacceee3ad60a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\AlternateServices.bin

Filesize
12KB

MD5
96584c1c0badcb5251581946d3b1aa03

SHA1
83ed968018c65ee11a49db7a06c65844ba5fe41f

SHA256
88d4d0fabf0e2da45735c659d358ad5d9add609cf086dafabd9d7bdc2952231c

SHA512
457d8c6139313057f0fb4f119e271c4df607cebddc4281fa407cdf088548a1ac18e1a257f26d922824339907423148f29eafd5e0d4e04215bd74f33c1f3d607f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
93be40c282902e145e14d78ccee791d7

SHA1
d21ba9fa21ebca86f76405d8622ac4a552ec7360

SHA256
7797e0135a51aa950230c73885268530b79a528c5a0ca6f7167084be4b6bbbde

SHA512
995c73038f6fbfdf57435dec694305b98447d36a9250b3a653b7532dd8bf00457b9fb1344cce1e1335cf4a39da8fad839562778fb80279b27204f57b84f5645f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
b92f8915b6456348b14084262c930504

SHA1
ac8964a7950a0544c94b1f5fc6e89331a12e2f02

SHA256
69a6b4f7679eef11e8c60f6d97d7ac71ca22542a865a1ce68e3e34eb925ade95

SHA512
41dd0ce7617acfdb3d9033a963d0bbb1e73e62b6ea2c3b5e116238114a9c41de3808670be2b21335cc739542c610504131c46f777e821153de75e51fcb12a97c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
4efb06748b33b97569f7a1204485ae1d

SHA1
6ef0b851466187a1492739e2bbb35c9d4af5cdae

SHA256
d37b88461b5a40f0b393a82e6388146e53dd8afade38be2b36d8592f75aa7afb

SHA512
46d2526d2296ddeb3e5ddedde42d98957d7d98c5059392aa20bbc8c280fcaec03b7ed938784f8a5e050912ce014dd196da79b2cc5495249aa472b330db4b03f5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\datareporting\glean\pending_pings\00df42e5-a4d1-49e0-a295-3ba36bdd4fa2

Filesize
671B

MD5
e704b509e3222af273c5e40352d94632

SHA1
a00af7fe6076bd0a723ab6bd23e6651646f6fa56

SHA256
dd73cfd7dffee33719ac6ec57fe6e9a47f8ce10ac6adf8c574d5d3f9fb765c1e

SHA512
a06a61cd23934e6df7e49fa4fd2f10b6126b2d3a070963364ab73a191652245d8dadf3f1935cb04ae0db6c593ad0796a616dc95a0f8c39abd1444d352e74fd7d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\datareporting\glean\pending_pings\459356a1-dfe9-430c-8401-c33ff32e8767

Filesize
982B

MD5
4599cac892cf6b76fd228757cfdf1709

SHA1
90b2f98257ccc5e2b056aa0da9ccda27d3e3c987

SHA256
509dd9a0160456481f7216c2f650332d5548970c787171e7eb0a71c2f6dd6c55

SHA512
2af0a70eabce5e179a65d0b175a23d825604cd8227cffc85c00f8ad83c19e5f79d76492a65f1f9e77abbbbb9bf70285e2a5c87b69ac9551cca952ada9b95e153

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\datareporting\glean\pending_pings\45b30a76-9e77-488c-8703-325932dc05cc

Filesize
846B

MD5
3954073a1cb16a8d60e24557fff0ec1f

SHA1
e771314693ea02d167d8e78dbfb444337efca0e6

SHA256
88a5825e263c3cda54146d837aba84012d15190073bd9c1292d75e696875cdcf

SHA512
d12c3f3a3672c9ad46e01af5d9701af11483b3639ec228905c4d3a2e934c4aa1a5ee2233627ffbde38b4ba0c89f529e4a527ab120fd59e240a2ddb0721e96e70

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\datareporting\glean\pending_pings\9eefdf8d-fd71-4dc2-9289-cca331dcccd2

Filesize
26KB

MD5
cddcb61d0f3532c9bbf6f3354050fe51

SHA1
3c02c48652f604ba03b37ac79002a16f14474ac1

SHA256
1a91d33aafa1f277be34871c4fc7fd9e12f1d82890e9d862a168a90ab8ae0e0c

SHA512
aa782f56e47e98c3eac20dcc8e3359451b1d2428ae53809498bc92eadb133cc49e9f2f9712627c5ff0bb0ca4e86778ff2a00411677a57c8ff44344223e6fd7ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\datareporting\glean\pending_pings\f7a6da06-f34a-4315-8675-43dcb69a942d

Filesize
2KB

MD5
78d26af4040cc60414be66e12e912a06

SHA1
76e0a11f9bf5478da564ac42f2486665ed055351

SHA256
62a6e30441088f3b8e92485d7a6a67946eeb97834186014054ce4f57a0fb881d

SHA512
d1a30eb0b2a78fe49f23ed95c4a0b3442643bf1487951d66d4aba02011ca303100c3dee3dcd0ac399f7e7a4161b5db1d08a98e85b61a5e2801141cb737d0998c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\prefs-1.js

Filesize
9KB

MD5
fb5fa0feb0fcdd5d1b7b181bf96cf91e

SHA1
5876d7790d6f14bfb6e26c1609013c449d325d3a

SHA256
d5ea0012bf81f20ea075b97f2e36b3ef6c449aef066dae2e0f973c7ef21bbb3d

SHA512
ac092470ef57415651b4cc703db9c08c124e988bed31e0a0d8532434d1b6b57a6b1a5d621d813daebc34f72473d8a18e267c5004b842eead31b9a70be9b159f4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\prefs-1.js

Filesize
10KB

MD5
e51eaf137c57d22e7aeda01466e9eb33

SHA1
bc37007b01e515f0acbd0fbb16fc2547bf0f43a8

SHA256
0530c552f0ccf51b56552a5693b2a7383d1b48d8dea15f08d7d3e7dba5891a85

SHA512
d89b22772cd4a5eac9bcccbc21911e6a132e5c5f7c26cbc9cdf849e5492ac87f0ad3a85d9600378fc07168b3c0b92707ac53a81727d54b53185e4dc46d7f4933

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
1a5c443ffb6aa07bb69f417415fa49fc

SHA1
f5a18227801f4476564c03f3c9b201922d1670bd

SHA256
b264f8df9de9e2f17aede80d31488fc5d72c4710912a1f25be2fba715b3c5d91

SHA512
30ccbde02511c2d2d75b20aeffc5ace606497073ed441703adf8de5dc1e6e17ad63a924667b5bcc8ec7e9d6b0d0e0252cf11e5babd36981a8d44ac221e637dff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\sessionstore-backups\recovery.baklz4

Filesize
46KB

MD5
e022238f50e2e4ee8caa6c421dc3957f

SHA1
3c7ad235d74bd4725a27387ecc4295dcb697d8e9

SHA256
6d95c999925405ec9f9f6b24767018cb8b1a3ff8c9b3571a82cc9edac51f2b3a

SHA512
bde91c8c93f3d7aa6c38a52901013de3d50cd3a413f493cb2dd7f9253d8125ec81542dfc2171c3724791b36a9b1f59aa9ffccdf5456c770920e49457d0a7fcb4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
4affd63493cc61686b9a1443619db63b

SHA1
60d27edd240bf91bb3a7f2f70dad3ff34a3c6b43

SHA256
1edae779ad8f0d4272b5c2a667b84f6adcc15b9f26d7e711e86f7211cc317fb7

SHA512
586874cbd4c9f88a356314d9da534d821b0e5ee8387bb747bb19d9b735120c7a6384ad8ae100d263efe136e1cfa774627bbe952f5aa0105a3149d7f3a46ebcb5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\sessionstore-backups\recovery.baklz4

Filesize
48KB

MD5
81f15a34f9addd329614d322e96b0c88

SHA1
361bb636a31a5beb0dd587c49f56f0bdc9e5df99

SHA256
b81e55fc438e68946e4bded982f21c2615556e11f0c250e8e89051ac52f21a7c

SHA512
325cc22d95d13b668456a284ab626cd0c7ecbc0da2a5ab885b2a558a14435eb1e7102aaf559b8c55642514689a991dc1cc3432f676973a1f1bf7ad1bbcfc99f9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
e80bcf2dfd4660ee801efbb68e162bc0

SHA1
9d04c8928a7a4bcfa01ac0ff23681bef42126c84

SHA256
5c923f7d865e756474cee9cf38e24282f0c9848179dff705833a9f52759bcec2

SHA512
8dc4c19252abca1dfa68072f4f9dc2094aa7c54e29a60d6fbb6eafe67912c3cd39dfae70e27db3e9277d49d1ea3eaceca9ca5cfa51c31f547a60e10b6ef5c452

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
1e1cba65c3d4966a8d6d4157ded3a05f

SHA1
0aa9323f86ef68fa23cc88193cd55ff3831466fc

SHA256
06154e328a4a46f25775d192d089cdca297b67a6e8f0cd1f3f0d70bcf55531a2

SHA512
89ef16e4b06a7cb3e285518bd260482de20dd9f7efa5c79c94633aa2e306b500e01c830ef20be5a8fa1db27e818c5a81fd94f3ab95139b2ebda6a57ddf163549

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
5315b4329fdf0673ec8d8e505a59efd9

SHA1
6f39a97c7601150e4dbc800c4b24c203ffab3a81

SHA256
8655ecc6ff6f3675e9954306380fd8872cd1543174d78d727e09d1a8f1ef2d60

SHA512
2819cd56df237bea1345a79509925e4f2d6714466dcf99794dd9d1c93fa04e6bc0b17ef06110524c379f6b07b3ade396883de4c2eb1f53f6cdb537a3727fe5d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\sessionstore-backups\recovery.baklz4

Filesize
43KB

MD5
b3df347f13853f9a24d485c6d7be9191

SHA1
58861396e8c3b50f89002035d405470b099fe40b

SHA256
9dc0e7a6577f4e0107496ca2b0c093257741033f5995bb981715842d88c12ba2

SHA512
684d92b2bcda89774c38f51308772d4b4f59d26d2ce6e4bdedf67b55fa6e3e5b065849a473adb639c350f39a5c1006d057105540e00cc100c66a9d60f7828917

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74uts9gp.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
560KB

MD5
f8d25e890b162ac431728b2ebe1a9b2a

SHA1
ab39e89222eb0e0b188abad358fb9d1911850705

SHA256
bd5bf7ae0f6be35f45c4957f38250e095292f36658119d861daa5cdbea89e148

SHA512
224c5cfedfa714235e0910bf2f4f5af76c3a7d8dd43579d74ae44dfae05d2946fb6a927f207fd72831a0c68857e21302b349b3017968bbadd4919ac717ffe093

Download Submit
C:\Users\Admin\Downloads\OBS-Studio-31.0.0-Windows-Installer.exe:Zone.Identifier

Filesize
156B

MD5
f34a6dea69a3bff5ac11de8458cb8457

SHA1
63150a7a12a4611061f9e33cff10c6be5e50073c

SHA256
e4da18a04828afc3eb85ca531b08056480057d5c76b00cbf48fea87946fb8788

SHA512
461fa1172dde86ae79ed52e38af8e11f97260ab72bc5928dbbd5d68c546eb84a6ebb579865061d1815b6403a865cee72e82a5f4c1d0ada16a7fbc0dd70dab3ba

Download Submit
C:\Users\Admin\Downloads\SteamSetup.Zfn3a8gu.exe.part

Filesize
2.3MB

MD5
1b54b70beef8eb240db31718e8f7eb5d

SHA1
da5995070737ec655824c92622333c489eb6bce4

SHA256
7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb

SHA512
fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb

Download Submit
C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier

Filesize
151B

MD5
08099574fcdc80e39b073884dd0afeef

SHA1
c65a4de2d471bbf0a6d7b2e024ba06200028c70e

SHA256
2d5e628b53fa6333f48c97b65f20dbac3af661e52b3d1cc071b6f0b0c5bd2b84

SHA512
724565be26f1bdd9bbf10dc7531015dab0e2540d71c2f688c1a29ab45c83e7d9a21b64c60d8997203ae1000a85ee26a252855591775f0270306bc54fc154b7ea

Download Submit
C:\Windows\Installer\e5e252c.msi

Filesize
188KB

MD5
0d00edf7e9ad7cfa74f32a524a54f117

SHA1
eea03c0439475a8e4e8e9a9b271faaa554539e18

SHA256
e55a6c147daab01c66aed5e6be0c990bbed0cb78f1c0898373713343ef8556cd

SHA512
0b6730fa8d484466a1ee2a9594572fa40fb8eea4ec70b5d67f5910436ee1d07c80a029cf1f8e488a251439ac1121fd0a76a726836e4cb72dd0fe531ce9692f6a

Download Submit
C:\Windows\Temp\{34102D93-EB50-4376-B656-0932C0B7465A}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{90AF68E8-CE2B-4DDF-A216-C41BE1CB47AE}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{90AF68E8-CE2B-4DDF-A216-C41BE1CB47AE}\.be\VC_redist.x64.exe

Filesize
635KB

MD5
ae0540106cfd901b091d3d241e5cb4b0

SHA1
97f93b6e00a5069155a52aa5551e381b6b4221eb

SHA256
8cd998a0318f07a27f78b75edb19479f44273590e300629eff237d47643c496c

SHA512
29bb486bfdd541ba6aed7a2543ff0eb66865af737a8fb79484fb77cb412c3b357c71c16addf232c759d3c20c5e18128df43c68d1cba23f1c363fd9e0b7188177

Download Submit
memory/5516-13625-0x0000000000A20000-0x0000000000ED2000-memory.dmp

Filesize
4.7MB

Download
memory/20028-16038-0x0000000000DB0000-0x0000000000E27000-memory.dmp

Filesize
476KB

Download
memory/20064-16037-0x0000000000DB0000-0x0000000000E27000-memory.dmp

Filesize
476KB

Download
memory/25048-16000-0x0000000000DB0000-0x0000000000E27000-memory.dmp

Filesize
476KB

Download