6ba30ccb757516262cdb2140cd9982a00e94ff30772afee8cb7b236b32f72cd1

Resubmissions

14-01-2025 07:00

250114-hsnjmasngr 5

14-01-2025 06:13

250114-gyz9ya1mhm 8

Analysis

max time kernel
331s
max time network
329s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
14-01-2025 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

about.html
Size

48KB
MD5

51d97b882b4756d09c48e2fee42d1a1c
SHA1

1277d15c7bea50eb718b20fddbfd8b8c35a49224
SHA256

6ba30ccb757516262cdb2140cd9982a00e94ff30772afee8cb7b236b32f72cd1
SHA512

231d4aa074ade2d50a8c202300cb56ac96ce63d405ef4e1756f678a9a0f792a88b46da3b5e9a7c5822c67da6db7cf79943028e28ea16e5a3869105966af20a00
SSDEEP

1536:WpIuptIusn0wKeIP2vt81vWhFivCvCv9dml2MsPon+X9hJlcCkhDS35R3BigSvfS:WQl81Oh4aalzTQ8YGak

Score

8^/10

steam defense_evasion discovery persistence phishing

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 16 IoCs

pid	Process
3292	SteamSetup.exe
4824	steamservice.exe
1388	steam.exe
10160	steam.exe
10256	steamwebhelper.exe
10284	steamwebhelper.exe
10432	steamwebhelper.exe
10572	steamwebhelper.exe
10904	gldriverquery64.exe
10952	steamwebhelper.exe
11132	steamwebhelper.exe
11424	gldriverquery.exe
11484	vulkandriverquery64.exe
11568	vulkandriverquery.exe
13580	steamwebhelper.exe
14000	steamwebhelper.exe

Loads dropped DLL 62 IoCs

pid	Process
3292	SteamSetup.exe
3292	SteamSetup.exe
3292	SteamSetup.exe
3292	SteamSetup.exe
3292	SteamSetup.exe
3292	SteamSetup.exe
3292	SteamSetup.exe
3292	SteamSetup.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10256	steamwebhelper.exe
10256	steamwebhelper.exe
10256	steamwebhelper.exe
10256	steamwebhelper.exe
10284	steamwebhelper.exe
10284	steamwebhelper.exe
10284	steamwebhelper.exe
10160	steam.exe
10432	steamwebhelper.exe
10432	steamwebhelper.exe
10432	steamwebhelper.exe
10432	steamwebhelper.exe
10432	steamwebhelper.exe
10432	steamwebhelper.exe
10432	steamwebhelper.exe
10160	steam.exe
10432	steamwebhelper.exe
10432	steamwebhelper.exe
10572	steamwebhelper.exe
10572	steamwebhelper.exe
10572	steamwebhelper.exe
10160	steam.exe
10952	steamwebhelper.exe
10952	steamwebhelper.exe
10952	steamwebhelper.exe
11132	steamwebhelper.exe
11132	steamwebhelper.exe
11132	steamwebhelper.exe
11132	steamwebhelper.exe
13580	steamwebhelper.exe
13580	steamwebhelper.exe
13580	steamwebhelper.exe
14000	steamwebhelper.exe
14000	steamwebhelper.exe
14000	steamwebhelper.exe
14000	steamwebhelper.exe
14000	steamwebhelper.exe
14000	steamwebhelper.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"	SteamSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Detected potential entity reuse from brand STEAM.
phishing steam

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\flag_top.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps4_trackpad_l_left_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sc_dpad_touch_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\templates\controller_ps4_gamepad_joystick.vdf_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\Receipt_CC_Alert.res_	steam.exe
File created	C:\Program Files (x86)\Steam\logs\steamui_system.txt	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_110_social_0300.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\icon_clear_field.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\icon_warning_yellow.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\d0ggle.bin_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_button_triangle_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\css\chunk~2dcc5aaf7.css_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\localization\dualshock_4_english.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\friends\trackerui_polish.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps5_trackpad_r_click_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps_color_outlined_button_square_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sd_button_view_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_outlined_button_a_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\4_star.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\localization\xbox_one_norwegian.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_l2_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\switchpro_rstick_up_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_color_outlined_button_x.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_dpad_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\streaming_client.exe_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sd_button_menu_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_mouse_4.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\xbox360_button_select_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\cmnd_magnifier.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\switchpro_dpad_up_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_trackpad_swipe_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\MediaConfirmationDialog.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_010_wpn_0140.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\new_badge.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\steamui_norwegian.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps5_trackpad_l_down_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sd_ltrackpad_ring.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps5_trackpad_r_swipe.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_mouse_mid_click_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\joyconpair_left_sl_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_trackpad_l_click_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_button_x_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps_rb_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\xbox_p4_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps4_trackpad_r_right_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_trackpad_right.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_lstick_down_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_030_inv_0315.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\friends\icon_notChatting.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_050_menu_0050.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_button_a_sm-1.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_l2_soft.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\switchpro_rstick_left.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_010_wpn_0130.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_100_target_0120.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps4_trackpad_l_left_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\switchpro_lstick_right.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\startup_newbp.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\steamui_polish.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps4_trackpad_r_touch_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\switchpro_r2_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_	steam.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping10256_1436309088\_platform_specific\win_x64\widevinecdm.dll.sig	steamwebhelper.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping10256_1436309088\_platform_specific\win_x64\widevinecdm.dll	steamwebhelper.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping10256_1436309088\LICENSE	steamwebhelper.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping10256_1436309088\manifest.json	steamwebhelper.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping10256_1436309088\_metadata\verified_contents.json	steamwebhelper.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping10256_1436309088\manifest.fingerprint	steamwebhelper.exe
File opened for modification	C:\Windows\SystemTemp	steamwebhelper.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gldriverquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vulkandriverquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SteamSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe

Checks processor information in registry 2 TTPs 33 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steamwebhelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steamwebhelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Modifies registry class 42 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\steam\DefaultIcon	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\steam	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\steam\URL Protocol	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\steamlink	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\ = "URL:steam protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\DefaultIcon	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\steam\ = "URL:steam protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\steamlink\Shell	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\steam\Shell	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\steam\Shell\Open	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\URL Protocol	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\steam\DefaultIcon	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\steamlink\DefaultIcon	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\URL Protocol	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\steamlink\URL Protocol	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\steamlink\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	steam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	steam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	steam.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3292	SteamSetup.exe
3292	SteamSetup.exe
3292	SteamSetup.exe
3292	SteamSetup.exe
3292	SteamSetup.exe
3292	SteamSetup.exe
3292	SteamSetup.exe
3292	SteamSetup.exe
3292	SteamSetup.exe
3292	SteamSetup.exe
3292	SteamSetup.exe
3292	SteamSetup.exe
3292	SteamSetup.exe
3292	SteamSetup.exe
3292	SteamSetup.exe
3292	SteamSetup.exe
3292	SteamSetup.exe
3292	SteamSetup.exe
3292	SteamSetup.exe
3292	SteamSetup.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe
10160	steam.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
10160	steam.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3408	firefox.exe
Token: SeDebugPrivilege	3408	firefox.exe
Token: SeDebugPrivilege	3292	SteamSetup.exe
Token: SeDebugPrivilege	3292	SteamSetup.exe
Token: SeDebugPrivilege	3292	SteamSetup.exe
Token: SeDebugPrivilege	3292	SteamSetup.exe
Token: SeDebugPrivilege	3292	SteamSetup.exe
Token: SeSecurityPrivilege	4824	steamservice.exe
Token: SeSecurityPrivilege	4824	steamservice.exe
Token: SeDebugPrivilege	3028	firefox.exe
Token: SeDebugPrivilege	3028	firefox.exe
Token: SeShutdownPrivilege	10256	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	10256	steamwebhelper.exe
Token: SeShutdownPrivilege	10256	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	10256	steamwebhelper.exe
Token: SeShutdownPrivilege	10256	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	10256	steamwebhelper.exe
Token: SeShutdownPrivilege	10256	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	10256	steamwebhelper.exe
Token: SeShutdownPrivilege	10256	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	10256	steamwebhelper.exe
Token: SeShutdownPrivilege	10256	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	10256	steamwebhelper.exe
Token: SeShutdownPrivilege	10256	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	10256	steamwebhelper.exe
Token: SeShutdownPrivilege	10256	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	10256	steamwebhelper.exe
Token: SeShutdownPrivilege	10256	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	10256	steamwebhelper.exe
Token: SeShutdownPrivilege	10256	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	10256	steamwebhelper.exe
Token: SeShutdownPrivilege	10256	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	10256	steamwebhelper.exe
Token: SeShutdownPrivilege	10256	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	10256	steamwebhelper.exe
Token: SeShutdownPrivilege	10256	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	10256	steamwebhelper.exe
Token: SeShutdownPrivilege	10256	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	10256	steamwebhelper.exe
Token: SeShutdownPrivilege	10256	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	10256	steamwebhelper.exe
Token: SeShutdownPrivilege	10256	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	10256	steamwebhelper.exe
Token: SeShutdownPrivilege	10256	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	10256	steamwebhelper.exe
Token: SeShutdownPrivilege	10256	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	10256	steamwebhelper.exe
Token: SeShutdownPrivilege	10256	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	10256	steamwebhelper.exe
Token: SeShutdownPrivilege	10256	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	10256	steamwebhelper.exe
Token: SeShutdownPrivilege	10256	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	10256	steamwebhelper.exe
Token: SeShutdownPrivilege	10256	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	10256	steamwebhelper.exe
Token: SeShutdownPrivilege	10256	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	10256	steamwebhelper.exe
Token: SeShutdownPrivilege	10256	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	10256	steamwebhelper.exe
Token: SeShutdownPrivilege	10256	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	10256	steamwebhelper.exe
Token: SeShutdownPrivilege	10256	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	10256	steamwebhelper.exe
Token: SeShutdownPrivilege	10256	steamwebhelper.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3408	firefox.exe
3408	firefox.exe
3408	firefox.exe
3408	firefox.exe
3408	firefox.exe
3408	firefox.exe
3408	firefox.exe
3408	firefox.exe
3408	firefox.exe
3408	firefox.exe
3408	firefox.exe
3408	firefox.exe
3408	firefox.exe
3408	firefox.exe
3408	firefox.exe
3408	firefox.exe
3408	firefox.exe
3408	firefox.exe
3408	firefox.exe
3408	firefox.exe
3408	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
10256	steamwebhelper.exe
10256	steamwebhelper.exe
10256	steamwebhelper.exe
10256	steamwebhelper.exe
10256	steamwebhelper.exe
10256	steamwebhelper.exe
10256	steamwebhelper.exe
10256	steamwebhelper.exe
10256	steamwebhelper.exe
10256	steamwebhelper.exe
10256	steamwebhelper.exe
10256	steamwebhelper.exe
10256	steamwebhelper.exe
10256	steamwebhelper.exe
10256	steamwebhelper.exe
10256	steamwebhelper.exe
3028	firefox.exe
3028	firefox.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
10256	steamwebhelper.exe
10256	steamwebhelper.exe
10256	steamwebhelper.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe
3028	firefox.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3408	firefox.exe
3408	firefox.exe
3408	firefox.exe
3408	firefox.exe
3292	SteamSetup.exe
4824	steamservice.exe
3028	firefox.exe
10160	steam.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 3408	1604	firefox.exe	78
PID 1604 wrote to memory of 3408	1604	firefox.exe	78
PID 1604 wrote to memory of 3408	1604	firefox.exe	78
PID 1604 wrote to memory of 3408	1604	firefox.exe	78
PID 1604 wrote to memory of 3408	1604	firefox.exe	78
PID 1604 wrote to memory of 3408	1604	firefox.exe	78
PID 1604 wrote to memory of 3408	1604	firefox.exe	78
PID 1604 wrote to memory of 3408	1604	firefox.exe	78
PID 1604 wrote to memory of 3408	1604	firefox.exe	78
PID 1604 wrote to memory of 3408	1604	firefox.exe	78
PID 1604 wrote to memory of 3408	1604	firefox.exe	78
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 2764	3408	firefox.exe	79
PID 3408 wrote to memory of 3020	3408	firefox.exe	80
PID 3408 wrote to memory of 3020	3408	firefox.exe	80
PID 3408 wrote to memory of 3020	3408	firefox.exe	80
PID 3408 wrote to memory of 3020	3408	firefox.exe	80
PID 3408 wrote to memory of 3020	3408	firefox.exe	80
PID 3408 wrote to memory of 3020	3408	firefox.exe	80
PID 3408 wrote to memory of 3020	3408	firefox.exe	80
PID 3408 wrote to memory of 3020	3408	firefox.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\about.html"
1⤵
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\about.html
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1692 -prefMapHandle 1908 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {55ae262a-2bf7-48f1-a3a0-9de6b2e4d4a5} 3408 "\\.\pipe\gecko-crash-server-pipe.3408" gpu
    3⤵
    PID:2764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2396 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {384aa5f4-6c19-4a9b-bad6-b1d7b5422796} 3408 "\\.\pipe\gecko-crash-server-pipe.3408" socket
    3⤵
    - Checks processor information in registry
    PID:3020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3156 -childID 1 -isForBrowser -prefsHandle 3120 -prefMapHandle 3092 -prefsLen 24739 -prefMapSize 244658 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74a46192-fcb2-4919-8994-9615158d255a} 3408 "\\.\pipe\gecko-crash-server-pipe.3408" tab
    3⤵
    PID:1744
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1504 -childID 2 -isForBrowser -prefsHandle 3596 -prefMapHandle 3624 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {baa46025-360d-4ecd-9811-351f07403f82} 3408 "\\.\pipe\gecko-crash-server-pipe.3408" tab
    3⤵
    PID:2748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4664 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4784 -prefMapHandle 4776 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {987816c6-84b0-497d-a186-6dc2883e7699} 3408 "\\.\pipe\gecko-crash-server-pipe.3408" utility
    3⤵
    - Checks processor information in registry
    PID:3200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5516 -parentBuildID 20240401114208 -prefsHandle 5100 -prefMapHandle 5496 -prefsLen 32352 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {65e9dffb-303e-4483-815d-8f9f03d5ebd6} 3408 "\\.\pipe\gecko-crash-server-pipe.3408" rdd
    3⤵
    PID:3540
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5840 -childID 3 -isForBrowser -prefsHandle 5756 -prefMapHandle 5820 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95e9ce5c-df4f-4f0f-bdf9-29eaccc99191} 3408 "\\.\pipe\gecko-crash-server-pipe.3408" tab
    3⤵
    PID:4644
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6040 -childID 4 -isForBrowser -prefsHandle 6032 -prefMapHandle 6028 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3571fe3d-2ec0-4f68-aa16-913329af518e} 3408 "\\.\pipe\gecko-crash-server-pipe.3408" tab
    3⤵
    PID:888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5800 -childID 5 -isForBrowser -prefsHandle 6056 -prefMapHandle 5844 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {167f72fd-df7e-4e5c-94d5-7c5f4c89118d} 3408 "\\.\pipe\gecko-crash-server-pipe.3408" tab
    3⤵
    PID:1512
- - C:\Users\Admin\Downloads\SteamSetup.exe
    "C:\Users\Admin\Downloads\SteamSetup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3292
  - - C:\Program Files (x86)\Steam\bin\steamservice.exe
      "C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4824

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
PID:1388
- C:\Program Files (x86)\Steam\steam.exe
  "C:\Program Files (x86)\Steam\steam.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:10160
- - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
    "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=10160" "-buildid=1733265492" "-steamid=0" "-logdir=C:\Program Files (x86)\Steam\logs" "-uimode=7" "-startcount=0" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Program Files (x86)\Steam\clientui" "-steampath=C:\Program Files (x86)\Steam\steam.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write "--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt" --disable-quick-menu "--enable-features=PlatformHEVCDecoderSupport" "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal,ValveFFmpegAllowLowDelayHEVC"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:10256
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=crashpad-handler /prefetch:4 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files (x86)\Steam\dumps" "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1733265492 --initial-client-data=0x2a0,0x2a4,0x2a8,0x29c,0x294,0x7fffec9eaf00,0x7fffec9eaf0c,0x7fffec9eaf18
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:10284
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1580,i,392455125647268933,1638853915103930305,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=1588 --mojo-platform-channel-handle=1568 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:10432
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --field-trial-handle=2152,i,392455125647268933,1638853915103930305,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=2156 --mojo-platform-channel-handle=2148 /prefetch:11
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:10572
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --field-trial-handle=2732,i,392455125647268933,1638853915103930305,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=2744 --mojo-platform-channel-handle=2724 /prefetch:13
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:10952
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,392455125647268933,1638853915103930305,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=3096 --mojo-platform-channel-handle=3088 /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:11132
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --field-trial-handle=3716,i,392455125647268933,1638853915103930305,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=3720 --mojo-platform-channel-handle=3712 /prefetch:14
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:13580
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3756,i,392455125647268933,1638853915103930305,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=3760 --mojo-platform-channel-handle=3772 /prefetch:10
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:14000
- - C:\Program Files (x86)\Steam\bin\gldriverquery64.exe
    .\bin\gldriverquery64.exe
    3⤵
    - Executes dropped EXE
    PID:10904
- - C:\Program Files (x86)\Steam\bin\gldriverquery.exe
    .\bin\gldriverquery.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:11424
- - C:\Program Files (x86)\Steam\bin\vulkandriverquery64.exe
    .\bin\vulkandriverquery64.exe
    3⤵
    - Executes dropped EXE
    PID:11484
- - C:\Program Files (x86)\Steam\bin\vulkandriverquery.exe
    .\bin\vulkandriverquery.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:11568

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:6528
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1816 -parentBuildID 20240401114208 -prefsHandle 1728 -prefMapHandle 1732 -prefsLen 27494 -prefMapSize 244930 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d961d95b-941b-4392-9431-7bba00b89cb1} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" gpu
    3⤵
    PID:6624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2192 -parentBuildID 20240401114208 -prefsHandle 2184 -prefMapHandle 2180 -prefsLen 27494 -prefMapSize 244930 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28d64fba-a835-4720-be0f-18758d32ee1a} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" socket
    3⤵
    - Checks processor information in registry
    PID:3664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3120 -childID 1 -isForBrowser -prefsHandle 3112 -prefMapHandle 3108 -prefsLen 27993 -prefMapSize 244930 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ad49f1c-7e57-48f6-af94-23eb4479c429} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" tab
    3⤵
    PID:4372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3100 -childID 2 -isForBrowser -prefsHandle 3604 -prefMapHandle 2476 -prefsLen 33226 -prefMapSize 244930 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc3fd57b-294d-4778-a882-a717d145e33f} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" tab
    3⤵
    PID:7480
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4732 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4724 -prefMapHandle 4716 -prefsLen 33280 -prefMapSize 244930 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c27735e5-d8e0-4ebe-898f-c7c575039fbf} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" utility
    3⤵
    - Checks processor information in registry
    PID:7908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5160 -childID 3 -isForBrowser -prefsHandle 5112 -prefMapHandle 5168 -prefsLen 27846 -prefMapSize 244930 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e03a2bc-64fb-4c9a-9a22-17a6c8b260e7} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" tab
    3⤵
    PID:21792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5312 -childID 4 -isForBrowser -prefsHandle 5388 -prefMapHandle 5384 -prefsLen 27846 -prefMapSize 244930 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81b33e24-49b2-45a6-8438-a2eba43b9109} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" tab
    3⤵
    PID:21920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5276 -childID 5 -isForBrowser -prefsHandle 5544 -prefMapHandle 5288 -prefsLen 27846 -prefMapSize 244930 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ecb8220-e665-41df-8bde-eeed2cfa5c1c} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" tab
    3⤵
    PID:22040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5944 -childID 6 -isForBrowser -prefsHandle 5936 -prefMapHandle 5932 -prefsLen 27846 -prefMapSize 244930 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e18a586c-8f43-4d18-8318-a812c8db83ed} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" tab
    3⤵
    PID:9092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5220 -childID 7 -isForBrowser -prefsHandle 5108 -prefMapHandle 5088 -prefsLen 27846 -prefMapSize 244930 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52888d6c-6aa7-4490-b964-0d9fb74e85a0} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" tab
    3⤵
    PID:14676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6076 -parentBuildID 20240401114208 -prefsHandle 5248 -prefMapHandle 1720 -prefsLen 33359 -prefMapSize 244930 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f932968e-f1b5-4c5b-9b9e-a5b84e35f515} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" rdd
    3⤵
    PID:15324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5188 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 5280 -prefMapHandle 2976 -prefsLen 33359 -prefMapSize 244930 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ccf07ed3-2021-4871-b816-d9e97827a09a} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" utility
    3⤵
    - Checks processor information in registry
    PID:5168

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004D4
1⤵
PID:10792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:15512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Steam\Steam.exe

Filesize
4.2MB

MD5
33bcb1c8975a4063a134a72803e0ca16

SHA1
ed7a4e6e66511bb8b3e32cbfb5557ebcb4082b65

SHA256
12222b0908eb69581985f7e04aa6240e928fb08aa5a3ec36acae3440633c9eb1

SHA512
13f3a7d6215bb4837ea0a1a9c5ba06a985e0c80979c25cfb526a390d71a15d1737c0290a899f4705c2749982c9f6c9007c1751fef1a97b12db529b2f33c97b49

Download Submit
C:\Program Files (x86)\Steam\bin\SteamService.exe

Filesize
2.5MB

MD5
ba0ea9249da4ab8f62432617489ae5a6

SHA1
d8873c5dcb6e128c39cf0c423b502821343659a7

SHA256
ce177dc8cf42513ff819c7b8597c7be290f9e98632a34ecd868dc76003421f0d

SHA512
52958d55b03e1ddc69afc2f1a02f7813199e4b3bf114514c438ab4d10d5ca83b865ba6090550951c0a43b666c6728304009572212444a27a3f5184663f4b0b8b

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
1KB

MD5
a2ec2e91c3ef8c42e22c4887d032b333

SHA1
e2c738a2e9400535b74e2263c7e7d1ecefe575f2

SHA256
8f9f970835f133258a7f740126012439385bbaa5a1d6a9d0d967a390977441c3

SHA512
b069d241efb19e09ec8b5e60ef6c43e00d5cc0f774b9340127c2180356dd1964ac625c1afdfaee5f99e72b26f56046fc329aadbbc365b403af765a55e9c9aab3

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
17KB

MD5
6351d565db5f7653631befb9261d43e8

SHA1
aab47854388746bc8e9844185367e519dc61d703

SHA256
10b0a8fbc4dc4d6963240f15314254391326b508fd65e318191b84d521cc99b2

SHA512
bed8e408b57fe9078fe652747706b97043186a513a9c49dcb4011a7be883fda3c1c9421ea9e595001415c00cae595f3771d96063407b31bdfce89bb220a3087a

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
14KB

MD5
9f63d7dd7905488114a5523fd151d401

SHA1
a53eb652d96a8f034208cb228974c585f224321a

SHA256
43ac9368fa693d51351d1a1a31fdf17873ee94714197228b5b821eefa21d673e

SHA512
1ceebd69ac9929abb95f7b59fac79eeec2d646b6dcc8fa0adbfbf56a22950d64ea1e94e56d37963e5abb3689d16dfe9e7d05022609b6da86c8841082ea131f99

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
15KB

MD5
1f3536d5ca478d44253d9eb30dac5f9d

SHA1
3cd6b5d232527e500064747988fa3f86403621cc

SHA256
4c8d912850ff54d52c1b11c98184d8c0403ac1d0b475d5eeb184caba96c9f8ae

SHA512
4968b02db806ec1d6de04a3d8a0b46e76da8286213a0618d2f06e3a108dac0d1c3893eef1597d2255dc00cc9cf617c81f20bcdf395dc83d0fc50be4a48ba2523

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
18KB

MD5
a11ae0bf8e2bbed490178038bef87667

SHA1
9220e67dd21ad2d45588d8b39b57bd57a721a5d0

SHA256
36b9b2ab37a17ba5df0d2715897af4ea245d4ad55b31c792961ec5679bd72df1

SHA512
3050d9a56643598912ab5a1ffa7b131f29bb34565829ccc040bf7249a6c2cc6614c96b6ff7d46836c9a4fbadb03debf13a1f05a4f21deba101a62f33009d6c26

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf~RFe58baa0.TMP

Filesize
1KB

MD5
6e6a2b18264504cc084caa3ad0bfc6ae

SHA1
b177d719bd3c1bc547d5c97937a584b8b7d57196

SHA256
f3847b5e4a40d9cf76df35398bb555117dfe3626c00a91f2babdedb619d6ad53

SHA512
74199ff275400b451642cde0a13b56709735676959d65da11ac76dd645ab11dac5de048ff7ede0cb8adb3a3056b3ecbeb3dc7481bac3768d02051e564c74b679

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_

Filesize
15KB

MD5
577b7286c7b05cecde9bea0a0d39740e

SHA1
144d97afe83738177a2dbe43994f14ec11e44b53

SHA256
983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824

SHA512
8cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_news_mousedown.tga_

Filesize
20KB

MD5
00bf35778a90f9dfa68ce0d1a032d9b5

SHA1
de6a3d102de9a186e1585be14b49390dcb9605d6

SHA256
cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2

SHA512
342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041

Download Submit
C:\Program Files (x86)\Steam\package\tmp\resource\filter_clean_bulgarian.txt.gz_

Filesize
23B

MD5
836dd6b25a8902af48cd52738b675e4b

SHA1
449347c06a872bedf311046bca8d316bfba3830b

SHA256
6feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64

SHA512
6ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_brazilian.txt

Filesize
4KB

MD5
0340d1a0bbdb8f3017d2326f4e351e0a

SHA1
90d078e9f732794db5b0ffeb781a1f2ed2966139

SHA256
0fcd7ae491b467858f2a8745c5ecdd55451399778c2119517ee686d1f264b544

SHA512
9d23e020875ed35825169a6542512ec2ffdb349472a12eb1e59ddc635e57c8fd65fa919873821e35c755aa7d027c9a62d3d0fa617340449d7b2c4cf8dd707e93

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_bulgarian.txt

Filesize
6KB

MD5
4c81277a127e3d65fb5065f518ffe9c2

SHA1
253264b9b56e5bac0714d5be6cade09ae74c2a3a

SHA256
76a6bd74194efd819d33802decdfddaae893069d7000e44944dda05022cfa6d9

SHA512
be077b61f3b6d56a1f4d24957deaf18d2dff699bda6569604aac4f1edb57c3cfd0abc5e2a67809f72e31a90b4aed0813536c153886da2099376964c60e56001a

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_czech.txt

Filesize
4KB

MD5
2158881817b9163bf0fd4724d549aed4

SHA1
c500f2e8f47a11129114ee4f19524aee8fecc502

SHA256
650a265dffdc5dc50200bb82d56f416a3a423eecc08c962cfd1ba2d40a1ff3f7

SHA512
f3594aad9d6c50254f690c903f078a5b7a58c33bd418abdad711ebb74cfbdb5564679593e08fb2d4378faaf4160d45e3d276ba1aa8a174ed77a5791bcac46f28

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_danish.txt

Filesize
4KB

MD5
03b664bd98485425c21cdf83bc358703

SHA1
0a31dcfeb1957e0b00b87c2305400d004a9a5bdb

SHA256
fdf7b42b3b027a12e1b79cb10ab9e6e34c668b04eb9e8a907d8611ba46473115

SHA512
4a8cdd4b98432ba9d9b36bc64aab9a2eab31a074d1cbdfab3d35a14216c60752b5580c41bbb70104993420043685d3bd47eb6637b8fcbb3f42f76a15e4be041d

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_dutch.txt

Filesize
4KB

MD5
31a29061e51e245f74bb26d103c666ad

SHA1
271e26240db3ba0dcffc10866ccfcfa1c33cf1cc

SHA256
56c8a86fa95eab0d8f34f498e079b5516b96d2a2f1ad9c2a888555e50e47f192

SHA512
f85865c1e9ab45e5586d3dd2b45d15265193e8a3c34b6bb1ac7e415a1ea878cfb044e8e01012e917e4f00bb9e0a422f56253f328df1bac99a145e19433354cf8

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_english.txt

Filesize
4KB

MD5
da6cd2483ad8a21e8356e63d036df55b

SHA1
0e808a400facec559e6fbab960a7bdfaab4c6b04

SHA256
ebececd3f691ac20e5b73e5c81861a01531203df3cf2baa9e1b6d004733a42a6

SHA512
06145861eb4803c9813a88cd715769a4baa0bab0e87b28f59aa242d4369817789f4c85114e8d0ceb502e080ec3ec03400385924ec7537e7b04f724ba7f17b925

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_finnish.txt

Filesize
4KB

MD5
9e62fc923c65bfc3f40aaf6ec4fd1010

SHA1
8f76faff18bd64696683c2a7a04d16aac1ef7e61

SHA256
8ff0f3cbdf28102ff037b9cda90590e4b66e1e654b90f9aea2cd5364494d02b7

SHA512
c8ff15373b37e848e6239a82424569e77c82a5fc557d17e7d2ed1d0d2b2f7d026cc1e2bc98cb5ee945c02cfefb82803c23fa6a26f48ff0adcf762f94cd5dd035

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_french.txt

Filesize
4KB

MD5
10c429eb58b4274af6b6ef08f376d46c

SHA1
af1e049ddb9f875c609b0f9a38651fc1867b50d3

SHA256
a1f6ba57ee41e009d904905c0ce5e75a59ee6790e08542561303109e1faafa13

SHA512
d8760f61760bffd8671b727d386ae220e7e6e68829a01553cfd5eb60ef8bd1d7c1b25e7b17a6db5bd17ba6712ef44999726764459318e784843c73bc4facaf46

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_german.txt

Filesize
4KB

MD5
5c026fd6072a7c5cf31c75818cddedec

SHA1
341aa1df1d034e6f0a7dff88d37c9f11a716cae6

SHA256
0828572e4fa00c186dbf1d9072a6154d65cb499c6a37e338f3305f77a2fee382

SHA512
f9d28714b2a05f8d9025f1692e4d7e8baa6daf6176353f65646a38814a242ef2adededa44419edd69f10cf96ffba506dab7cb6e52111457bf69cffef12174b12

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_greek.txt

Filesize
6KB

MD5
189ba063d1481528cbd6e0c4afc3abaa

SHA1
40bdd169fcc59928c69eea74fd7e057096b33092

SHA256
c0a7a1df442ac080668762df795c72aa322e9d415c41bd0a4c676a4dc0551695

SHA512
ce59ad9b17bab4de1254e92ce4fe7d8c8242832f62ab382e8f54199a9932cd11b5800cc33895441426373d5210cc74104e0271b721a7e26ed400b716ae4d5903

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_hungarian.txt

Filesize
4KB

MD5
18aaaf5ffcdd21b1b34291e812d83063

SHA1
aa9c7ae8d51e947582db493f0fd1d9941880429f

SHA256
1f45bb7bdfa01424f9237eec60eba35dc7f0dc4e8c2e193fe768fe96d3ff76d5

SHA512
4f3e56d1abe26b56d3f805dc85baaca450c0c7bec57ebcf8a6bb6ebb8588307dad130c83bf792bac76694909a14fd6a4d7d1e9b31e32fba11256343b9fc18154

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_indonesian.txt

Filesize
4KB

MD5
1514d082b672b372cdfb8dd85c3437f1

SHA1
336a01192edb76ae6501d6974b3b6f0c05ea223a

SHA256
3b3c5c615fd82070cc951ab482d3de8cb12df0b3df59fbd11f9d3271fa2fbca4

SHA512
4d41c945ce7c94746875b0dbceb14811d4966de4e97fe047406a304162fde7e1e2a16367fc2e43978e2e5aa66749f036b4444aa2312673c2cc3af296e8b77f55

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_italian.txt

Filesize
4KB

MD5
8958371646901eac40807eeb2f346382

SHA1
55fb07b48a3e354f7556d7edb75144635a850903

SHA256
b01ec64d75fd1fbd00fbeb45a3fb39244911a8b22bb43de4e0c03f205184f585

SHA512
14c5dbb017822336f22bf6779ccd4a66604ddc5f2c3caa24271e96f739fef007754d96844efa422d6682cbcd2d3bc902c36f0f6acb3eb87ed8d7b3f885973554

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_japanese.txt

Filesize
5KB

MD5
7e1d15fc9ba66a868c5c6cb1c2822f83

SHA1
bfe9a25fdc8721d7b76cecb9527a9ba7823dc3d7

SHA256
fc74e26a8baabbe4851109512d85173b75dbf7293d41eb3b92a1957a773c8265

SHA512
0892be14a858cc860766afb1c996b2c355108a7e50971ea3ec00d15069e919a6eb05a61fa839bea3938492c391e274144c5e248f4c204a602bf36adf27e5b406

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_koreana.txt

Filesize
4KB

MD5
202b825d0ef72096b82db255c4e747fa

SHA1
3a3265e5bbaa1d1b774195a3858f29cea75c9e75

SHA256
3d1399f5323a3ece1b1a8b3b31f8fd7f50c3bd319ab3f1c38c6e347452c95314

SHA512
e8fc7cc09f431301d22a07b238179ee053505090e3c4db30ead061513fe7159f1fe8b80efc93f4597fe00f01087bbe0bb2231e13693d72c8def138657cb91566

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_latam.txt

Filesize
4KB

MD5
7913f3f33839e3af9e10455df69866c2

SHA1
15fa957d0a6a2717027f5b35f4dbe5e0ab8ece25

SHA256
05bc1f4973c6d36002ac1b37ce46b1f941fcb4338282e0ec1ec83fb558d1a88c

SHA512
534e541757d19ee157a268bf7ea358b48015f400542fcfa49cdb547cd652926160f015fe2cf026d9c4996e56ab90ca3899dfd457997d915bf6bc9d7bb00ba804

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_norwegian.txt

Filesize
4KB

MD5
58e0fcbee3cca4ef61b97928cfe89535

SHA1
1297e3af3ca9e4fe3cc5db78ebbfa642e8a2c57b

SHA256
c084a68b65d507eb831831aa2ab9afb9536cb99a840d248cc155ff87fad18425

SHA512
99aff0c481e34cd0e4fcbb2af471afb56d91aa11be664462b08e17ae169ca03ef77e7063b4ecd0f38ca7b2f6dc0bf2e316c7b31dffbbcfc763cd8fae27dc78d2

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_polish.txt

Filesize
4KB

MD5
9b0b0e82f753cc115d87c7199885ad1b

SHA1
5743a4ab58684c1f154f84895d87f000b4e98021

SHA256
0bdeee9fa28d54d384e06ea646fbcfe3f06698a31dfdc1a50703ffe83ad78d32

SHA512
b7780b82fbe705bc8e5a527c011eb685c99ef0b2eb810617b9f82b891341af95ef1c2f46dce9e458c0c4dcc3e7a0d21db6c77f03419cd1c4b521a9b72f9017df

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_portuguese.txt

Filesize
4KB

MD5
eb8926608c5933f05a3f0090e551b15d

SHA1
a1012904d440c0e74dad336eac8793ac110f78f8

SHA256
2ed2b0d654d60e0a82b0968a91d568b775144e9d92f2b077b6da75f85ad12d04

SHA512
9113c42c38836f71ff0cc7019aff8c873845f47fbf1ab97e981cb038f4d8495b6df784402b1ee9666e8e567ae866b0284c81e6a16efb47131d5ef88569c4843a

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_romanian.txt

Filesize
4KB

MD5
6367f43ea3780c4ee166454f5936b1a8

SHA1
027a2c24c8320458c49cd78053f586cb4d94ee6f

SHA256
f8d1972e75a320344e3c834ba0a3a6a86edb39e20ef706bda9b7965d440d1998

SHA512
31aab33e0d272cb43a8c160b3d37256716a683e5052192fd0e4d3cdaf30a10a9afa9d26d5d14ad216ee455627c32892a711d2bc137ee7a7df9a297f001a19e32

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_russian.txt

Filesize
6KB

MD5
e04ad6c236b6c61fc53e2cb57ced87e8

SHA1
e9d4846b7e6cc755ee14a5d3fa45ee7d3bf425a4

SHA256
08c775efa77c2a92d369f794882e467b6e2526e61bc7aa7724f48e174524502e

SHA512
0dfb7e6d811d649103499018f3d115c542fcaba420ceb69124a4d837fe162ce514e7be2040860c5ef5f9c01c961fa6eea8730606b73ec107d87597989b6fd331

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_schinese.txt

Filesize
4KB

MD5
56dcf7b68f70826262a6ffaffe6b1c49

SHA1
12e4272ba0e4eabc610670cdc6941f942da1eb6a

SHA256
948cad1bb27109e008f2457248880c759d3fa98b92c5b4033b94f455cb8ac43f

SHA512
c3fd9caf0bd4c303a7cc300faada9cfe6dd752e82d67625b31f4c0c2c091596508bb477fe19f758fdf79b25b8ac3f5320a8785d2b6705b9bcc28a054a59454e2

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_spanish.txt

Filesize
4KB

MD5
66456d2b1085446a9f2dbd9e4632754b

SHA1
8da6248b57e5c2970d853b8d21373772a34b1c28

SHA256
c4f821a4903c4e7faea2931c7fb1cf261eba06a9840c78fdca689f5c784c06c4

SHA512
196c2282ba13715709ece706c9219fe70c05dd295840082e7d901b9e5592e74b1bb556782181cdbe35bd1ab0d6197fef67258b09491fabc6f27606dbed667d49

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_swedish.txt

Filesize
4KB

MD5
b2248784049e1af0c690be2af13a4ef3

SHA1
aec7461fa46b7f6d00ff308aa9d19c39b934c595

SHA256
4bf6b25bf5b18e13b04db6ed2e5ed635eb844fc52baa892f530194d9471f5690

SHA512
f5cee6bba20a4d05473971f7f87a36990e88a44b2855c7655b77f48f223219978d91bcd02d320c7e6c2ec368234e1d0201be85b5626ef4909e047e416e1a066c

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_tchinese.txt

Filesize
4KB

MD5
194a73f900a3283da4caa6c09fefcb08

SHA1
a7a8005ca77b9f5d9791cb66fcdf6579763b2abb

SHA256
5e4f2de5ee98d5d76f5d76fb925417d6668fba08e89f7240f923f3378e3e66f6

SHA512
25842535c165d48f4cf4fa7fd06818ec5585cc3719eff933f5776a842713d7adb5667c3b9b1a122a1152450e797535fc7a8e97ebdd31c14b4d4900a33ede01f3

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_thai.txt

Filesize
7KB

MD5
53f7e8ac1affb04bf132c2ca818eb01e

SHA1
bffc3e111761e4dc514c6398a07ffce8555697f6

SHA256
488294b7faff720dc3ab5a72e0607761484c678b96d6bcd6aad9ee2388356a83

SHA512
c2e79c2505a6fd075df113ffce92ad42c146424ca39087601daa4ed15a2b5528d478a093921d9d8a738c7b6b963275a0693ebe526b6e2135d14ced03639d0e70

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_turkish.txt

Filesize
4KB

MD5
29f9a5ab4adfae371bf980b82de2cb57

SHA1
6f7ef52a09b99868dd7230f513630ffe473eddf8

SHA256
711675edb20b3cb70acf6cf75f2eea8e0d87c8ace3e11c8df362b4517427a34f

SHA512
543fe63f791250e05e8fda24fd2ceadebb4c8925e8927de49ae490895c87eed3e61a9ad50237532649f99fe3165836261de215ee3f66ffbfc6d677ddeea7732a

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_ukrainian.txt

Filesize
6KB

MD5
cadd7a2f359b22580bdd6281ea23744d

SHA1
e82e790a7561d0908aee8e3b1af97823e147f88b

SHA256
3dd0edfbe68236e668fb308f92fe7c6493dbb05bfca85a48de93588f479ccc99

SHA512
53672dd13e6ccbe96f6d4a61297c595b6d6cba8de92caa51ccf8ab1d8a82eea5a425eab348f295b9ec27de0026ef849d9230f751a46e040be8863923f91b8519

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_vietnamese.txt

Filesize
4KB

MD5
f350c8747d77777f456037184af9212c

SHA1
753d8c260b852a299df76c4f215b0d2215f6a723

SHA256
15b6a564e05857a3d2fd6eec85a5a30c491a7553d15ffc025156b3665b919185

SHA512
efb86809a0b357b4fcd3ba2770c97d225d0f4d9fb7430c515e847c3dd77ee109def4bef11b650b9773c17050e618008fc03377638c1db3393ac780b5b0bc31b2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\activity-stream.discovery_stream.json

Filesize
27KB

MD5
cdf80affa24e13b3ff53dfe93796617a

SHA1
552e2fef809ad54e4a5661e6781047d387600ea2

SHA256
4354810f30f4216122ab74b5abe77ea039e57d7be88095d56b1cc7166f85d197

SHA512
454a52e46ce2522f8f5cf000b7ce5f67842d8af48acf670ff5062c40149833cd19ca7e45001f23ff60d4d3ce6b5d76d22c9576345e8b5d54bada8ca4f5376cc9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\cache2\entries\0496E33B07BB9340090B6FF9A653DA5443DBD403

Filesize
224KB

MD5
50a9309e21c00b6f274123f11ac631b2

SHA1
e337ea5935e0646ee49bdee331f0517308cd3799

SHA256
69cfecc0f488e4a4169b7d8f6f73d5ea819fb797538de51ab92ae6098609449e

SHA512
b809d6c2c0526e613c685c1aabf618cf53d2d20652fe5cfa2f9ea24c2d8a674d9b7c50c155fcf1051adadf780eecd684e557a2c0c60b4c3c8030a5bcf3e07cf4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\cache2\entries\387220E29FAF72CB5CF5B2DEF50720D1A40CC33F

Filesize
52KB

MD5
58bd1b3004fb17b6d8e6138c416e0e67

SHA1
e35d2c391f4910dd77f5f5d0eabfb2b94f704c5c

SHA256
d0054108d4d7dfe68d13ffb36bc182de318fd9b531eecf478dae53de66f9bbd7

SHA512
fcbb10a76b07194756a7a6ece847042e3ee256e21779666daa6af5d8dae6f4ca52a5a2176999754ffc3885a8701bd84f0c8021a0808709d367349b6f57d9758b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\cache2\entries\586D25A03895848B0609C1B0C9097200E0CF65C6

Filesize
61KB

MD5
d30a429d654fee560f9eeecba20c968f

SHA1
0396ecbd7910a683f4f4aa32411b996a8b9ef772

SHA256
7fde4abb88be6e0d7b89b72dc0f87953126d0df7e3b8c76c3f725c565b1fde34

SHA512
c523f4e5889aebcd1ec509de2aadbe623805b704242ede2697526f263160546e7467ac0a0dcac60db25d4ea69c9646abdbec62fcd786ed0eb1615b59038b3e42

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\startupCache\scriptCache-child.bin

Filesize
469KB

MD5
4749a5e9e430e6f56e38cc488aba50e9

SHA1
1812d38efec74342d93aae5f73ebd8115b2981c7

SHA256
1d810fd340a20cffb85a86986d75ff0dab5a7b46a9ce3d9235971f7565618632

SHA512
026b01b0358983976160346deb342bc54612c0a3e242045cfcb4dbc8486860e8bf0fd9cf5e927da514d88409289008430cf3bac0e8f686ec17b133df5a19b2de

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\startupCache\scriptCache.bin

Filesize
9.2MB

MD5
e612e72a1a34c155f00e59bfd7e586ba

SHA1
b6a6e27fb5421309807b79890dd3d70efd2b3510

SHA256
bd65168cf676655c360e1fc56f263762bee56d42676ee9e812e6bd2674a51c07

SHA512
a2fc66d3d45f4dc4137257daf22aa01b3b905b08be91a6cc897d1fc3806d804adfeb5fd98d4f7aef23fee58ea766247aa83fff51567298f6e1a6ee94d29056d2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\startupCache\urlCache.bin

Filesize
3KB

MD5
d46f0e21664249f89f9a7e5be239fc62

SHA1
5ada43c68805154c019bcb6f118754540f3e1f4a

SHA256
d08a493f5d5c9358ad5194d3f8c39a21fa371338fbfe831afa707c474a002319

SHA512
3e11f1637b9e80b2c488a2a8bca75a504e7ee4a5abff544a30aef0463745947e840098eab9f9c63972084b6ac77b3309941864227af69d3dc57e4420a9348efe

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\startupCache\webext.sc.lz4

Filesize
107KB

MD5
f163de3fa2cbbbaf2c0f239788a07db2

SHA1
78c0f2eed1d717673d28e7bcd9b2db2ef2623378

SHA256
fe173253a456dedc65d6ddcebac3156d3f9e8a4ae0dfe8103627934830b6631d

SHA512
9eacf3d7d3ce260af3f3a8a5cb198ae1e172660735f2d208472b856575567ba06bd697ffe8cfceae84e68c4638c34bc8395be9552020ffd9169af936cf9987b9

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
74af04622a5b087a95799db174fdef3a

SHA1
7bc55622b8bbe7c00d493a53eca9db2483d8ff9b

SHA256
07c752f7af52e634e28bc61e8ec3168ed7e5f9d3284e5f5c7c7d4a6c9056202d

SHA512
9acea2c14ab2d123e8c973b727df4cf2bbbcc43e63589c6ec52342c46c32d9e8c71380e2553091c7a60902822c146fbc4cdc887d4f3ee5dcba5c861a61c769b5

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\DawnWebGPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\DawnWebGPUCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\DawnWebGPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\DawnWebGPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\LocalPrefs.json

Filesize
822B

MD5
fc092fc79aa78cf6acd060a19d87058a

SHA1
80c4780f43b968cce91e1b2aecb6dc7e2bcbde9e

SHA256
5e78f162be78f8cb055bbbb35c6228bffa8d12fa22c7edcf465ee29b69c67d43

SHA512
152e149ad6b9b4175357bca8b6811667555e1ee8f5569f1c0a85894d286f1618e90857e048bf763a895780cd25e512c82f2562dbf2976a75b394c2d2af0ee482

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\LocalPrefs.json

Filesize
710B

MD5
d1d1951cc6924e1bba6cb0f423516f1d

SHA1
2030207cb4e6d8e829ee2f2abd364084e70ae86e

SHA256
583c266c22527b4d3d06e64f32747224ca2a0c9506928e236a0a50fbf52098b8

SHA512
2e8edec453fd16dd7fa7f283308fb20b017a919738103855b7f3f954141859c061b457e2ba7dd02b56410ebfbb782cabfc8f2ec9994635b60572e6300ee8b0fd

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\LocalPrefs.json~RFe59c152.TMP

Filesize
529B

MD5
a9ba0fd49f1e6ca961d6aefdda895113

SHA1
d2bb69f0c536760958d81524c1640299feb51498

SHA256
2892f490b91e9a80d7a5b1c0cf201bf32a4b40a13e0e685500b52c0f0d0da305

SHA512
29be1f4308175fd912be5a8b53f3c603ab33f791f3284c2ef0f20c4897b401731d5f9eea4854c7aa075cd2ae8fc91be71a8bd1463b1e311bc14f2680cd5e83f9

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\Network Persistent State

Filesize
300B

MD5
269bbe57c296ab1b0ecbb6177ca3e011

SHA1
516f64faf3ce90f14314f55a9b3fd66c1a9855e6

SHA256
3157865c53187518f43744442c0ead030ed670c2e84e557a5f6a55fd36b7f21d

SHA512
f391e385d36a8858d0c9c42942ae35f0bc731480faffa19639e6c5b509dd9e1c3f04a6fa109d4975e0fe95b54145d4967231089e5005d635b7b27630b7fb8b5c

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\Network Persistent State~RFe59d4cb.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Shared Dictionary\cache\index-dir\temp-index

Filesize
48B

MD5
8cb4970f5e16a131498c3c2f44b87f69

SHA1
3ee0002aaf2d74bcc8312cbeaa9b6fb467586358

SHA256
897f045a3e11771f00a5c09d7920d3b122dd3883ea7453270ccfd6488531d29f

SHA512
0bdfb24dc49da41b36044c56f04b03da03af55daf6ea531fa576edeb1d662879e134dfff516cf8e29309dd4aab5561391ad77c062e7e466414abd0b9e8205505

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdCECB.tmp\StdUtils.dll

Filesize
110KB

MD5
db11ab4828b429a987e7682e495c1810

SHA1
29c2c2069c4975c90789dc6d3677b4b650196561

SHA256
c602c44a4d4088dbf5a659f36ba1c3a9d81f8367577de0cb940c0b8afee5c376

SHA512
460d1ccfc0d7180eae4e6f1a326d175fec78a7d6014447a9a79b6df501fa05cd4bd90f8f7a85b7b6a4610e2fa7059e30ae6e17bc828d370e5750de9b40b9ae88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdCECB.tmp\System.dll

Filesize
22KB

MD5
a36fbe922ffac9cd85a845d7a813f391

SHA1
f656a613a723cc1b449034d73551b4fcdf0dcf1a

SHA256
fa367ae36bfbe7c989c24c7abbb13482fc20bc35e7812dc377aa1c281ee14cc0

SHA512
1d1b95a285536ddc2a89a9b3be4bb5151b1d4c018ea8e521de838498f62e8f29bb7b3b0250df73e327e8e65e2c80b4a2d9a781276bf2a51d10e7099bacb2e50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdCECB.tmp\modern-wizard.bmp

Filesize
150KB

MD5
3614a4be6b610f1daf6c801574f161fe

SHA1
6edee98c0084a94caa1fe0124b4c19f42b4e7de6

SHA256
16e0edc9f47e6e95a9bcad15adbdc46be774fbcd045dd526fc16fc38fdc8d49b

SHA512
06e0eff28dfd9a428b31147b242f989ce3e92474a3f391ba62ac8d0d05f1a48f4cf82fd27171658acbd667eaffb94cb4e1baf17040dc3b6e8b27f39b843ca281

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdCECB.tmp\nsDialogs.dll

Filesize
20KB

MD5
4e5bc4458afa770636f2806ee0a1e999

SHA1
76dcc64af867526f776ab9225e7f4fe076487765

SHA256
91a484dc79be64dd11bf5acb62c893e57505fcd8809483aa92b04f10d81f9de0

SHA512
b6f529073a943bddbcb30a57d62216c78fcc9a09424b51ac0824ebfb9cac6cae4211bda26522d6923bd228f244ed8c41656c38284c71867f65d425727dd70162

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdCECB.tmp\nsExec.dll

Filesize
17KB

MD5
2095af18c696968208315d4328a2b7fe

SHA1
b1b0e70c03724b2941e92c5098cc1fc0f2b51568

SHA256
3e2399ae5ce16dd69f7e2c71d928cf54a1024afced8155f1fd663a3e123d9226

SHA512
60105dfb1cd60b4048bd7b367969f36ed6bd29f92488ba8cfa862e31942fd529cbc58e8b0c738d91d8bef07c5902ce334e36c66eae1bfe104b44a159b5615ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdCECB.tmp\nsProcess.dll

Filesize
15KB

MD5
08072dc900ca0626e8c079b2c5bcfcf3

SHA1
35f2bfa0b1b2a65b9475fb91af31f7b02aee4e37

SHA256
bb6ce83ddaad4f530a66a1048fac868dfc3b86f5e7b8e240d84d1633e385aee8

SHA512
8981da7f225eb78c414e9fb3c63af0c4daae4a78b4f3033df11cce43c3a22fdbf3853425fe3024f68c73d57ffb128cba4d0db63eda1402212d1c7e0ac022353c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
11KB

MD5
f92e9cd562b201512c1f178d5b41d0fa

SHA1
b2c9e8434171f9ec2515560fd9fa75e7580a6090

SHA256
02a41c1da933630a386f030bf73c4158a8a8cde1c6ae559998fa3442c9dd4c06

SHA512
c2ecba0871772976c9c8cdaf2d352c20740f0696b553a8685854449f4f5570452195add4b1780313c29536c123c1df326155d112accb48abe85bc764b9999d1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
14KB

MD5
5ae047bcfc26b1eb18dece41086f1bc3

SHA1
5f05b1100f05685053777019e3aca49444c7019d

SHA256
9bcd9e8963fa1a58ce66c7971940d3e36a0948f978bbadc9778e4085c2267f42

SHA512
8cd7d8983b80c2e77ec54e2087fbed8a16cd720df99386f5c7aa0e6caaece277349cf506a176be463264a19eba4db46233ee93a252558710f4989d5560d44c81

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\AlternateServices.bin

Filesize
6KB

MD5
6b85f46f70a30ad95f511b7b62128760

SHA1
32efcb49983497a306f8d021c037bcb3e1bb0de3

SHA256
350011d5a301d46000d11ff2ebc2bc216ac895358143625946269dc3697434f0

SHA512
344e06393a56f8cba743fff6678aa049245e86ca64dcf0fc29a507a2f5937db03fc4d344c5d4e368ac5cedd589d86a89a087fdc7a92ea1a253fcf85b994dbfa0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\AlternateServices.bin

Filesize
8KB

MD5
18764ec39d7fb798414d6bccab0ee8a8

SHA1
1bd493d9deca5232a1e6f98dbb6fc84e7e97ad9d

SHA256
93e82c71811d73c4a838488d5a46cd7107e412425bfca076521c4a02a90a7ecb

SHA512
b3eff03c4739014a3382f3b02f3a5984d599f45892b7a7c6c8dea6d7da8079f9d7be605b2727fa13bbf073de700849ae72afdf4dda1f02d147f2d6c7f0ba8a4d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\cookies.sqlite

Filesize
512KB

MD5
2613f60a0d2e635755431af08db26626

SHA1
46bfeb5634bc3640d48f92b8fc3b4b8529419f1b

SHA256
779174b184dffa7d3c0ecfb40add8528c924d3e57d896a0625723e60f700e10c

SHA512
46bd0ebe6575b19c17b6edb643e48cc1efdeb4c12ef0ce77e91126897a6ec89c4eaedcdd6d564377ecae1e41b095ece1794fa76c7761c1cb318700ac81b7cfec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\cookies.sqlite-wal

Filesize
64KB

MD5
01c60df55e371a8a19026fe100d7d6ab

SHA1
84d4bb89e7e8eafe4cddaf6255ca805506db42f7

SHA256
60b15f88508fc0988d0d06f9ec5109a3dd68bccecfaf39d1dcb36973055e74f3

SHA512
05a8c229f0ffc26698f7f43b29eac2b55a91e15626570f5ab9630e0f0b81bdf23bc9e0ee415baeb2f36d7a6aafdf2b0988a0219adad403ac313805c3d22350fc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
495d902d50d17028385904c6e9a5b8d2

SHA1
273293adcd869d8199eb24adaf0c917aaa23d304

SHA256
04f61c96716957eb90faf212d44a201bedce3360e68ae1524e7cfa18cde638eb

SHA512
6a4778fbe77c367b0b855e830f4e8e2fe45488408160074c4b5c48bca70e727868d9b0a3fc795680b122ee6b0abf11cb5ea1051e33b78282b6fe61cb30ee6954

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
e4b5303998966687525cf658ddb167a1

SHA1
0a4d416300f8646d88c9b762ad675d031352b7ee

SHA256
129b1e0606af6de651058fd0e442e5e1a3be1ef674db9fc8022cb609aa2e3cc0

SHA512
b1b3acb049e61ac1dacd9efb4b7267f43285a9798989b27cedfb4c72b83246a586a4b02097af1498ce8981b713a8d33f53ad3d24fe8b35f42db2cc24b1413c1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
37KB

MD5
d6004e1d2d859f449371f317be0517af

SHA1
84aec28ae224d96a4bee4d79203a29f88ea8cb5f

SHA256
24cf321edff8abdf23256db2acce2f541ecadd9c62791bc5ce1510bc58bf339e

SHA512
d1041be0b8bb60836fb488ed9e84a6f8b2444e284fb96dff2375a3cb3b4fae94d30b378deb6bd8bdb36c3ec977a10cd416bdf0bd9bee90392479121a5b9e2299

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
37KB

MD5
eba948a4b9d1da9de08cd743c3362479

SHA1
ecaf1077c1b86395a3154f8c53e500ecc6309613

SHA256
c600bdc6ce5f3b51129a562b1cae42b213159b3d338d6c41962eb291e0ef6027

SHA512
55469cf53775685afaceb50539d2a1bb199aa2f1f6525a75d2664134a893b01d66fc129e3674722bdff0889e521b29bdcd02e45138f3a66178d48b988918a68f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
37KB

MD5
a629d382b9795e6d4595bb9b957e52c3

SHA1
c4fd3cc68957253216d8cf80cf4056730eec999c

SHA256
4e5bc39fdcc1baccb3d6eb4b78b6be9548a686e4532c90d31df66b04ad098a7f

SHA512
217b6a902d0750d40f18707dbad86aa583c79be094da969ce1438be2733bab95d6a7e4761489650bd82e16e8960adda0bdc85895a947791e3e30439c03138595

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
bec74633fee04ac170b2e1466ddbc12e

SHA1
49558b47f6a0cde7eba53540a0ec269b3882b412

SHA256
833b2f0fdc19b53dfd78303918e8ed91a9246cf9e55d1294e3826778d17fed9d

SHA512
ac869dac3f07fa8ddd52671d5ad2dd506b2d96a848e360c2817e3d0d5e365c0f81b690b6b5c5032f4c9ab79383a92af27e254fd35310a8e22d9dafeca2816ae5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
25d71076bfa83abc9346de1d9f681a02

SHA1
2c6645b488c25895664152ab35532662d59f6583

SHA256
6348cea66e96ba13269faa05059ab8955565219f22be0398525aff1c300d4e8b

SHA512
6a5a8f1350ff96731b8b926514796f75b06bb620407dd1d09e460dc26b7bebbd19f3037435e53efe40d57a78638fb2dccb57a4e8ea4f330c2b8571f1c453ff4a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\pending_pings\180e9012-2635-470f-8114-afec21933493

Filesize
982B

MD5
1cdc4b4f8f039d26bf059e2e274a2b2f

SHA1
5b3c67e9d43f027542ada6c350fae22a45f7c5dd

SHA256
cf3addfda4683a4e52f37f0eea2a91a5ba3a77e71ab8c10adc5f692d157487ea

SHA512
7a08dd8f60a52194153ac4eeb308a2cdb7233aa0b0aaf864f4a1167ffa952ca102d2e8e28bd82eeb113cb9a6282c6da51a88901abb375a88829f448cf3699ced

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\pending_pings\71d7e85d-ef73-4150-ba71-55869192b5b3

Filesize
1KB

MD5
0fe41d4129300a2fd8c335703700765c

SHA1
ff9d0423c12f47d7e5a030bf4f7fcebc8f671060

SHA256
07edfe50cf6165d7fad00d9eb5031be8e25b9a65cfc9b71bb137392aee027d00

SHA512
e1adbd1ada6c7c00274f6ec53469b58fdd13de1cc3c086f3cf55d25fe4d3a00f9fb7b3c022b52cbb144c9346072ec6d2db256fc239846a60612c46e093842747

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\pending_pings\c23e306b-eebb-4dd6-baed-91fbee1f3170

Filesize
24KB

MD5
006e34f485df67304ccfb763bde1b18e

SHA1
44469e9f0d1d19cb56f7b1756f2d3c6005c5d67d

SHA256
752c16eaeb0eddc1417f7d9e54e893c1faa064063cbe5ba8df91c9b92b0ce40e

SHA512
e95d32ae274e5f4571af057a7897f6ed97dc89e4cad14f0fc6fd22ba2d3583fde07a3f31489315018ee58d99d128505276cad3c2774c3b6fa5c13fda543fa45e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\pending_pings\d5a3036e-2fd2-4556-92ca-71eac5716875

Filesize
676B

MD5
a7106cf494d665c117c16772c484797f

SHA1
7cddd00e0dcbad2a2c4380f74103965a7981c832

SHA256
c794d39593756e1ea6d5ebc3a3323a52456bd3c75e45a13b4e1c07ae44a7192c

SHA512
6f8c2df0c1b2bebbcd8511d263e1830f015c6daa59a670ae91b44305a34967b9604ff879dcdf8c56ac958335fc450f66a0c087b1ef5468b12337bf5dbac8b2db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\pending_pings\e8693f19-1f02-4f0d-bf18-64768a3eaaa0

Filesize
671B

MD5
65869430e06005770eaef4b4f0ff7608

SHA1
be7cfd13ebf6decc20660a365817c88f2e42f212

SHA256
1baece8c9a86de20ce56e104078468c9a4dc831c27b001b91eba4bf719a79ee2

SHA512
a6a020bb2dd85f04d2722887b9b808e948bd24d9119f69e51c55453098fc0f77fae5ea53299e2ae761ef13fc5feba6be6cea9232594a4f3ef79f887e451755c8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\extensions.json

Filesize
37KB

MD5
e069846fe6bb0c39e17b533badca9780

SHA1
f94b439361d7f85c79b9646b2f6522c7c82d67d3

SHA256
b48101726cbe7d34be31ef70c806bb7d2632a39b91d9f21cba6664bd3df2d81e

SHA512
701d090910d9d2c380fb7fe5444b9a970a3977f2963bb9a53fc51dcf77656d58e9634ed9bddd37a7fe0b5690e903198981d1d90fe1c195d79782771c95125df7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\permissions.sqlite

Filesize
96KB

MD5
631af196aa37f8ea7a20272def3facaf

SHA1
ba09f60432385d0eacfce4d3c5678497e7731326

SHA256
3517817676dbb57066f44ada5646a20136a71a0d213ce725ec05ea4f1617b9c2

SHA512
ed4b5ecbc303f24313fd752d4da1604386ad6a7b9aeb896c63b8feadd9b92c1a64e5864b567994627cd66dbd280837cd030acea65da4c46354363ac62f367e32

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\prefs-1.js

Filesize
9KB

MD5
5ecee16d01b919015009b71db3c0df50

SHA1
67d30b43fc9216c24be21f559e3a917693677301

SHA256
7364f7f5f9db5155f6957908d5e4e640f89c49b1ce369a5842d3f7c0baa1f82f

SHA512
7eb8206e72516ff6733995aa66eb4c9d3ef448d58a718cdbca516dc62fcfa0c52ddbb6acf1a36f52b235efaa2be81987b4059e1e2b77edb23ee99f7483994a9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\prefs-1.js

Filesize
10KB

MD5
04c673de97c60c80573d59d73c627921

SHA1
61a7feab2ebbe4d0e231372aedd7ed3d3c92af9d

SHA256
4e15b48c3ef443535077f2bbd81e18fcd7577431b67eea6d5ab756fba907a705

SHA512
88901e20298da7445ad00a50eb950329763ec1c58f8018bf7b00f57d184e63cef9c7d56f5187a6745658c634ba07f482e14f42fd16aad77edede6658ac7d1a50

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\prefs-1.js

Filesize
10KB

MD5
23a15ea40fb5789fcde3606a73e33aa6

SHA1
8c6e86c6332324e1c75b2fddf8c7516d359e86b3

SHA256
75454a04ed711a3c988444243a5fea0dcda227ee0d75c9e7facee99b835dd67a

SHA512
bd570073edd186ff972402f06ffbc50c187f25e338b6172668edea8dc83deaf7b19448f8d1efd958b55752c5af9d56591e3cdda4e632a047416b713345a722a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\prefs.js

Filesize
10KB

MD5
291d7ddaa031632020612cfef3d29e81

SHA1
2f721d55223d9d77983c22cfc5c7ace58c16e86d

SHA256
8e006120a0e07bfde577926b3a9c7a4bb0529afd7ee5e968ea8a9e599cc98326

SHA512
953200a27582e28a7ea3c60bd37684300c09aa63c398540c4cd343e1f4f3534e7efa3bc214cff52ac0bbc817a16215c08d0f2cf7ca43d56a5ac9ea9b806db661

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\prefs.js

Filesize
10KB

MD5
1af449838126e68513b18b148dfe8b92

SHA1
ab6e9ef2e7b4ec7a347b3a50cbb40423bb32cadc

SHA256
712a3c47c4c585cac9943849b43f601cf91f865df3b4cd241ba3b68eeb895dd4

SHA512
a91d34e7aafceae5529d774a607c858f0a06a6423aacac921bb98640fbe144ee4ef75b92f5efb1bbe6fde4b248a5193c897a785fd5d0c90387a601b584dd7984

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionCheckpoints.json

Filesize
122B

MD5
99601438ae1349b653fcd00278943f90

SHA1
8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9

SHA256
72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a

SHA512
ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionCheckpoints.json

Filesize
288B

MD5
948a7403e323297c6bb8a5c791b42866

SHA1
88a555717e8a4a33eccfb7d47a2a4aa31038f9c0

SHA256
2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e

SHA512
17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
0fda6b78721854cd6cad521dd244e336

SHA1
2e12d5c90b61d97bb17a801000abf236913d9f17

SHA256
a91ac5f4a6aa948b34f437aca2d9fa200097d829e117ff112873a3b2bb8b4232

SHA512
7c71a0c7fc34c2bbffb4c74c5967a08ee92650d1029775c71d16542c3d3cc9d067d761105a16b0e30c87c3f0eacff706e623fbd73959be6a4f848a4cee9fcca4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
9504f3c32f5338b2b4eeb27dddd214d4

SHA1
244f310308c9695ca667b9ab950d6fec678c4046

SHA256
c162ac6639d2bc58988fa2d7e0c08125a49cd57ca15bbb33b9a17f7dcf8fdbfa

SHA512
0e883277e55564594b4233f57c8dc2b50a4319094ac63255c4885a6793ceed4652832f4b448b2358f314aae822c536cef78ae31fa432d1cdcceca48d5f92ed75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
f1a8dc06d2a096aeda37af883b6751c0

SHA1
28183e8e2a979c5dcd3675d9822a21c2c4c4d72d

SHA256
e03f1cc4b34ff902218371d2ed8e944d60ad6395f935bdb3922bc7f208e57804

SHA512
f3629ce3b9b2fb39f4c57ae1de0f9571d663f482958d44544a387c4740b0a0c20778b781c4ae5bcb1560c0f72294a5d18378c2ed0b83aa95976dfc283994441a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
224cfd39750ab8367b186dc0d34618e1

SHA1
d5e09856806c4946e1377c2f185f1337e37e89b2

SHA256
6fc375616ddfdfdcff4d4bb26fa54393fc8e5a5fef1ae67495c9841b21f447f3

SHA512
abdb5f42cdc5b0586a9b89113e0cc9ffc1e420b41b300d136aaeaaad94f00eafc5d7893dfdb32dab57b24f4b3bd2b6f140f9e69631f9c3c10d1e3fa23b7a7caf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore.jsonlz4

Filesize
1KB

MD5
8ca9e522c8c67614c65c618030b39ee8

SHA1
f7a31a1f99131c3ebd034dcdeacf89c387bcdbdd

SHA256
516b004a6cc8715cb4234a91f12aea94374b641df054e262038f863bfc734eec

SHA512
5a638f39985dc2f71c39713475e399fd6e749c0d75e2caf59a81cc913d781f62dd229a21b24e78f017971c2f8a15fd0fabe622a7aa158dab2ccf8a3bc17c7815

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\storage.sqlite

Filesize
4KB

MD5
23605e20ec7b9c605b210ac3996e7a62

SHA1
e01d89d33f05c4e7ef9eb63d1487b297b420ac86

SHA256
1387ad3f14749464f83e64bff542db5bdb73d1ec9a6556bbf3041d943a7e3003

SHA512
63f6a0102efd24da5fd50b0fc6ff00da33baf2cf3cd2fb1596e6293aaf551ec41b2ddda9b868f606c3c7269132e282d06d3c815b75d71ed9c2e46354ce588450

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite

Filesize
48KB

MD5
e10478144082682af5628584e1e5c166

SHA1
60723727009055181c97bd9fb82e91b6d9e9080d

SHA256
9b4186257b52d908ef7fd05189cce8f75c9e73d0164787864875c26fb1b96ffa

SHA512
37408623c517c3d5d2812278e036907fab9f515f3931fd18e69834724e5e8b082e634672bf55286c03c73c24273a01a065321c54a6ffefab761854c3c872a933

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
376KB

MD5
8726e011be1b02fb0e4f0b5e4761e3f2

SHA1
d2329508c8be01592dea159d367a49dad4e15bce

SHA256
957f90b4eff9d1a603da6be6cf562cea90b1ca49541fdbc70a8992405e2b2fc8

SHA512
ca85868f57ddbb1ef37ab3fa1d5b2dbc8b4bc4912b82f4d3eb98aaaadf381b1de980b5823f5d75b092423eaab7b47bbcb073929383c32987abe8acb2f9d50b4a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
552KB

MD5
cf2fc1f1fc1ce1eddd01aa1451178a0c

SHA1
199ef5ffbdbb6e434c52c8a51a5a0c3b0fab6b4c

SHA256
4660d12eb2dd30a5f33420da87321ae8fea61c942656f0b4d172ce22def44003

SHA512
1c0076bb502309006d0ca9450ab7716eab5a6bc194f0ce6e7d121f0b682367bd1debe3855d06cc9d65cfef21f7efc1cbef59660ce8d79acf17f7a6bf60d23ebb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\xulstore.json

Filesize
217B

MD5
4cbdfc4880bec82d84bce21747789706

SHA1
e11d96dba2f23684d3c47e915103fde230293a23

SHA256
09df9aeebf64843204519e11c0c2d42816576965866bac84aa1b0cb58945a910

SHA512
21ba56a3558b1f2e6dc2c2e6f7589d3d2d8371c924e066da961eed61b8423f520c5d1eb0aec3a00fb0032fa398d3cd3051d2f27976fbe5dc2a18777d8c71b456

Download Submit
C:\Users\Admin\Downloads\SteamSetup.exe

Filesize
2.3MB

MD5
1b54b70beef8eb240db31718e8f7eb5d

SHA1
da5995070737ec655824c92622333c489eb6bce4

SHA256
7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb

SHA512
fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb

Download Submit
C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier

Filesize
102B

MD5
409b23c23645379db2cb386897bc0046

SHA1
652eb2c72f44b117d28eb541a1cad975d1fc5f89

SHA256
4388c15696b8ddbd634943ee2af9165f6a6054eda52270add788b1c247532f47

SHA512
ac8a000ff30b488ff11c0ad1e58c2a38f7c36693383f69901f78e1b07ea73de10f3f032aefee8d26e7384739168d3b7306f9f4c6c13b02fd85b9f16d6e6588d7

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping10256_1436309088\LICENSE

Filesize
473B

MD5
f6719687bed7403612eaed0b191eb4a9

SHA1
dd03919750e45507743bd089a659e8efcefa7af1

SHA256
afb514e4269594234b32c873ba2cd3cc8892e836861137b531a40a1232820c59

SHA512
dd14a7eae05d90f35a055a5098d09cd2233d784f6ac228b5927925241689bff828e573b7a90a5196bfdd7aaeecf00f5c94486ad9e3910cfb07475fcfbb7f0d56

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping10256_1436309088\manifest.json

Filesize
1001B

MD5
2ff237adbc218a4934a8b361bcd3428e

SHA1
efad279269d9372dcf9c65b8527792e2e9e6ca7d

SHA256
25a702dd5389cc7b077c6b4e06c1fad9bdea74a9c37453388986d093c277d827

SHA512
bafd91699019ab756adf13633b825d9d9bae374ca146e8c05abc70c931d491d421268a6e6549a8d284782898bc6eb99e3017fbe3a98e09cd3dfecad19f95e542

Download Submit
memory/1388-13092-0x00000000007C0000-0x0000000000C72000-memory.dmp

Filesize
4.7MB

Download
memory/10160-13313-0x000000006E880000-0x000000006FBC1000-memory.dmp

Filesize
19.3MB

Download
memory/10160-13343-0x000000006E880000-0x000000006FBC1000-memory.dmp

Filesize
19.3MB

Download
memory/10160-13488-0x000000006E880000-0x000000006FBC1000-memory.dmp

Filesize
19.3MB

Download
memory/10160-13498-0x000000006E880000-0x000000006FBC1000-memory.dmp

Filesize
19.3MB

Download
memory/10160-13514-0x000000006E880000-0x000000006FBC1000-memory.dmp

Filesize
19.3MB

Download
memory/10160-13255-0x000000006E880000-0x000000006FBC1000-memory.dmp

Filesize
19.3MB

Download
memory/10160-13286-0x000000006E880000-0x000000006FBC1000-memory.dmp

Filesize
19.3MB

Download
memory/10160-13324-0x000000006E880000-0x000000006FBC1000-memory.dmp

Filesize
19.3MB

Download
memory/10160-13337-0x000000006E880000-0x000000006FBC1000-memory.dmp

Filesize
19.3MB

Download
memory/10160-13467-0x000000006E880000-0x000000006FBC1000-memory.dmp

Filesize
19.3MB

Download
memory/10160-13649-0x000000006E880000-0x000000006FBC1000-memory.dmp

Filesize
19.3MB

Download
memory/10160-13354-0x000000006E880000-0x000000006FBC1000-memory.dmp

Filesize
19.3MB

Download
memory/10160-13406-0x000000006E880000-0x000000006FBC1000-memory.dmp

Filesize
19.3MB

Download
memory/10160-13567-0x000000006E880000-0x000000006FBC1000-memory.dmp

Filesize
19.3MB

Download
memory/10160-13554-0x000000006E880000-0x000000006FBC1000-memory.dmp

Filesize
19.3MB

Download
memory/10160-13544-0x000000006E880000-0x000000006FBC1000-memory.dmp

Filesize
19.3MB

Download
memory/10952-13138-0x00007FF80DE30000-0x00007FF80DE31000-memory.dmp

Filesize
4KB

Download
memory/10952-13137-0x00007FF80EF50000-0x00007FF80EF51000-memory.dmp

Filesize
4KB

Download
memory/10952-13266-0x00000180F14B0000-0x00000180F164A000-memory.dmp

Filesize
1.6MB

Download
memory/11132-13267-0x00000149340E0000-0x000001493427A000-memory.dmp

Filesize
1.6MB

Download
memory/13580-13462-0x00000200E8E70000-0x00000200E900A000-memory.dmp

Filesize
1.6MB

Download
memory/14000-13526-0x000001F111BD0000-0x000001F111BD1000-memory.dmp

Filesize
4KB

Download
memory/14000-13521-0x000001F111BD0000-0x000001F111BD1000-memory.dmp

Filesize
4KB

Download
memory/14000-13527-0x000001F111BD0000-0x000001F111BD1000-memory.dmp

Filesize
4KB

Download
memory/14000-13517-0x000001F111BD0000-0x000001F111BD1000-memory.dmp

Filesize
4KB

Download
memory/14000-13516-0x000001F111BD0000-0x000001F111BD1000-memory.dmp

Filesize
4KB

Download
memory/14000-13525-0x000001F111BD0000-0x000001F111BD1000-memory.dmp

Filesize
4KB

Download
memory/14000-13524-0x000001F111BD0000-0x000001F111BD1000-memory.dmp

Filesize
4KB

Download
memory/14000-13515-0x000001F111BD0000-0x000001F111BD1000-memory.dmp

Filesize
4KB

Download
memory/14000-13523-0x000001F111BD0000-0x000001F111BD1000-memory.dmp

Filesize
4KB

Download
memory/14000-13522-0x000001F111BD0000-0x000001F111BD1000-memory.dmp

Filesize
4KB

Download