hxxps://www[.]youtube[.]com/

Analysis

max time kernel
536s
max time network
537s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-01-2025 00:55

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://www.youtube.com/

Score

9^/10

steam defense_evasion discovery persistence phishing privilege_escalation ransomware

Malware Config

Signatures

Renames multiple (51) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Downloads MZ/PE file 1 IoCs

flow	pid	Process
689	1512	firefox.exe

Executes dropped EXE 4 IoCs

pid	Process
3116	SteamSetup.exe
6624	steamservice.exe
5928	steam.exe
3632	steam.exe

Loads dropped DLL 10 IoCs

pid	Process
3116	SteamSetup.exe
3116	SteamSetup.exe
3116	SteamSetup.exe
3116	SteamSetup.exe
3116	SteamSetup.exe
3116	SteamSetup.exe
3116	SteamSetup.exe
3116	SteamSetup.exe
5928	steam.exe
3632	steam.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"	SteamSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Detected potential entity reuse from brand STEAM. 1 IoCs

phishing steam

flow	pid	Process
666	1512	firefox.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_10DCBF5FBA834F6D834B838081993A6A.dat	utilman.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_10DCBF5FBA834F6D834B838081993A6A.dat	utilman.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_trackpad_l_down.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\cef\cef.win7x64\locales\sr.pak_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_110_social_0308.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\localization\shared_arabic-json.js_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\localization\shared_koreana-json.js_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sd_l4_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\switchpro_lstick_up.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_ltrackpad_click_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\cef\cef.win7\locales\it.pak_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\switchpro_rstick_left_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\localization\switch_controller_english.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\localization\switch_controller_swedish.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sc_touchpad_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps5_trackpad_ring.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_trackpad_click.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_l2_soft_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\switchpro_button_home_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\subchangepasswordenterpassword.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_010_wpn_0530.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\localization\shared_greek-json.js_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\localization\shared_turkish-json.js_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_color_button_triangle_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_lb.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_touch_tap_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_mouse_l_click_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps_outlined_button_triangle_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_030_inv_0308.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_045_move_0422.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_035_magic_0306.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_040_act_0337.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\FriendsPanelLeftBG_Over.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps5_trackpad_r_left_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_trackpad_r_click.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\templates\controller_ps3_gamepad_fps.vdf_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_outlined_button_a_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\templates\controller_xboxone_gamepad_joystick.vdf_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_045_move_0050.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_100_target_0010.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps4_trackpad_down_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\cmnd_camera_horizon_reset.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sc_lt_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sd_rtrackpad.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\cef\cef.win7\locales\he.pak_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\genesis_a.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\localization\friendsui_czech-json.js_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\switchpro_lstick_down_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_050_menu_0303.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sd_rtrackpad_up_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps5_trackpad_l_ring_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sc_lt_click.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_trackpad_down_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_color_outlined_button_x_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sc_dpad_right_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\cef\cef.win7\locales\nb.pak_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_controller_bpm_down.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_security_twofactor.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\osx_close_def_new.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\steam_logo.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps4_trackpad_click_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_lstick_down.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\genesis_z.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\css\gamenotes.css_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_010_wpn_0451.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\localization\xbox_one_dutch.txt_	steam.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SteamSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Checks processor information in registry 2 TTPs 31 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 35 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "444014832"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000015b23f853068b428b3f3a86785aaeb1000000000200000000001066000000010000200000002fb77c8514ce8816dbffa4b10bad0ec023e7bb4ad6dfd03be7f650256d16f2a1000000000e800000000200002000000008a1cd5572703ccefa4eb1bc95f0c78b4b95fc1921077acc2fd5eead3016813f20000000e22fe05332f6c361e4d8c6f5d1899cbb93b366b6914b83be983a695e4d6d8c42400000004e769dfd16981725a9bb4d511a30c564230f185b77abb25e907357daf4bdc2bb1d22c3c985777f2bfc465426888c417b72f4a6bde235482e923b49f311a335b7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5231A201-DB80-11EF-BB31-7694D31B45CA} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70eeda288d6fdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000015b23f853068b428b3f3a86785aaeb1000000000200000000001066000000010000200000008a9df727bf995c9c536fd53bf04bedd23c55af95a2bc1a435858533c1e8de051000000000e8000000002000020000000fdc6af73c556861d3409a27d04377a240cc9e2598cf87376d218661e779a5df290000000a19d7115b5fcb7a924899610c802e66f953013f2279438f3b49d5e6a31d650630f491493a2c7d4518c5af1928fd7031c7a0082747aa9792ba91e278d537c8e7b459637cdd726cbd54faa3333912df88461777c4d0759565132c330a9cddc8e37aa8c62923f558943b26fe881f47d928ecd5375c4f72e0b4f7ca600af0f8ee4a461cb254c5b1370c4373e1612f600f5aa400000006d11a9774cffade02f2bbd72e50d676c2d7c7cbc51112daf83f8820470ade4407b312184f5472774bf0ffb8b8aaaa082ac7447d0c33ed3f4a5ce2361901c5090	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\DefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech\\AudioOutput\\TokenEnums\\MMAudioOut\\"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\PhoneConverters	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\PhoneConverters\DefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech\\PhoneConverters\\Tokens\\English"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{7e77a82c-c80e-4a37-8161-76983e1a540c}\DeviceName = "Speakers (High Definition Audio Device)"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{7e77a82c-c80e-4a37-8161-76983e1a540c}\Attributes\Vendor = "Microsoft"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{7e77a82c-c80e-4a37-8161-76983e1a540c}\ = "Speakers (High Definition Audio Device)"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\Voices	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{7e77a82c-c80e-4a37-8161-76983e1a540c}	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{7e77a82c-c80e-4a37-8161-76983e1a540c}\Attributes\Technology = "MMSys"	utilman.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\AppLexicons	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}\Files\Datafile = "%1a%\\Microsoft\\Speech\\Files\\UserLexicons\\SP_10DCBF5FBA834F6D834B838081993A6A.dat"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AppLexicons	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{7e77a82c-c80e-4a37-8161-76983e1a540c}\DeviceId = "{0.0.0.00000000}.{7e77a82c-c80e-4a37-8161-76983e1a540c}"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\ = "Current User Lexicon"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{7e77a82c-c80e-4a37-8161-76983e1a540c}\CLSID = "{A8C680EB-3D32-11D2-9EE7-00C04F797396}"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\Generation = "0"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel = "1"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\Voices\DefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech\\Voices\\Tokens\\MS-Anna-1033-20-DSK"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\CLSID = "{C9E37C15-DF92-4727-85D6-72E5EEB6995A}"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}\Files	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\System	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{7e77a82c-c80e-4a37-8161-76983e1a540c}\Attributes	utilman.exe

Modifies registry class 43 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\DefaultIcon	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\steam\DefaultIcon	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\steam\Shell\Open	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\steamlink\Shell	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\steamlink\DefaultIcon	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\steam\URL Protocol	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\steam\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\URL Protocol	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\steamlink\Shell\Open	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\steamlink	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\URL Protocol	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\steam\ = "URL:steam protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\DefaultIcon	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\steam	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\ = "URL:steam protocol"	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\steam\Shell	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\steamlink\URL Protocol	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\Shell\Open\Command	steamservice.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	steam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	steam.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
3116	SteamSetup.exe
3116	SteamSetup.exe
3116	SteamSetup.exe
3116	SteamSetup.exe
3116	SteamSetup.exe
3116	SteamSetup.exe
3116	SteamSetup.exe
3116	SteamSetup.exe
3116	SteamSetup.exe
3116	SteamSetup.exe
3116	SteamSetup.exe
3116	SteamSetup.exe
3116	SteamSetup.exe
3116	SteamSetup.exe
3116	SteamSetup.exe
3116	SteamSetup.exe
3336	utilman.exe
3336	utilman.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
2304	iexplore.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1272	firefox.exe
1272	firefox.exe
1272	firefox.exe
1272	firefox.exe
1272	firefox.exe
2436	firefox.exe
2436	firefox.exe
2436	firefox.exe
2436	firefox.exe
2436	firefox.exe

Suspicious use of SendNotifyMessage 43 IoCs

pid	Process
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1272	firefox.exe
1272	firefox.exe
1272	firefox.exe
1272	firefox.exe
2436	firefox.exe
2436	firefox.exe
2436	firefox.exe
2436	firefox.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2304	iexplore.exe
2304	iexplore.exe
2400	IEXPLORE.EXE
2400	IEXPLORE.EXE
2400	IEXPLORE.EXE
2400	IEXPLORE.EXE
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe
1512	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2400	2304	iexplore.exe	31
PID 2304 wrote to memory of 2400	2304	iexplore.exe	31
PID 2304 wrote to memory of 2400	2304	iexplore.exe	31
PID 2304 wrote to memory of 2400	2304	iexplore.exe	31
PID 2132 wrote to memory of 1992	2132	chrome.exe	34
PID 2132 wrote to memory of 1992	2132	chrome.exe	34
PID 2132 wrote to memory of 1992	2132	chrome.exe	34
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1296	2132	chrome.exe	36
PID 2132 wrote to memory of 1096	2132	chrome.exe	37
PID 2132 wrote to memory of 1096	2132	chrome.exe	37
PID 2132 wrote to memory of 1096	2132	chrome.exe	37
PID 2132 wrote to memory of 696	2132	chrome.exe	38
PID 2132 wrote to memory of 696	2132	chrome.exe	38
PID 2132 wrote to memory of 696	2132	chrome.exe	38
PID 2132 wrote to memory of 696	2132	chrome.exe	38
PID 2132 wrote to memory of 696	2132	chrome.exe	38
PID 2132 wrote to memory of 696	2132	chrome.exe	38
PID 2132 wrote to memory of 696	2132	chrome.exe	38
PID 2132 wrote to memory of 696	2132	chrome.exe	38
PID 2132 wrote to memory of 696	2132	chrome.exe	38
PID 2132 wrote to memory of 696	2132	chrome.exe	38
PID 2132 wrote to memory of 696	2132	chrome.exe	38
PID 2132 wrote to memory of 696	2132	chrome.exe	38
PID 2132 wrote to memory of 696	2132	chrome.exe	38
PID 2132 wrote to memory of 696	2132	chrome.exe	38
PID 2132 wrote to memory of 696	2132	chrome.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2304 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6829758,0x7fef6829768,0x7fef6829778
  2⤵
  PID:1992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1380,i,15933934531979191829,10120430875253533929,131072 /prefetch:2
  2⤵
  PID:1296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1380,i,15933934531979191829,10120430875253533929,131072 /prefetch:8
  2⤵
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1632 --field-trial-handle=1380,i,15933934531979191829,10120430875253533929,131072 /prefetch:8
  2⤵
  PID:696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2344 --field-trial-handle=1380,i,15933934531979191829,10120430875253533929,131072 /prefetch:1
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2380 --field-trial-handle=1380,i,15933934531979191829,10120430875253533929,131072 /prefetch:1
  2⤵
  PID:1808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1388 --field-trial-handle=1380,i,15933934531979191829,10120430875253533929,131072 /prefetch:2
  2⤵
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3296 --field-trial-handle=1380,i,15933934531979191829,10120430875253533929,131072 /prefetch:1
  2⤵
  PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=1444 --field-trial-handle=1380,i,15933934531979191829,10120430875253533929,131072 /prefetch:1
  2⤵
  PID:1128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3300 --field-trial-handle=1380,i,15933934531979191829,10120430875253533929,131072 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=1424 --field-trial-handle=1380,i,15933934531979191829,10120430875253533929,131072 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3856 --field-trial-handle=1380,i,15933934531979191829,10120430875253533929,131072 /prefetch:8
  2⤵
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3616 --field-trial-handle=1380,i,15933934531979191829,10120430875253533929,131072 /prefetch:1
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2376 --field-trial-handle=1380,i,15933934531979191829,10120430875253533929,131072 /prefetch:1
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2776 --field-trial-handle=1380,i,15933934531979191829,10120430875253533929,131072 /prefetch:1
  2⤵
  PID:2152

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:944

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2868
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Downloads MZ/PE file
  - Detected potential entity reuse from brand STEAM.
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.0.85159851\917392233" -parentBuildID 20221007134813 -prefsHandle 1244 -prefMapHandle 1236 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c4d762d-4d26-46e8-a77e-133f448602bc} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 1308 d1bb558 gpu
    3⤵
    PID:1296
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.1.979388013\1919390279" -parentBuildID 20221007134813 -prefsHandle 1500 -prefMapHandle 1496 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {700f2a82-8a54-4fe8-8e00-4404acee774e} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 1512 d70d58 socket
    3⤵
    - Checks processor information in registry
    PID:2596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.2.154127264\663733714" -childID 1 -isForBrowser -prefsHandle 2112 -prefMapHandle 2132 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d73bf6b6-54d4-47d1-9a07-8b9a5a5e03f2} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 2104 19c80b58 tab
    3⤵
    PID:2096
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.3.1499141255\1982763647" -childID 2 -isForBrowser -prefsHandle 800 -prefMapHandle 796 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {67256321-0ebb-4d92-bf62-f22a99732d8e} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 2364 de5558 tab
    3⤵
    PID:2668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.4.1775625628\1256439440" -childID 3 -isForBrowser -prefsHandle 2876 -prefMapHandle 2872 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1dd1a66-f281-4a05-9781-847c7deb4188} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 2888 d5b258 tab
    3⤵
    PID:1552
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.5.1721750995\2095213069" -childID 4 -isForBrowser -prefsHandle 3852 -prefMapHandle 3832 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b376c88a-b9fa-4317-93e3-6fbbd0087f4c} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 3884 1ec0f958 tab
    3⤵
    PID:2084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.6.578023724\1619432821" -childID 5 -isForBrowser -prefsHandle 4000 -prefMapHandle 4004 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2c0f9fe-d55a-4391-8f77-b4d4bf28fad5} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 3988 1f515f58 tab
    3⤵
    PID:1712
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.7.12371964\1069931696" -childID 6 -isForBrowser -prefsHandle 4180 -prefMapHandle 4184 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {723ccd8b-4025-4635-8c34-cc74f8604d69} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 4168 1f516258 tab
    3⤵
    PID:924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.8.2035831113\742163058" -childID 7 -isForBrowser -prefsHandle 4528 -prefMapHandle 4532 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bdc04d5b-0842-49be-b292-d57022a6f49e} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 4548 22e7f658 tab
    3⤵
    PID:1272
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.9.1238395482\1019928562" -childID 8 -isForBrowser -prefsHandle 820 -prefMapHandle 924 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {105e2de4-2264-4b02-8b5a-8a4cbf287401} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 2484 22106b58 tab
    3⤵
    PID:3132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.10.1013849063\1669936902" -childID 9 -isForBrowser -prefsHandle 4808 -prefMapHandle 4824 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1891b96-fb2f-4b57-8e8b-3334f87a81c3} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 4796 1fca9658 tab
    3⤵
    PID:4076
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.11.202772773\1730455068" -childID 10 -isForBrowser -prefsHandle 1924 -prefMapHandle 1996 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae0078a2-58dd-4555-839e-7eb45a211197} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 2860 170ccf58 tab
    3⤵
    PID:3616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.12.623891148\1501048414" -childID 11 -isForBrowser -prefsHandle 8616 -prefMapHandle 8612 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4a0709c-5273-4b6f-9111-668199e5241d} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 8628 2515b558 tab
    3⤵
    PID:3628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.13.1859814316\183974869" -childID 12 -isForBrowser -prefsHandle 8472 -prefMapHandle 8468 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f406e34a-fa88-4e59-bdce-dec0498782a7} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 8360 24cbd858 tab
    3⤵
    PID:3660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.14.624091350\1451435099" -childID 13 -isForBrowser -prefsHandle 1932 -prefMapHandle 1848 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8944e01-1749-4176-a7ce-5a9a87ff112f} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 8412 24ddc958 tab
    3⤵
    PID:3708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.15.237783158\1065952423" -childID 14 -isForBrowser -prefsHandle 8128 -prefMapHandle 8124 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {557ac109-4cbf-40bb-9362-b429c1a0efc7} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 8140 24dddb58 tab
    3⤵
    PID:3856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.16.724183295\830899836" -childID 15 -isForBrowser -prefsHandle 7952 -prefMapHandle 7948 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0273c10c-cf3c-4a75-b474-edd20739e062} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 7964 25f14858 tab
    3⤵
    PID:3864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.17.1183416581\851648424" -parentBuildID 20221007134813 -prefsHandle 8088 -prefMapHandle 8084 -prefsLen 26796 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bed172e-7580-4783-80c8-f87779e9a3da} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 8100 265b0758 rdd
    3⤵
    PID:4212
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.18.491384070\1724745777" -childID 16 -isForBrowser -prefsHandle 7552 -prefMapHandle 7560 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {635211a6-5ef5-4802-9a23-71d9ee52d5ae} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 7540 265a6e58 tab
    3⤵
    PID:4252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.19.1927748206\1195585153" -childID 17 -isForBrowser -prefsHandle 7424 -prefMapHandle 7420 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb41b6e7-6ed8-4cae-b1f7-b949ebc1b968} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 7436 265b2858 tab
    3⤵
    PID:4280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.20.513819389\1057061451" -childID 18 -isForBrowser -prefsHandle 7376 -prefMapHandle 7380 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7ed374a-9b20-4919-861f-188bb1a9c21f} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 7364 265af858 tab
    3⤵
    PID:4304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.21.2083759142\1096283700" -childID 19 -isForBrowser -prefsHandle 7388 -prefMapHandle 7120 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6e636d5-3d14-45c5-af2d-978820a31a1d} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 7220 264a4858 tab
    3⤵
    PID:4360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.22.821612534\1958015244" -childID 20 -isForBrowser -prefsHandle 6988 -prefMapHandle 7380 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d03cf20-af6e-492d-ba53-b6c208dbba78} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 7000 26d74258 tab
    3⤵
    PID:4464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.23.1707031351\1164303484" -childID 21 -isForBrowser -prefsHandle 6820 -prefMapHandle 6824 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d86f84e-b685-4347-9dbc-25428fc3985e} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 6808 265a5c58 tab
    3⤵
    PID:4220
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.24.1752438706\976061577" -childID 22 -isForBrowser -prefsHandle 6696 -prefMapHandle 6692 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {725ad674-9914-4422-aa6c-06b3f8e66878} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 6708 278fc058 tab
    3⤵
    PID:4244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.25.159793207\804743405" -childID 23 -isForBrowser -prefsHandle 6504 -prefMapHandle 6500 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7781d048-601f-4513-9951-8d1f357805d8} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 6516 278fb458 tab
    3⤵
    PID:3324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.26.1131019386\1477591941" -childID 24 -isForBrowser -prefsHandle 3412 -prefMapHandle 6532 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b784fb9-3b0d-4396-9069-088f0d4a5022} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 3692 281d0358 tab
    3⤵
    PID:5640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.27.330695875\2051321859" -childID 25 -isForBrowser -prefsHandle 6216 -prefMapHandle 6212 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1e4086f-f0f1-406e-bf39-29a0d8d89307} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 6652 281cf458 tab
    3⤵
    PID:5648
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.28.1166595666\1080281055" -childID 26 -isForBrowser -prefsHandle 5968 -prefMapHandle 5964 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9b2c261-a348-440c-a0b9-3810b59874f2} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 5980 28357d58 tab
    3⤵
    PID:5736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.29.2129741279\774547512" -childID 27 -isForBrowser -prefsHandle 6128 -prefMapHandle 8560 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {83246eeb-3d77-47a5-b6c5-566581a55045} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 6008 285e7758 tab
    3⤵
    PID:6060
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.30.1679772485\1466747870" -childID 28 -isForBrowser -prefsHandle 5712 -prefMapHandle 5708 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {91fc35be-20cf-4013-8473-ae5cbd6363b0} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 5724 28561558 tab
    3⤵
    PID:5460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.31.208216438\439432036" -childID 29 -isForBrowser -prefsHandle 5612 -prefMapHandle 5608 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {383fa6b9-112f-4a91-9a3c-8bb6bd2fa60b} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 5624 28564e58 tab
    3⤵
    PID:5468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.32.1263130888\1375581481" -childID 30 -isForBrowser -prefsHandle 5440 -prefMapHandle 5436 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {17aa7a84-b5fa-41ee-80f6-971d876fd212} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 5452 28562158 tab
    3⤵
    PID:5476
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.33.1064898962\157212186" -childID 31 -isForBrowser -prefsHandle 6128 -prefMapHandle 5852 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f50f172f-25ab-4fd8-92ee-0db2376c3f5f} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 5656 1e314e58 tab
    3⤵
    PID:7036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.34.510314393\131374275" -childID 32 -isForBrowser -prefsHandle 7444 -prefMapHandle 7452 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0eafdc5-cf10-4780-96c1-9d35196ee555} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 6220 237cc958 tab
    3⤵
    PID:7052

C:\Users\Admin\Downloads\SteamSetup.exe
"C:\Users\Admin\Downloads\SteamSetup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3116
- C:\Program Files (x86)\Steam\bin\steamservice.exe
  "C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:6624

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
PID:5928
- C:\Program Files (x86)\Steam\steam.exe
  "C:\Program Files (x86)\Steam\steam.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:3632

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3392
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1272
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1272.0.681473489\732323238" -parentBuildID 20221007134813 -prefsHandle 1148 -prefMapHandle 1140 -prefsLen 21236 -prefMapSize 233536 -appDir "C:\Program Files\Mozilla Firefox\browser" - {458ecc37-a8be-4c03-b2cb-11e6570d8b1d} 1272 "\\.\pipe\gecko-crash-server-pipe.1272" 1212 4406e58 gpu
    3⤵
    PID:3200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1272.1.420718845\231288178" -parentBuildID 20221007134813 -prefsHandle 1368 -prefMapHandle 1364 -prefsLen 21281 -prefMapSize 233536 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ed4d9a7-641f-4587-bbe2-61ce40bf74a3} 1272 "\\.\pipe\gecko-crash-server-pipe.1272" 1380 edca58 socket
    3⤵
    - Checks processor information in registry
    PID:4132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1272.2.111606634\2082645098" -childID 1 -isForBrowser -prefsHandle 2028 -prefMapHandle 2024 -prefsLen 21742 -prefMapSize 233536 -jsInitHandle 904 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9febd921-1def-47a7-b1e7-a155f40bc6ef} 1272 "\\.\pipe\gecko-crash-server-pipe.1272" 2040 4461d58 tab
    3⤵
    PID:6892
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1272.3.946707184\2019297080" -childID 2 -isForBrowser -prefsHandle 840 -prefMapHandle 2396 -prefsLen 26927 -prefMapSize 233536 -jsInitHandle 904 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6914701d-9eb1-417f-8548-7902f31c922d} 1272 "\\.\pipe\gecko-crash-server-pipe.1272" 796 e72858 tab
    3⤵
    PID:6992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1272.4.1951087309\1509571982" -childID 3 -isForBrowser -prefsHandle 2624 -prefMapHandle 2620 -prefsLen 26927 -prefMapSize 233536 -jsInitHandle 904 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3729da7a-68d2-48fd-b6b5-0c4694830602} 1272 "\\.\pipe\gecko-crash-server-pipe.1272" 2648 e61658 tab
    3⤵
    PID:7004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1272.5.2011599634\979059184" -childID 4 -isForBrowser -prefsHandle 3404 -prefMapHandle 3400 -prefsLen 26927 -prefMapSize 233536 -jsInitHandle 904 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {285a100f-444a-46ab-9934-a02685b496e5} 1272 "\\.\pipe\gecko-crash-server-pipe.1272" 3416 e30b58 tab
    3⤵
    PID:6388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1272.6.1241896053\1433325277" -childID 5 -isForBrowser -prefsHandle 3528 -prefMapHandle 3532 -prefsLen 26927 -prefMapSize 233536 -jsInitHandle 904 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {256b0060-7a24-40b4-a56b-99ec7c8c7538} 1272 "\\.\pipe\gecko-crash-server-pipe.1272" 3516 e68a58 tab
    3⤵
    PID:6396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1272.7.154393683\1761728740" -childID 6 -isForBrowser -prefsHandle 3772 -prefMapHandle 3716 -prefsLen 26927 -prefMapSize 233536 -jsInitHandle 904 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb4254a1-ceca-4fcb-8148-a27d32d27ef8} 1272 "\\.\pipe\gecko-crash-server-pipe.1272" 3760 18940e58 tab
    3⤵
    PID:6444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1272.8.1582614463\272912286" -childID 7 -isForBrowser -prefsHandle 3984 -prefMapHandle 3968 -prefsLen 26927 -prefMapSize 233536 -jsInitHandle 904 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {48d7b7d6-a6bb-4766-a46d-b76cbf76b74a} 1272 "\\.\pipe\gecko-crash-server-pipe.1272" 4000 233ee558 tab
    3⤵
    PID:4404
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1272.9.1145173206\952015325" -childID 8 -isForBrowser -prefsHandle 4000 -prefMapHandle 4032 -prefsLen 26927 -prefMapSize 233536 -jsInitHandle 904 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {24dc5f04-f39b-4447-82ca-43b9b3ff5b29} 1272 "\\.\pipe\gecko-crash-server-pipe.1272" 4116 233f0958 tab
    3⤵
    PID:4092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1272.10.1256207215\1019816810" -childID 9 -isForBrowser -prefsHandle 4300 -prefMapHandle 4304 -prefsLen 26927 -prefMapSize 233536 -jsInitHandle 904 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {66abc142-3b29-450b-96c5-547f048fe533} 1272 "\\.\pipe\gecko-crash-server-pipe.1272" 4292 23575e58 tab
    3⤵
    PID:6496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1272.11.101901646\1878181180" -childID 10 -isForBrowser -prefsHandle 3588 -prefMapHandle 2496 -prefsLen 26927 -prefMapSize 233536 -jsInitHandle 904 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e1c45e2-a1d9-4470-8332-d34f3efc62a2} 1272 "\\.\pipe\gecko-crash-server-pipe.1272" 2500 1c3c9b58 tab
    3⤵
    PID:4988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1272.12.1202393698\1231918181" -childID 11 -isForBrowser -prefsHandle 3768 -prefMapHandle 3764 -prefsLen 26927 -prefMapSize 233536 -jsInitHandle 904 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {122c692f-e89b-4277-94e8-6392bc7da60f} 1272 "\\.\pipe\gecko-crash-server-pipe.1272" 4284 1c3c7a58 tab
    3⤵
    PID:4968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1272.13.1354519733\1403895617" -childID 12 -isForBrowser -prefsHandle 4028 -prefMapHandle 3968 -prefsLen 26927 -prefMapSize 233536 -jsInitHandle 904 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e395429c-1ce7-49e0-a46c-3d55aa5c930a} 1272 "\\.\pipe\gecko-crash-server-pipe.1272" 4200 23537858 tab
    3⤵
    PID:408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1272.14.313085744\303908131" -childID 13 -isForBrowser -prefsHandle 4512 -prefMapHandle 4516 -prefsLen 26927 -prefMapSize 233536 -jsInitHandle 904 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc6d2602-d2f6-412b-bd62-8fa7abedfacb} 1272 "\\.\pipe\gecko-crash-server-pipe.1272" 3968 22d1f358 tab
    3⤵
    PID:3928
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1272.15.21879853\33325199" -childID 14 -isForBrowser -prefsHandle 8652 -prefMapHandle 8656 -prefsLen 26927 -prefMapSize 233536 -jsInitHandle 904 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a678575-cdfa-4d65-9867-92240847c66c} 1272 "\\.\pipe\gecko-crash-server-pipe.1272" 8640 22bb1a58 tab
    3⤵
    PID:5752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1272.16.1424825467\1886703136" -childID 15 -isForBrowser -prefsHandle 8480 -prefMapHandle 8476 -prefsLen 26927 -prefMapSize 233536 -jsInitHandle 904 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec72c204-49e2-46d5-88f0-fc637d09dcea} 1272 "\\.\pipe\gecko-crash-server-pipe.1272" 8492 22bd4458 tab
    3⤵
    PID:4476
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1272.17.722091784\830694800" -childID 16 -isForBrowser -prefsHandle 8508 -prefMapHandle 8504 -prefsLen 26927 -prefMapSize 233536 -jsInitHandle 904 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {367cbbe9-8243-423e-b87c-47f4ede2b736} 1272 "\\.\pipe\gecko-crash-server-pipe.1272" 8640 22d1d258 tab
    3⤵
    PID:3440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1272.18.1553771947\923600732" -childID 17 -isForBrowser -prefsHandle 8368 -prefMapHandle 8640 -prefsLen 26927 -prefMapSize 233536 -jsInitHandle 904 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bf902b8-bc05-4962-843d-a305a7c0e58b} 1272 "\\.\pipe\gecko-crash-server-pipe.1272" 8300 22d1ff58 tab
    3⤵
    PID:6376

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3916
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.0.315754815\1462267415" -parentBuildID 20221007134813 -prefsHandle 1140 -prefMapHandle 1132 -prefsLen 21236 -prefMapSize 233536 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7acc8c6-f17e-4ad1-b89e-5878f3dac74e} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 1204 107fbc58 gpu
    3⤵
    PID:372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.1.1981220671\1182133708" -parentBuildID 20221007134813 -prefsHandle 1360 -prefMapHandle 1356 -prefsLen 21281 -prefMapSize 233536 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c106612-32e0-4526-b715-b0ac08fbf1ce} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 1372 f036a58 socket
    3⤵
    - Checks processor information in registry
    PID:2548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.2.789050186\339496118" -childID 1 -isForBrowser -prefsHandle 2060 -prefMapHandle 2056 -prefsLen 21742 -prefMapSize 233536 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {874595b5-9bf6-4677-b889-67cd19ab80f4} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 2072 1255e958 tab
    3⤵
    PID:4852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.3.122784435\1209750135" -childID 2 -isForBrowser -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 26927 -prefMapSize 233536 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9af14f0-a57c-4bb9-9f05-6f5e7c372d9d} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 2424 1cb59058 tab
    3⤵
    PID:4412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.4.1658420732\1705580920" -childID 3 -isForBrowser -prefsHandle 2572 -prefMapHandle 2384 -prefsLen 26927 -prefMapSize 233536 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {39563e72-d1b6-424c-b295-0007189595e6} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 2584 1c9b3858 tab
    3⤵
    PID:4324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.5.1083298022\1948284176" -childID 4 -isForBrowser -prefsHandle 3388 -prefMapHandle 3024 -prefsLen 26927 -prefMapSize 233536 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d42fc89-931a-4337-ad4e-bc43d064b872} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 3404 1edab258 tab
    3⤵
    PID:6920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.6.979575933\1667230258" -childID 5 -isForBrowser -prefsHandle 3512 -prefMapHandle 3516 -prefsLen 26927 -prefMapSize 233536 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {73233631-5692-4744-ac01-2f0d0f8ee224} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 3500 1eda8258 tab
    3⤵
    PID:6388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.7.973967061\1128159508" -childID 6 -isForBrowser -prefsHandle 3688 -prefMapHandle 3692 -prefsLen 26927 -prefMapSize 233536 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0afbafd6-6c71-4530-8673-65d622a3b53a} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 3676 1eda9158 tab
    3⤵
    PID:6948
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.8.1268116854\1948304258" -childID 7 -isForBrowser -prefsHandle 3400 -prefMapHandle 4056 -prefsLen 26927 -prefMapSize 233536 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {72c8c98b-1258-4e53-a0a2-f3f798686545} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 4036 22249858 tab
    3⤵
    PID:4964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.9.1168327206\907327282" -childID 8 -isForBrowser -prefsHandle 4504 -prefMapHandle 4460 -prefsLen 26927 -prefMapSize 233536 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1bb503d0-4678-4c39-bd34-dc76cb8b3fd5} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 4456 22e5ca58 tab
    3⤵
    PID:1744
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.10.332242454\1130969757" -childID 9 -isForBrowser -prefsHandle 4688 -prefMapHandle 4524 -prefsLen 26927 -prefMapSize 233536 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {61c8ce9e-5e12-4fdf-88a9-37be2f66a2fc} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 4700 220cbe58 tab
    3⤵
    PID:2360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.11.1196088438\1861785342" -childID 10 -isForBrowser -prefsHandle 4876 -prefMapHandle 4820 -prefsLen 26927 -prefMapSize 233536 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b15c6be-6332-4ae4-9b5e-0cbe804d7b5b} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 4864 1a8dae58 tab
    3⤵
    PID:6176
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.12.637860634\703085155" -childID 11 -isForBrowser -prefsHandle 2452 -prefMapHandle 2440 -prefsLen 26927 -prefMapSize 233536 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f9d8c28-6cc2-4f15-9cd1-0e6aef89da90} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 2500 1ed58858 tab
    3⤵
    PID:6068
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.13.87707320\1377458829" -childID 12 -isForBrowser -prefsHandle 8768 -prefMapHandle 8772 -prefsLen 26927 -prefMapSize 233536 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e80adc8-08e7-4925-b204-482e2fc96154} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 2412 21b19658 tab
    3⤵
    PID:6100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.14.298771573\698573385" -childID 13 -isForBrowser -prefsHandle 8600 -prefMapHandle 8596 -prefsLen 26927 -prefMapSize 233536 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8e19bd4-ed04-4b2a-88cc-150cebbe711f} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 8612 220cdf58 tab
    3⤵
    PID:7044

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:7080

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Modifies data under HKEY_USERS
PID:6204
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0
  2⤵
  PID:5004
- C:\Windows\system32\utilman.exe
  utilman.exe /debug
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3336

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
- System Location Discovery: System Language Discovery
PID:6356

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x14c
1⤵
PID:2632

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:5480

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Steam\bin\SteamService.exe

Filesize
2.5MB

MD5
ba0ea9249da4ab8f62432617489ae5a6

SHA1
d8873c5dcb6e128c39cf0c423b502821343659a7

SHA256
ce177dc8cf42513ff819c7b8597c7be290f9e98632a34ecd868dc76003421f0d

SHA512
52958d55b03e1ddc69afc2f1a02f7813199e4b3bf114514c438ab4d10d5ca83b865ba6090550951c0a43b666c6728304009572212444a27a3f5184663f4b0b8b

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_

Filesize
15KB

MD5
577b7286c7b05cecde9bea0a0d39740e

SHA1
144d97afe83738177a2dbe43994f14ec11e44b53

SHA256
983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824

SHA512
8cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_news_mousedown.tga_

Filesize
20KB

MD5
00bf35778a90f9dfa68ce0d1a032d9b5

SHA1
de6a3d102de9a186e1585be14b49390dcb9605d6

SHA256
cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2

SHA512
342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041

Download Submit
C:\Program Files (x86)\Steam\package\tmp\resource\filter_clean_bulgarian.txt.gz_

Filesize
23B

MD5
836dd6b25a8902af48cd52738b675e4b

SHA1
449347c06a872bedf311046bca8d316bfba3830b

SHA256
6feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64

SHA512
6ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_brazilian.txt

Filesize
4KB

MD5
0340d1a0bbdb8f3017d2326f4e351e0a

SHA1
90d078e9f732794db5b0ffeb781a1f2ed2966139

SHA256
0fcd7ae491b467858f2a8745c5ecdd55451399778c2119517ee686d1f264b544

SHA512
9d23e020875ed35825169a6542512ec2ffdb349472a12eb1e59ddc635e57c8fd65fa919873821e35c755aa7d027c9a62d3d0fa617340449d7b2c4cf8dd707e93

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_bulgarian.txt

Filesize
6KB

MD5
4c81277a127e3d65fb5065f518ffe9c2

SHA1
253264b9b56e5bac0714d5be6cade09ae74c2a3a

SHA256
76a6bd74194efd819d33802decdfddaae893069d7000e44944dda05022cfa6d9

SHA512
be077b61f3b6d56a1f4d24957deaf18d2dff699bda6569604aac4f1edb57c3cfd0abc5e2a67809f72e31a90b4aed0813536c153886da2099376964c60e56001a

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_czech.txt

Filesize
4KB

MD5
2158881817b9163bf0fd4724d549aed4

SHA1
c500f2e8f47a11129114ee4f19524aee8fecc502

SHA256
650a265dffdc5dc50200bb82d56f416a3a423eecc08c962cfd1ba2d40a1ff3f7

SHA512
f3594aad9d6c50254f690c903f078a5b7a58c33bd418abdad711ebb74cfbdb5564679593e08fb2d4378faaf4160d45e3d276ba1aa8a174ed77a5791bcac46f28

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_danish.txt

Filesize
4KB

MD5
03b664bd98485425c21cdf83bc358703

SHA1
0a31dcfeb1957e0b00b87c2305400d004a9a5bdb

SHA256
fdf7b42b3b027a12e1b79cb10ab9e6e34c668b04eb9e8a907d8611ba46473115

SHA512
4a8cdd4b98432ba9d9b36bc64aab9a2eab31a074d1cbdfab3d35a14216c60752b5580c41bbb70104993420043685d3bd47eb6637b8fcbb3f42f76a15e4be041d

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_dutch.txt

Filesize
4KB

MD5
31a29061e51e245f74bb26d103c666ad

SHA1
271e26240db3ba0dcffc10866ccfcfa1c33cf1cc

SHA256
56c8a86fa95eab0d8f34f498e079b5516b96d2a2f1ad9c2a888555e50e47f192

SHA512
f85865c1e9ab45e5586d3dd2b45d15265193e8a3c34b6bb1ac7e415a1ea878cfb044e8e01012e917e4f00bb9e0a422f56253f328df1bac99a145e19433354cf8

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_english.txt

Filesize
4KB

MD5
da6cd2483ad8a21e8356e63d036df55b

SHA1
0e808a400facec559e6fbab960a7bdfaab4c6b04

SHA256
ebececd3f691ac20e5b73e5c81861a01531203df3cf2baa9e1b6d004733a42a6

SHA512
06145861eb4803c9813a88cd715769a4baa0bab0e87b28f59aa242d4369817789f4c85114e8d0ceb502e080ec3ec03400385924ec7537e7b04f724ba7f17b925

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_finnish.txt

Filesize
4KB

MD5
9e62fc923c65bfc3f40aaf6ec4fd1010

SHA1
8f76faff18bd64696683c2a7a04d16aac1ef7e61

SHA256
8ff0f3cbdf28102ff037b9cda90590e4b66e1e654b90f9aea2cd5364494d02b7

SHA512
c8ff15373b37e848e6239a82424569e77c82a5fc557d17e7d2ed1d0d2b2f7d026cc1e2bc98cb5ee945c02cfefb82803c23fa6a26f48ff0adcf762f94cd5dd035

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_french.txt

Filesize
4KB

MD5
10c429eb58b4274af6b6ef08f376d46c

SHA1
af1e049ddb9f875c609b0f9a38651fc1867b50d3

SHA256
a1f6ba57ee41e009d904905c0ce5e75a59ee6790e08542561303109e1faafa13

SHA512
d8760f61760bffd8671b727d386ae220e7e6e68829a01553cfd5eb60ef8bd1d7c1b25e7b17a6db5bd17ba6712ef44999726764459318e784843c73bc4facaf46

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_german.txt

Filesize
4KB

MD5
5c026fd6072a7c5cf31c75818cddedec

SHA1
341aa1df1d034e6f0a7dff88d37c9f11a716cae6

SHA256
0828572e4fa00c186dbf1d9072a6154d65cb499c6a37e338f3305f77a2fee382

SHA512
f9d28714b2a05f8d9025f1692e4d7e8baa6daf6176353f65646a38814a242ef2adededa44419edd69f10cf96ffba506dab7cb6e52111457bf69cffef12174b12

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_greek.txt

Filesize
6KB

MD5
189ba063d1481528cbd6e0c4afc3abaa

SHA1
40bdd169fcc59928c69eea74fd7e057096b33092

SHA256
c0a7a1df442ac080668762df795c72aa322e9d415c41bd0a4c676a4dc0551695

SHA512
ce59ad9b17bab4de1254e92ce4fe7d8c8242832f62ab382e8f54199a9932cd11b5800cc33895441426373d5210cc74104e0271b721a7e26ed400b716ae4d5903

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_hungarian.txt

Filesize
4KB

MD5
18aaaf5ffcdd21b1b34291e812d83063

SHA1
aa9c7ae8d51e947582db493f0fd1d9941880429f

SHA256
1f45bb7bdfa01424f9237eec60eba35dc7f0dc4e8c2e193fe768fe96d3ff76d5

SHA512
4f3e56d1abe26b56d3f805dc85baaca450c0c7bec57ebcf8a6bb6ebb8588307dad130c83bf792bac76694909a14fd6a4d7d1e9b31e32fba11256343b9fc18154

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_indonesian.txt

Filesize
4KB

MD5
1514d082b672b372cdfb8dd85c3437f1

SHA1
336a01192edb76ae6501d6974b3b6f0c05ea223a

SHA256
3b3c5c615fd82070cc951ab482d3de8cb12df0b3df59fbd11f9d3271fa2fbca4

SHA512
4d41c945ce7c94746875b0dbceb14811d4966de4e97fe047406a304162fde7e1e2a16367fc2e43978e2e5aa66749f036b4444aa2312673c2cc3af296e8b77f55

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_italian.txt

Filesize
4KB

MD5
8958371646901eac40807eeb2f346382

SHA1
55fb07b48a3e354f7556d7edb75144635a850903

SHA256
b01ec64d75fd1fbd00fbeb45a3fb39244911a8b22bb43de4e0c03f205184f585

SHA512
14c5dbb017822336f22bf6779ccd4a66604ddc5f2c3caa24271e96f739fef007754d96844efa422d6682cbcd2d3bc902c36f0f6acb3eb87ed8d7b3f885973554

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_japanese.txt

Filesize
5KB

MD5
7e1d15fc9ba66a868c5c6cb1c2822f83

SHA1
bfe9a25fdc8721d7b76cecb9527a9ba7823dc3d7

SHA256
fc74e26a8baabbe4851109512d85173b75dbf7293d41eb3b92a1957a773c8265

SHA512
0892be14a858cc860766afb1c996b2c355108a7e50971ea3ec00d15069e919a6eb05a61fa839bea3938492c391e274144c5e248f4c204a602bf36adf27e5b406

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_koreana.txt

Filesize
4KB

MD5
202b825d0ef72096b82db255c4e747fa

SHA1
3a3265e5bbaa1d1b774195a3858f29cea75c9e75

SHA256
3d1399f5323a3ece1b1a8b3b31f8fd7f50c3bd319ab3f1c38c6e347452c95314

SHA512
e8fc7cc09f431301d22a07b238179ee053505090e3c4db30ead061513fe7159f1fe8b80efc93f4597fe00f01087bbe0bb2231e13693d72c8def138657cb91566

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
56481b2d776434037387029d4fda6921

SHA1
b08d5222c550c6fb8fea8b80d76cf164a399f055

SHA256
1ba356353bb4ac767b6f1b4863591462d3f9144f810cd89477ea71c6f489ed13

SHA512
095526f6b5c062941f69d49b357415d97a341c2430d95de7b9af52d0a7a6c8dc04be697d249f6f3a4add2c2add57ec5b2580f9f78fbaa0dd0161494bb40d2bf7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_96474DFDAAA4DA155B35CBB9C4E07CAC

Filesize
472B

MD5
d6206a6dfa0e82b015c3434848b243cc

SHA1
a93f30507b74a9ce01598269d9c3b0968bbae24e

SHA256
0375e9e6d3fa8a6a1ba7ea3dc936f3bdcd2972bb3beff2154a865ca6982e9f30

SHA512
cb93789f27569a77e6fb3c77cbafdab21b65f2ae97d77cc42580d47777622abf450f80df8c247b74ed22a77d5a8927229cbbc3fb67f8694d301a6cecb3aca765

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6DA548C7E5915679F87E910D6581DEF1_AFD0C460FA6EFBA0BD0D581BE830FD1F

Filesize
472B

MD5
9f560f8727abe60dc3dff349897209d7

SHA1
51cc9fff789ff588d70275cba868809dfd090b1b

SHA256
222f6a34228ede3d2f836f599e06f0dfb5229d901f3d2e13612f0d6a5e8119ee

SHA512
56858d906d17520f83b31041339772d4478b8646d9e36afc7ec5bf627c0261aaafaaeed2d99cb14fe544c8ae9b36bf42de3d3b908c6166200286994fa2e27a8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_AEA082C1FAB15D440B533435EB67468D

Filesize
471B

MD5
524a2958de8d546c38b36c2f9d9108d5

SHA1
ae06536b7fb662e1e9a2369156a83115120d70d8

SHA256
51a367a398b28cea7fae34aea77984999f0b57ed16ef428bf208e80067f72050

SHA512
3e8ee4263cc164db28609ba6ff65d2f3b13a20a67be5c96f2aa28f7b4d6038225aac0d37386ca5694d39f7aa65e34831da42f5230fa2de139b471744220d5efe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
fca6e2ab1eb3b08f195540837298ee87

SHA1
d33cefeb04bb10b3c7afa784213403c7a109029e

SHA256
390c38255552d307a7594628cc9dbcd889d92b489abe831447793f1f1436d9ba

SHA512
b5dea5ac1e171b58d64eb9bbaad1420013b24c0c9b73a6adf60a78bee554a45588d1d1fc1f5342a156dd5df2f2ef88aeb423bb05696943f0ccc2ef691ac98ef2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
4dce92ebea7d54e1511de41c4f478762

SHA1
4811224a114329c9b1d13fae3655a54011e43906

SHA256
4b1f14181c44402e545ddad6d54c715d16e54f1d4322143b89c114bd95f37489

SHA512
7bd8cef566989fe8877aa3a526306ba5b4dbbd8cf1c10ad32a30300f2c3bd685a53704c027db05255a417fd7ade1188cec208a174c1933ac01e20814d510d487

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
d06457d8bc6c7ebb24531cc07b3b62dc

SHA1
ea2cf65520c79fccd657c5061c1c30720d5f32c0

SHA256
1cdc594fc1bdcd7023e771e4e0c3b6a65df973933c4181a73eacdcedc7460fa6

SHA512
bde7d4d85cffcd3a2c68548243947d6bfd3deaea444bf6b06d2bcc3315848d05cea2a51d50edd4390dcd23343911cf9dc5d22721c10173bb7ba9b91fcdab4d37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_96474DFDAAA4DA155B35CBB9C4E07CAC

Filesize
398B

MD5
1d04745a6cb64c3beb78dffff26ba4ab

SHA1
2ae4c3ce9cdb0153298deb547206e2966c174016

SHA256
75c5b1bfa451d025ed7d86c2f6d8aa1543e0af3e7c429e9557670a111afaa22a

SHA512
810be67b6c1738c5c8f6cecefec091ce56020eaa208e5557c15a8c8db1d887ac4474abd0dc92a94ee3d31a7c015719a19c2c522caa15921de89b8fcad84a6b19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6DA548C7E5915679F87E910D6581DEF1_AFD0C460FA6EFBA0BD0D581BE830FD1F

Filesize
398B

MD5
0841d482aa1d8a56872d62893157776b

SHA1
1bef43c6b9f8f3ffff777996e1dc96fb4bdf9479

SHA256
6f1f4940341a5cd5e3cbdcb217fd00192bcfe741938337dbde7075ae854fc632

SHA512
d8ec3f048c9ca567122cd292ee8f746c1b41a9b60f32455c71fb68ed497678011bab985a41285d413b41376861ebe3250811f8002ad0124df08ce9c810624bef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86869f8fcdc795a6e55e1919c50ef447

SHA1
f230550043e3bd287dd0275f3112abc9240beefc

SHA256
39800ad0e7496b66e4794cc524132929259af187080fd06f465fea496f666f2f

SHA512
ba81229457bb6778a73d14b4e7248f4ab6037a1e910254c2e99c3e3aa779733553df0e8f5064de2be04cb842ea3f23e5267b2e894c5ea83504c2ad37cab03f72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f62ab2d1ea9564cae18eddaeba21e0a9

SHA1
1246b831727c1a4f576ba3a1af9877296f601bd6

SHA256
8a0d31c5bdae9f5d3cbc05bd4290b4abaa72193e4af56994189f16d9e43f2ee1

SHA512
74a0fdac603343c38ca23ca31c9c96ff4493a7de6a11ae855baf85663368979cf527aec1fa697e1e5e13c98ca944d0f72a19d19b20d210ad1a0b5b9db2397ee9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4133483c9db450478e455825351ae992

SHA1
5968f356b80849d9c88ee4809131821ede4eef56

SHA256
d8da55f82fef9a23b5ec0a44becc4a9e942b52434e0cad399422fbee2071fe72

SHA512
c279c47686a51d3cc4eb6e4540bde5c4a456bc0750b1ab4c509750e88c388e6593dd67fb4ef767b543541e1bfe8907a513d005ad7acf969ebbdb1c1e17c6b721

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b3f7a45b0235fc5c8655c2ad21c4ccf3

SHA1
fb5578fae66430a0fd13da54b7afea2e257889af

SHA256
0a6d2027682f6610030ea16ea90b157e5974540d9d9c5ac0d8b4874257f7e8ac

SHA512
02ee185bb445ecc078b20eb682550f5a8e274ee113d21bbaf841c9dd9851a24a170475f02acea74452f9f880d27e843f2adfff58228e98814452a51b71a005a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96b3e9225ffe9e4dc767a653cdc90bc3

SHA1
5b992c33b5e87c19388b73bf7a358fc56f903acb

SHA256
0f421770f320e80bc1636cc4a9cd713918276498067b2a210384ef47ac7a118a

SHA512
39c34bafd407ce2b42f331df7f1e2f5f80b377ce3cbf87e926aee0f50e9e78b0756d0c5dc030bd354df4db90172601d152b656d3a1ec99c8c8e54e611437dcfb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f380ff4f5c66d36f161041b8bb95769

SHA1
d95923ad0a172bff02ac36c503aec05d7089b625

SHA256
a81a2b97e0a8edf9ec737d7dedd715ade036a0451ac6df25f6f1b8869cf9c064

SHA512
ca9c67bedd58f186dec483298c4c03e93f786332650ecac67138878225af0982ef73ddeee6bb70b56382fff49e068936316c29b1097b3b6fc63042ee21781b5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efe1efba59984aabe0014d11a9e049f6

SHA1
251f07476f90f6ba4c18a05e9f6489da35cc2c92

SHA256
49bbaee49f8687cb54d90a0f1718acda020be31d1fcffc8a0f5539dff35d288b

SHA512
64ab508566ed7dd8331d4c1f1c9772158a70f75f3597fb974470f449f6f7914b215487e7335d726e35559fb41a6a370b8e0d8103ea977a2532017bf55b0bce23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2737d966b8d0b73449faee1f320011a6

SHA1
e367eb3fedc16d5f496e2bfb75c7ebd12e0f5344

SHA256
5845f70ca7cd3e444e0710d84eb8378ea31f1192f025006365d1ab7cdca9ac71

SHA512
df7f1f8f30de455d92e30a6365e176b72791e1cb09c81514211ff517df1f9a39072e9607909b2d9fa9c5ce3b090d4a14eb3e20383a8f92d9e06be28ff8bdd09b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4afa93c6aede6d5cd58733d5a9d57cb5

SHA1
dcb546668a1176f4d95549ddc2af0ebbcba746de

SHA256
6f8df66af491b828655ac9ae46c7e3d3cf957d9fac9ac3af9cb5dac0cd84ec4c

SHA512
151563959baf56565b4d7806eace6ae8da9b79c985dfe8d08d6a92ad9d68fed56d32e9553c97828907c5a95e05ced311e5031986eb6fc5e36e207b0ef689076e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7523344b0d957a18f49baae6dfa18479

SHA1
25e5559a7c3fe2ec1c117c405a34168e3dcddf90

SHA256
8f43b11200aced1ff72edd1c418faf24c0cb6486ebd0fe905daaf0a7f94c854e

SHA512
93ece8c8d4865bf49e56620aa77db191a1b04a56397d9836055271582b34d29cf7920056640d1358bc2a6262dee18c949bde4f71ba32dc74e12bb23165f345e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4cd13d39aa14e01779e6e1a5b7662bf

SHA1
e75719337a277055ad34ea4fed6dc213cbbd2ed9

SHA256
a0147e0f05bd1ec4d5e4c53615c2f4945a9d532c3b8dd73bb3c6b87953275038

SHA512
97c2765eeca8d53f0d90c3302faf1f8a770094c47c96299973cc771018318dab0ec83f98d312115862939d92f8d2bb0c881e42ef37116034c873431f7004ef09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9494cbcc57126498e61e2bbeb814232

SHA1
7548fb96b8ea1198a2f9b24775db6a593d1312fd

SHA256
fd216f064b3a7f8749ed28cd80cbff0aff79aedcda4eff5f5f11f1812c63cd51

SHA512
0f412ac5e324214b0f51fdda42a53a857443570c0a4f216b0ac7862c68204947d92db83d2253d5d3230c50d86279b6063cd569440cd38c9aaca1087db8cf1ea6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a218931c3d838a628d42f59d009c18d6

SHA1
8a556d51bafd2121865a8fba52026f9716ddfa99

SHA256
e8e9c4d0d8f4e42467779167b6321e6d37fc17bed056bdb2e0eaf4546117ff98

SHA512
add75d711607675ba9a3a043819766ca2c089b721ac7030c67cf76e731ccaddccaedb7739faa27eac2314daa1e6cdfb372ddda18fffbd987924c9b38a0793f0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5dea645ee352a695a144a4e832ebc8b3

SHA1
1967c0fc24859c04d4b3d791ba3945232b719d4a

SHA256
1e5daf71e0d2f75d5f276e15f43399aa6f74159791abc7588e59fe29a673704a

SHA512
285386e15c18df9b44bae5c20720afc142b112d9153663bbf5ff3d4412f923927c636706b55232eb02eb3fd75ad6cf4155764584360a2f83f4cdf52ae6772c29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b28b1e37faa8f3cabb3e1cd9b58e9cb2

SHA1
d28856e312d407ec16d42163e627b2059dfcefb9

SHA256
751bedf38d674e4eb2870f73ace87b72691bf638a2e59efd937b0daa7fc25129

SHA512
c38690a27b2e11281cecbcb336dd83dec096b09ebba43c97af94af864fbb1787872f771ca4b0d376f9e7948ec3a0ce15624f37cd445df9ea39ed882099a203cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc9340c75b5b7a800fd79ad675bdb161

SHA1
a13b40cc4f53813786b7790b5b8145008c2de702

SHA256
4654b06ff1a1b7844692a1174300288110ad857c5c958b2f5d70483a4f359d9e

SHA512
a07e19ebdaa99deca6325a777defcd60a186aa772199cd225addd93d35ce1301b8f57b968ea646ce75dce739eaa24782e11882c10d2deb12d7a7aecd4fac6601

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
121c95c544b51c4380442df71e4ccdf4

SHA1
2faf2c061f5cdaa196b4af9d69f403d68f5a4f56

SHA256
8079cde1be61c3eed2ea00995e281ee9b82bbfb51366a2a7973730f92e29d965

SHA512
aeb882fc37b67f8e0f0d382fb4b1ef54f36c20b128ac23896cc63c3d6b661e8c75c01f6306705cb067bf946f8b6a6690332366a7ea83a2dd8824f32480e2ff98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
292a121f64b740fb5bdafcbffe92c22a

SHA1
f068bcf940b5e98e3e9bb2ea2fda5521b5fe67b8

SHA256
1e4c2ba1d33e0e58ef7ecfd61a28ab9d7d0e043a2f30c29f77ec7060cfbdfa60

SHA512
98d32ddf0ca276a6ad69f11ec8cddc9445b200f3a0e0f4e32a1a131f691fa6ed4b405e666cb1fe27b27cd358a76a514dca51beaad6ed004a589a28fe2870693f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41bd5e2c0aac33c566d9971f281c2a4b

SHA1
10e83d775576fa912fd19bda9947649d7869ada0

SHA256
82a1cfd91702de1b7e9f1fa45505640f4d01acb9e508b88cc1fe9798c139c05f

SHA512
3c2687461bc539564d7e2591b581d88dd74d3378d1b7c8e9ca901c7d0251bb6ecf887efcef58ceb8489b32d5e8de20c2fcbc3a21b460eafb33bb142d173600d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_AEA082C1FAB15D440B533435EB67468D

Filesize
402B

MD5
e9fbe2f2425442c43baaf9fb4e63aab9

SHA1
6de5d9d6798505a0136aefef4b3e5311202db496

SHA256
929a4d588a21fe4eb10c5481d3feb590761b81b4dba03286da31ef8c3b03a160

SHA512
e3f3e4b77f755fb970a8da71ea58c9b2eb1a1b0caa0e5ed7b0e48c47f0368a28c7eea0ff57d0c7f04dd83af2a68e47b679adeb03ad9c0623da32890c277d6f8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
596d0bf9c5dd6f8a3225e08065ec73ca

SHA1
dd44766343c8eef8cda5b34bb6e638cc67db2e0b

SHA256
67fa4b5108f295ab75c6543fb7c9bd489300452229e7c07e2436dbfb924db5db

SHA512
8feb20cce152f56611082ac379313bfc1f6e7a137596296705ced2bfe73c834430402e4784da99edde401861a49deb3f83855eb5ca48f77efab31970340adf13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
215KB

MD5
7b49e7ed72d5c3ab75ea4aa12182314a

SHA1
1338fc8f099438e5465615ace45c245450f98c84

SHA256
747c584047f6a46912d5c5354b6186e04ea24cf61246a89c57077faf96679db6

SHA512
6edf4594e2b850f3ede5a68738e6482dd6e9a5312bffa61b053312aa383df787641f6747ac91fa71bb80c51ed52a0c23cc911f063cd6e322d9a1210aea64e985

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
660d0ff1977fbb3cdbfb544142af0e6d

SHA1
45d2bd62d96e8a6ab1e460fa2d781a727bd0d6aa

SHA256
53290797b023d266d9420cc0275ee3751ac5b6e551cc0d820da0accbd2bed78d

SHA512
fcb2f78b35b9b42b1828bfd9dfa7a575eb4b8a8054f38a90025a66a6eb65ec2fda60ac18ab3dc1b0c2207f7e6d67ed09c7a7c8c739865c23e8c2bdee1b7ded69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
9ea14af65061c1c2ce8c9eaae44411f8

SHA1
b5fcf9f946ce69ad044d07203bb666da822971d9

SHA256
38d6c19c5c0d4ea0e2452eed51d3457cce3b705507a35f79a7ba3ced90d0b111

SHA512
64060f16affc25cf8549fa537fa4e66b2efc185af561d92d04c85779dae023bb56860a86b659d2fd924f16aee06a893bbaf4e12d372c168638b4fa6b662bef8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
46c1e4366cc502fb1ebe09d170959cee

SHA1
e5d0cf8e7e5c7d464d42ce631fd6a5fdc00cbf42

SHA256
10f11a6b2de1b7af63274f842bff819ddb9586eb4d877701c1808276007ecd16

SHA512
812348dff1006cf3b48b8fc3e540f5d7e64d4593c5e146cc2c79f039e1719174a413ff89f80d0b914e27f742ece86e99dfab9e3eb31c21034fbeeb5810b2fcfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
32b73cd0b57b3013a93394dc6d06d0f9

SHA1
2a2d9dee77eacd8e58579cd5126686d21b674509

SHA256
842491dec1c0b54da3fd25845c93d451ff339b2572aa5fc07b8d603167e53f01

SHA512
c1fcd82346eb988786f8f853ff80cd5d75cf2b4f27e11e72e69594ff7ced96a184d553e5a4b1ccbf8050e23938d79b9a84c9d6542241122a18f2f02ffff59ee1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8f638ca6b8419093a628de27ffd40e7a

SHA1
7446f73cfec2887be923d12f353a71a54ae90c07

SHA256
133a94d01006c62fe7623a203ccaa08dd65eaf1271eee89f290c55ac1557f469

SHA512
45a102dd9d92a1dd0c2eb8634a709cfe6e677ae43ba6b56ab8b2dd11f4b8990117984b96842eab353621b3fbc2617b1296d5394b192c9bc2c20bee49cfdfa528

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e7a47b94838724723072da3f9c4c814f

SHA1
d475f945f2ae27bcffab675a7e2e9674b90064a1

SHA256
da86e7cae1d2c791e5040553920318dd9072f6f804ed764da99be13b27c61d06

SHA512
c62f2f7943bace5ee8eedd2f3fd94ad3e3faba4124dde0c63ff3b7826d00839e69ca092ecda8c20accb807d8155a38936130d1ca15d537c5eac06ac38b2c2f52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
347KB

MD5
bfaf1208d5cdf36df4fdc7ca2eb09373

SHA1
7a8abfa5ccb35f8c092905a289ae75b4b93c7560

SHA256
abe72380ab93ddd7ccd11731c12645e929873f0f9bcfe77d9e962d8cf6a65108

SHA512
631b62b2d67aa4e657444552e1de8a00984a37fec0ca0c9eeea48420db315851e3fe82a91b123c21621ac803a1fffb5fea9856af3de5e59c6ee70cc2289c821a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\d67ab6bb-7796-4e50-8744-5bec8b746af4.tmp

Filesize
347KB

MD5
4e3ce1007baa641d7fdbf3bbd1b1699a

SHA1
4df7c6bf44c6fbbb8238dbecada840030f586771

SHA256
12d142f5e9c72b767a4b5ef04ec1160f3b60d148d8894db5140994b69c7d5b6d

SHA512
9988bff34bcf3e1f181de0b92f5aa2dfd85f53728092e1bb33a22fc1830fb8757fa0100db2db89618343e2322b385901b48e55c76970156672c8c9e96250716a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\bl977i7\imagestore.dat

Filesize
1KB

MD5
5cc5611e07e61697861b73ebbd2741e6

SHA1
2743475ae4cf6afc74c64852bee645a89ad7a4d5

SHA256
4e60713f8abb39800f258793bf04adcd6914523b8aa77882390e40026c5c401b

SHA512
b4a66fdd16deb8336c8cb086b92ea3e0a4464dd2cbac9b1307d2a3caa11f4acee0121ceeda3ecf31e679a632bf9743d1ccfd1808242dbfd60370365f792c1d62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QS2MOPHD\favicon[1].ico

Filesize
1KB

MD5
f2a495d85735b9a0ac65deb19c129985

SHA1
f2e22853e5da3e1017d5e1e319eeefe4f622e8c8

SHA256
8bb1d0fa43a17436d59dd546f6f74c76dc44735def7522c22d8031166db8911d

SHA512
6ca6a89de3fa98ca1efcf0b19b8a80420e023f38ed00f4496dc0f821cea23d24fb0992cee58c6d089f093fdefca42b60bb3a0a0b16c97b9862d75b269ae8463b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\activity-stream.discovery_stream.json.tmp

Filesize
29KB

MD5
2b376cd49ff93732dd582fb0c41b9cca

SHA1
f8352d715c46323dfba8b31a83cf2e3ee42276d6

SHA256
b455da9b10055458cfad5ae735b1b20bdc49660ce2ae7cbb26cdb31c741f6aef

SHA512
25a2fc7213365ca994292d9ec2762c76ad104b7f0d01879d57bbb60dd2ec09e60dd0205be3ad6152a86517c4643b766399ddd0ab34b0d1170cd46b85d8290012

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\cache2\doomed\1643

Filesize
13KB

MD5
ea5b7e77c720f4352fc963a0a532f543

SHA1
5dcf1cdf61164b3dc0f3ca85db27707e3125071c

SHA256
9b74b9a656ad263be822de531f72caff12ae06d9f4ef1a4cd47d7fa08f7d134f

SHA512
8925a5321f2e51d6074bc8c16735f4e46f4302358ae8c0ff000cd34f0925116ab65c6fd6aa126a59f9752eedc63941d5722744f0f8680394c01066f26a1cb974

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\cache2\entries\0A644F36C60D19ED9660A7A8D02FD325E5DBC4E6

Filesize
49KB

MD5
d4d617c9353f1c1e3ed111f97ff4ca70

SHA1
df00c6c9989062b255fa1e5b51573327ff92a088

SHA256
ffaed3837c717dfce20ce6fe88ef7432e4c8553251804617f79ab4ede533fac3

SHA512
0e3ce0aaea576776c968dc1fc0afd6356b363410f6cdce9ee640030c563ee718e4de806c6e421da8209df4da41379637100c419dbe6396029816ccb36f3a757d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\cache2\entries\10D7BF3E79B1D3DEC70B8C003CD563EFC8634C14

Filesize
22KB

MD5
5211a9cf412cc4bb3ef746098f9442e5

SHA1
06e42f79c01299e68162c776a321018f52f77f41

SHA256
9eae3a05ecce35a8b89314b1869f0aa9123d408a1b3b95bd17ec81ba667ea14a

SHA512
9e77bee35ae14e6298f03bc50aee726b442290faa4333a6839c81f27bda8881c871f6b09dd8ba203f619041be5a113a430513867bb5eb14f0292ef41bce1614d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\cache2\entries\29A818845871DEE7E04AFFEFCEA681AD13A3105A

Filesize
83KB

MD5
52eeeef248459e3d787a4a338735f507

SHA1
c481cab41ad4175d5a1f690cac44d4a5c9686c31

SHA256
66453a4dd78673713ce10c95004164c7db9363b4cfd175914c9e6546f635fd5b

SHA512
5c02194d578994c65c3f3676ff698645507d5c9210f66e91e7c2fe71b9dc1960a3648c2b34b6f8ef108d233bd985a28011bcac3bda16eaf0ba0edbd91fdcb311

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\cache2\entries\3B4CEA9488E25F120C32DAE16EB4CFD018B80FDD

Filesize
116KB

MD5
ec229807857d5355f27fa83f7f853d42

SHA1
c392640eea238d138d640924ec26a3b827b9a18f

SHA256
310d1baad98effffa5740aba9319546c84d8f635d5a64fda23d34fa59f5c4877

SHA512
fcb797d5d6f6338a0b677afc2514abc399f38b966f5427f50332a1b3c693149bfe9ef1d0ef82dc96b547f9feb0a8a9edd995581f5efe7e5fe9de31c58cecf621

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\cache2\entries\C0041240D9AF8683185D2078F04A2ADFE9783E79

Filesize
389KB

MD5
9d82a8e389f4437709cef42a9e5225da

SHA1
d82cb99708ea0f63e7a0817b72311f71abebab58

SHA256
fae1eb069804519f112b09b9e13ead1faeabc52de38caf94484f219bbc4c85d1

SHA512
4230e5b4e794122ab8abd1478b8fa0804d0121e31b31b78aca97207a1bdd9111ce154b111bd4057e9f816a27cad120a9e2ac76becc88f03bef777efc59d2a13e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\cache2\entries\C4AF56E8EEB4D4A9A9C98E4F8558FFA7E43EEE8D

Filesize
16KB

MD5
d62959d2a9ca4a45f4d9fc8468de037b

SHA1
d7c5db453bfdba2e2d5cd1a12e4b4c7ed323b44b

SHA256
240244d67d0f136125089952a557b0ed647c7f32f1727e459038605f4ded79cb

SHA512
d2738396ca27e1b88f43a5479950b09216cf16427143535bbc15b1c087ccea78ad1f9fb08a6b98058d41c3a10978deb76eee5484091f8273146111431927db22

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\cache2\entries\E341BFF0045E3E4548552FF65C55A11E31024F9D

Filesize
827KB

MD5
805ae37850fae7928ae410b4c20fd48a

SHA1
3567178efec9815b28736348284f4ebcc1260bb9

SHA256
156ff2fa4a1f332635628b18365b7d05ccbe9f6d57e0a60fb64f79adad55afcd

SHA512
f4396717282c66327466464cd92cc954807e908c9bbc7d2f46bc3ac9c09c63c8f4a2cccd5ab02fe68aee8128f8d43090e764cd8f90bacd2f1e265953038b13b7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\cache2\entries\F8A6198E8896979125D772E44CB048ECAFF1CCE0

Filesize
159KB

MD5
7d5ce41dd28723a963ebbe5c0cd99d2a

SHA1
ab77b240f7d4e4170c025d2ba3aa436b98369530

SHA256
f0657983f1fd2dca24fc52c0ac3ba2828a45688eb9c32534256e225f45c3a30d

SHA512
7f19e1e785e3ac79c33bf6bc0b3c0435010203b59217830751880ec21e97d1a1d3dbbddaa50b57abd7edf39858e5f6dc422f4f440de3e6592b5e36e15c5eab51

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFB23.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFB25.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf28C7.tmp\StdUtils.dll

Filesize
110KB

MD5
db11ab4828b429a987e7682e495c1810

SHA1
29c2c2069c4975c90789dc6d3677b4b650196561

SHA256
c602c44a4d4088dbf5a659f36ba1c3a9d81f8367577de0cb940c0b8afee5c376

SHA512
460d1ccfc0d7180eae4e6f1a326d175fec78a7d6014447a9a79b6df501fa05cd4bd90f8f7a85b7b6a4610e2fa7059e30ae6e17bc828d370e5750de9b40b9ae88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf28C7.tmp\modern-wizard.bmp

Filesize
150KB

MD5
3614a4be6b610f1daf6c801574f161fe

SHA1
6edee98c0084a94caa1fe0124b4c19f42b4e7de6

SHA256
16e0edc9f47e6e95a9bcad15adbdc46be774fbcd045dd526fc16fc38fdc8d49b

SHA512
06e0eff28dfd9a428b31147b242f989ce3e92474a3f391ba62ac8d0d05f1a48f4cf82fd27171658acbd667eaffb94cb4e1baf17040dc3b6e8b27f39b843ca281

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf28C7.tmp\nsProcess.dll

Filesize
15KB

MD5
08072dc900ca0626e8c079b2c5bcfcf3

SHA1
35f2bfa0b1b2a65b9475fb91af31f7b02aee4e37

SHA256
bb6ce83ddaad4f530a66a1048fac868dfc3b86f5e7b8e240d84d1633e385aee8

SHA512
8981da7f225eb78c414e9fb3c63af0c4daae4a78b4f3033df11cce43c3a22fdbf3853425fe3024f68c73d57ffb128cba4d0db63eda1402212d1c7e0ac022353c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\crashes\store.json.mozlz4.tmp

Filesize
66B

MD5
a6338865eb252d0ef8fcf11fa9af3f0d

SHA1
cecdd4c4dcae10c2ffc8eb938121b6231de48cd3

SHA256
078648c042b9b08483ce246b7f01371072541a2e90d1beb0c8009a6118cbd965

SHA512
d950227ac83f4e8246d73f9f35c19e88ce65d0ca5f1ef8ccbb02ed6efc66b1b7e683e2ba0200279d7ca4b49831fd8c3ceb0584265b10accff2611ec1ca8c0c6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\datareporting\glean\db\data.safe.bin

Filesize
9KB

MD5
72dd7f59ed670c88ee55c399c86d77e5

SHA1
8e1e2c5e2076514db6298abd6191ead3b453407c

SHA256
191004957e2bd7ec5ed4d206b76314b3fed9cbaedc23c8099ff8a1e6cfbb07a3

SHA512
bcc8cfbf29e3f6735562ebf10a73f00f8305b5b0a67139db699a4560b512e6c702b5fed3858d813918b3dae74fc98fe98658b3e35d749aa9c3a52a5747842ee6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\datareporting\glean\db\data.safe.bin

Filesize
18KB

MD5
5204a02b6155e1690740e3af5fa1f8a6

SHA1
c3ae5cb0212007f65dd21001dbcb0899079645d9

SHA256
d435474c6f3616f8e0a3c946c43579a70b262ec7338fe3b8a29133a392ea1040

SHA512
343a7aa7c212502a5b3696460c0e568776e6dbd94bf0c1967e77387acd18f2575256a0b07f8a59466c0d9e4a96317684ba52e5a89e0395a02cbac6dec5030e67

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\datareporting\glean\db\data.safe.bin

Filesize
18KB

MD5
6024e260de993d321c21e35d0a09907f

SHA1
5feda21d18ed78c029de0beb37d5964d476defd4

SHA256
f2ca03ce83941fefab38fabe2c0942a1401a374af8f4372d88a12d32520060dc

SHA512
ead44643108ae2db606333dbe1b206e68ffa47cc8ca17afca23c821961851c0287a21bd098fa1d1e59facc5ccf4ef65b75022bd98d2f70f3329047efa371eede

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\datareporting\glean\pending_pings\48890bc7-b0ea-4246-b45d-57b7137f0b81

Filesize
712B

MD5
ea98139f612f623990e35c16f1e7b737

SHA1
5c61182e5e2219adfff43ff65d819e60e4da874d

SHA256
12718daaf72b18306dcbf5688016572d51133be7deb62a656b681cd87b3075e9

SHA512
941daf86940bf17e4607c8e329ebf24f3c934ddd1af2b51f96f875e9bd56c584a27568979e6764c3e1df6e32b676184c154d4c79105b56feac5e34f97f5c5bd6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\datareporting\glean\pending_pings\4cef8570-69c6-4fb3-a4f1-416174c71a50

Filesize
712B

MD5
4cbefedd95093e692bf8c60d754a0f1d

SHA1
15fe63b9f9539862a7603cbc2b6718021077d4ab

SHA256
b75d4686a725639d0f5812698f1510ae451a6df7c461330cd630f99e5b43cec7

SHA512
14cf0684fee7cf9558cd051526329bae2e54ad31ce3de712438521c50b8a859d8df9ea18ece7e048443c038d5f3d8650c5d89808718a7376422a9e7b58cc1643

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\datareporting\glean\pending_pings\5a2ee40c-fa79-4a69-a076-57b61b86d37d

Filesize
733B

MD5
51c2e2c8df1ca8de5ff80898d224a960

SHA1
0a88913cc48a2291ff219a8e9fd09411730e6a3c

SHA256
e63bc1dbbbfd5ec15ad866a7b144f694a86b43c8f9b545de636f889934b30cab

SHA512
a75a0310fbb26f3c0e259425d7a5ae4564284be81993a2e8278e7dcc26a058b05422fe1050c44fab782b38f42fa9a531388df2023994da7377d5351414a813b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\datareporting\glean\pending_pings\7d34f029-ab42-4bc1-8350-672a7d1ae18f

Filesize
679B

MD5
d8018b0a387bc5c487cf89a42b09870a

SHA1
20c705d0829c413925b53c5c675774a30290406d

SHA256
7b3082d25a1fd3b0003659524b8a52d727ddb84c7a06fc7e7427355ae96d4357

SHA512
db64c8d4503da27953228dfd72718006f9de53e98c316fddfe5e4a9306718aee539578a0a4f1cd50a103a8f7316e3930d6288658a727d3a9fa722b43a1215033

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\datareporting\glean\pending_pings\c72ed581-f86e-4ca6-a23c-0ce0efdc57c7

Filesize
1KB

MD5
55270e15170a1fb3e621f060c797cf43

SHA1
e0e86f3e188a1fca7df4e11c1c1cd6966035875f

SHA256
3e74927519c7018646042afa0949ff7b7d138d1cdb1075f93c26920e5a71cb66

SHA512
5a4ac25070de2d700c44f44514c5d9843b82138ef896dec4f35f859f62274989e467e3d498e11ed88b083517b803667b80ccc7403ec9b7b85bff64ea282fbc03

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\places.sqlite

Filesize
5.0MB

MD5
c33eb7914b1f3bbb210d4c7ca7a381e8

SHA1
505d92f9af2fcb8d5157d63f42a3ee994c2a5396

SHA256
6533a50d8fbb248ede6dfa9a7f0f159b10669d90efe656bf99ff3e2d77befee9

SHA512
37f3f1a7ebeb3624dc8550d4073494b9e6190e17108b404ec87e70aff58c886bef922cad779090c2c144af21ca5d83c3821094b33f28e87ec2648ae368aa2886

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\prefs-1.js

Filesize
6KB

MD5
71cddfb92b4bdc86366217f5f1c93ba7

SHA1
a8f99cc7287f6252ce7e2da92a8b4f76779ef351

SHA256
9e042adab99c6f0b33d774f5f5b19f96172d3b818ac3ab781b30941d99eb3f57

SHA512
b6f3deb888a007eb8096d258882a5e8027746611e946c9406f788427aa61d63a55e4f195e3060e9a57922c6e1ac900f188e87be845932f92ed0349babf01bbb4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\prefs-1.js

Filesize
6KB

MD5
eab5857cf5a4945767ba457e4ee53253

SHA1
95ae56da49e318988705eb1cdc81b86be71ffbd4

SHA256
a9318e731e1b343930ae2522508ed36135476fc84e579e07066c850eec950e1a

SHA512
0b937cec3173fea75d2ad01b1a412fc11a7f4e167c30df4bfa61207a649ca58104927bfa61261c6baf7d1b1922d00d40c844559cf9b29eea2f53361de484c25f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\prefs-1.js

Filesize
6KB

MD5
ec82ba50c25fe45df7afba007f89109d

SHA1
76d072f6473109092c83139aba9837458e9fbc1d

SHA256
f8fadc28f8ca6611353e2c6c8a5d9ef8e4703d255a563cc3dcb0f9c9f3e6ce5b

SHA512
931a10d7ff6054ccd10dc2b2b2d76732fefb6b4db1fe71544dc48351931cadf8ae41ea97cefe1e6502afabf6379971918b3d66a3306885def9084ab13222d203

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\prefs-1.js

Filesize
6KB

MD5
fabc86089dd1e66c4dfa130832df6e42

SHA1
e9269f7a1c921f7109fc0deefda148682f3ebf56

SHA256
8234e7d12e2214b48860c94e158ee533571a57a5dad34bf3182c3a67ae1c6245

SHA512
b6155d8d778342f813d55bb88c00fcd3fee06f90ceb30165798941a45108fdd6d9c3e73c9aea61a6501846279e044b43b67cca39777fcf608a121a5ce6af51d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\prefs-1.js

Filesize
6KB

MD5
f7b898fbbde4e9cd81866fd41054cfc2

SHA1
15320403e676e3f70f25bbfc299bd78ab4c664d7

SHA256
bd334dd6f859221091bda1e475746295255c6a0d2d4b2e2e11fdb9c0ec486d0c

SHA512
b807481d65111cf1d9846df981187dd4f631cd80afeaf8809e21dd153f76d953343f1d2a48e7d97efb415793118522320ef3168675ede9aa7e659062a0a87884

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\serviceworker.txt

Filesize
155B

MD5
3418991d680533a285650c0a9ce1d1e8

SHA1
59e842fe897f616745c7ed5b4bad87a8df388cc1

SHA256
7ec93d54dbe54a1ef99d98cdfd6133ef4a5122f8a004dc197b073e58a0366296

SHA512
2a8acd4879120e2d44d64ce37958386c26d781d92cf61218613bdf7acefcdbcda56c22dafb8852c442623dc3575aef541383486941a9ecbc7c5fe6acc4a31a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionCheckpoints.json.tmp

Filesize
122B

MD5
99601438ae1349b653fcd00278943f90

SHA1
8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9

SHA256
72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a

SHA512
ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionCheckpoints.json.tmp

Filesize
146B

MD5
65690c43c42921410ec8043e34f09079

SHA1
362add4dbd0c978ae222a354a4e8d35563da14b4

SHA256
7343d5a46e2fca762305a4f85c45484a49c1607ede8e8c4bd12bedd2327edb8d

SHA512
c0208d51cf1586e75f22764b82c48ecbb42c1ff54aa412a85af13d686e0119b4e49e98450d25c70e3792d3b9c2cda0c5ab0c6931ebaf548693bb970a35ae62b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionCheckpoints.json.tmp

Filesize
288B

MD5
362985746d24dbb2b166089f30cd1bb7

SHA1
6520fc33381879a120165ede6a0f8aadf9013d3b

SHA256
b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e

SHA512
0e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionCheckpoints.json.tmp

Filesize
228B

MD5
66bdbb6de2094027600e5df8fbbf28f4

SHA1
ce033f719ebce89ac8e5c6f0c9fed58c52eca985

SHA256
df49028535e3efe4ed524570624866cca8152de6b0069ebb25580fce27dccebc

SHA512
18782069ef647653df0b91cb13ba13174a09ce2a201e8f4adfb7b145baf6c3a9246ef74bdad0774a3023ec5b8b67aba320641e11dd4b8a195e1c2b448202a660

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionCheckpoints.json.tmp

Filesize
181B

MD5
2d87ba02e79c11351c1d478b06ca9b29

SHA1
4b0fb1927ca869256e9e2e2d480c3feb8e67e6f1

SHA256
16b7be97c92e0b75b9f8a3c22e90177941c7e6e3fbb97c8d46432554429f3524

SHA512
be7e128c140a88348c3676afc49a143227c013056007406c66a3cae16aae170543ca8a0749136702411f502f2c933891d7dcdde0db81c5733415c818f1668185

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionCheckpoints.json.tmp

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
389ee09cfa7132e0968821f267faac20

SHA1
450d85d731de8ef3b774ab565d1fbe90ff95ae76

SHA256
b5baa53b10afef15e7929091729c4fd6685c810c825242c81ecc91bade272cff

SHA512
1bf484412687d671140078815d838f332757a63fae9c30e5c139398876ec359cf7d3ef2ec61480fe456b39793f75f2900e88b65b14bb70c72a7b85db2e939a3f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
8750e79b709bc450f07f8ffe3549a569

SHA1
c68b5304091b06c3a2db4a498889ab36bd3d884f

SHA256
f9bf08b83281c7041d9f04d6df48779c53e04e2ec3eae9c6d2e82e9efa39e8a8

SHA512
8e695cf90a7c20f0a0e8b5aefa4a54ba0bd0090d3f79ef602dcc3369d1917129744c8d2aa61d2003673d81412481ad6da359bb23a929018c53953a72820ec3ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
77c413a5dbd6ba3e10aa630f3ed82ce3

SHA1
0467422c357c0f9ea315aea3682094de012c4eb4

SHA256
55426169c5af1e76c112aff84a984c04b846956f1844108504af1f8c70cc4810

SHA512
cc6de653fe89f601610c023f6e0320f7c76febca6339eb8cdcde116adcd2394ab8321ef5484af4210ee31be0df181d60daa915cab74c2aae0e6dd7a605878910

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
74f4181b7b4f41199c38d6f149d54d03

SHA1
255f4d3ca30e03a8197d2fa4ad70059c47434951

SHA256
9e6e4bb948d81184a69f1cff2560d56f1594cc19a270fcdc446d6253b4b782ed

SHA512
ec4cef9f8d3919c6acad4fa55abd0f612c158b84f48e6db798049791871509f9bfc2a30e2b673540f51f0947cd580b43c8b5a49248a76739f37b4fe8883fa618

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
1a286ea133c616246360459691ba6819

SHA1
0c0391c894e01dd2410091c5f972c93759217d60

SHA256
ce8055e1184b5120b2ebdc4bdd4fc622e9cf2a1caa2de6ffddda9a2c24364a8d

SHA512
33ba8424e2e5b6d948f7cb4daef2d763d169020d5d8436651cf51af1813a8db3a53faff65713e524477fa605f39a597f3f08e74a0f46b161eebdbf3ec37f4db6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
9918e1e70ce35c472a01fa313f76d7a2

SHA1
9ecb0e05e18abd41bf77ac1f51e4aa21888297b8

SHA256
e2226691981d5803286d4b426d071eacacd38c3329f2e9cdb335d5fa2f2bc300

SHA512
817473e687cac8dae360cd190f37684231b1aed5f0ddba8dd34bc080f1a0a060ea98ed58bffe908adcb42b01742ec45ddb363acfa1a013cf436503c24db621e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
51d8bb0eb8521cd8f7b43ee5413d247d

SHA1
b59ac1ab2471fc857e0c0439a1d429b20e6c95bc

SHA256
f20afcbdf2f9a064b7c80a7e5fb769f9f39e6ae1ebe4c423243a4b767849f210

SHA512
2f535ed35743e8d73bd2098e590b186be6453d53f5db1d4df7ebd83f2669618e0f217ffc890b79b16013a66976c027ce1cd8c83fa1ac1cdc41cc8da16962c2c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
50KB

MD5
b987932ea3e500c685b03a444428f066

SHA1
d973c89699260399fb7f376fe9382912b78336a5

SHA256
4e6d4afc32241c64077445acd209e81c41ee9374e25ff6f6c9cc07680bcc40d2

SHA512
f38e1e677144d48cf61302e22729f582930a9e6af5f73cd2a539b834e320b8dced9de51600bdc75bc2c48a760afd04e59854381831a756738fd075a7e25b54c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
69717086b8910b3f0fe494aeaff6e9f2

SHA1
399781db37f17d8e20a8c4d424999d4674c778cd

SHA256
d92c9cf15a627b2c0d842da1149a82026ee7beb743c795538dcb4ded1103b6f7

SHA512
cff4e4d98832b832a7235856a042bc804bdef1c7703fa517bb038079b4032e7ecea4bec9c05a1dba0fa4d4db76c34c87066b51e4418c36462f5a39e670142efe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
59e06d6d7f3701638682c6e783623fae

SHA1
2d896ce0c13f2f49a3b1bc267331722efef83319

SHA256
941c1bcd30d6015421b7f66bdc3841f7229a3c2e02745d23401d05b69668519d

SHA512
4861d9e2f0be213f5d7b13d80f0c56103be5770a59627f7f1c89da4fa08786e625d8c680a9ddd4a051424ebfdbf5f9b2fbbcdd581bf80f43dfacd48ea1b704a5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
51KB

MD5
1ee34258ad03838935b1599cba274743

SHA1
996240dc6f018bb67cf34d8c8800bf9c5c6426de

SHA256
edf285446cceddd6a722cd1d19fc507a67a17d5263b99f41991d7e0f9ff221d6

SHA512
c10604826b3e787bf06f59897c35b56c1490c2f439e0abe8b0238cbc43a90ebaa3662146b5f6b7fe5a8147a8bb52929030b1809d0d26de9a1df5c3f97f26006a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
51KB

MD5
f98bb1699e40d21a06e838e2b476bf0e

SHA1
356877610bf04e26b2cfdfeae4831d5f0df8f7f2

SHA256
ae18c8e9500196e11d7cd1ad4dac72750a7ca77c89cd7b56ca730cde44239f59

SHA512
2c802d922693acfb5ffb70dfb480c9d2c80a82c976c33019e63e27d3234751e5d9e3d919620deb08b6be332fba4c51b12375d835289d3f55f0e670e568134912

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
a75fc1cde79510490ba8f5ff28b8ce8d

SHA1
c4d0e80955c88e5dd04990a562ac4a7508f4c594

SHA256
02fb6f12c34f27cb60d0c18f3b2ed5e18963e74b1b48859c7f282c02dcdb3f3a

SHA512
c3208b68e937e6f3820a95efbb005a78b76cf528f1e0acb61d9f5e1125422778a90558a922e2c32d53347c8037ca38d195faba1e4270551a9b2ccfd72bd050b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
51KB

MD5
a315e55b3a416136d30f552949f37da3

SHA1
22ed898e6b3ef177bd9eb0d6dfaec1ff4ff59378

SHA256
b432679770b5d9e9d04e6f4a25eff16d4fca2c3ffaa25969715a98fb15572bb9

SHA512
1e514fa6966c0bfc3964488095373af6cadb086d1fbfd502af6dfe2907cd6e20b2fdf4513d879244602be6dac3f4483ea724967f802f5259b115b6cb9b2789ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore.jsonlz4

Filesize
2KB

MD5
92fe2f7f6f41c055d9ae8b50ff4cbee6

SHA1
7e8e3f2947d7380cde5b0762540035d57ea4a78f

SHA256
61e956605d0bf094e6ea165b19e1b1dae3a5385362e0c5516ddead87469dad0c

SHA512
d50a232fe1550b148a1e6802004b7f772c6b1829d809a7c8c79f3d774310746f6cb07c21956dd17d4e06df6a3c1b7bf8191255e4efc5300f5d0a8e64ff9639d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore.jsonlz4

Filesize
8KB

MD5
9d52616dcadba8401a96494385a61960

SHA1
3a1dc52333897c35c204a88ac1fc5fa66ad0c19c

SHA256
808210dcf4de54d5a8b9974f344345470f903bc6e41a3718cca0388a53c1c217

SHA512
b87b2454d8d827e3d685834eac08e716def707b9adb02023e33c38a7f55a0135613b11a7519457f38d50c69dd1aa2b9ad582c5c6fa1582d6cfffb72ad3df9f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore.jsonlz4

Filesize
50KB

MD5
26b11490dc4e131124ae7651ff2a2fc6

SHA1
6f68e7a64dfb4cce319265b193e04e5224393df8

SHA256
a561768dddf93a2ba71a98c23ffad5a0b7ef870c383f092ff2a95b7c304742c7

SHA512
35b32e860cc0a17757660099a5e08907090c704d0271fd1aef204671b53188e030ed498005a9ef9b751fe4b53dc46b7608ede7b8cc55dd11db4fb4eed8ccc0e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\storage\default\https+++uk.yahoo.com\cache\morgue\7\{6568b178-0104-4413-8a99-1e3a8c37a207}.final

Filesize
11KB

MD5
b9896f77c2913d917f4f62b4d0d2f71a

SHA1
6e561abb9d3ac49a84dc518788edb19d89b6dc59

SHA256
6aa7636b6e746df9efa2930d1c11f9b20d20b86fb4451882948daf1420dc3229

SHA512
72cc7f8d9cc8dd586d5ba539cbf41b657b3ce7e5bdb799ba9a38e14199c75b2824ee3f67fc7474ce9db8a9495874815a7899fb4038e9a5e8f243a6b1f38ccb60

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\storage\default\https+++uk.yahoo.com\idb\3643735545ysanhooiotNaoctiif.sqlite

Filesize
48KB

MD5
3e3f69f674ab2d29bb163b51e3de8e94

SHA1
f741d2246a9bd0ff30267e4b76efab62461ac4b3

SHA256
96879b96a1171ed8f71460a72e827a34e79302bbd618da95347e4bbcdd452325

SHA512
cf7c12d1e39f6ef9df3db613da6aa887316e0c612952649414dd9c5e23ab4944df0dd15ebe8a855c6fa5093d3ae679a9fa4eb6a77a8b495ce9ad277afc04a26e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
5699a35195c7237900a21c5c9f9d4fb8

SHA1
4b6c3f2a93c12d909e132ddef6c975132e7faa30

SHA256
db5da8b2172f90267285a998d144474bf1154c70cb0eb7530885468dd5225fba

SHA512
3baa6ae405497241c8650bf98b2526473598eeeff6e71f5d94c9d6d06b7e7f827e4bf4c7d9017e80afdc3ffbf38c5af59729c0c2f4624d90e6573a3ed64cf17f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\xulstore.json.tmp

Filesize
217B

MD5
c64c353599fd3ad2e43607fcb5b4ebf8

SHA1
d47b687df6f60fab3f0b32dd20d54258b2b645d9

SHA256
c92da016f56b7aa125d9735490a7421c525e839d1e34c130d4f73915b08c8b44

SHA512
c5e25b4206a027d28ac6aae3fd31b9dc020febe33b7036885fb94d39b7378f3bf1d7f6df9902c372de1ea9505e7f4032ffbbf394bafc1cb87ed3b20fabae7b23

Download Submit
C:\Users\Admin\Downloads\SteamSetup.DuZH4hLC.exe.part

Filesize
63KB

MD5
f39f0dda75c63d232035061c76731ae5

SHA1
7a898e60610a619f7538f47cf8ebd28c05582113

SHA256
5e7e4ddc1d338955e5be71c5be431ec968a65d950f5d9d6b242d883ffef28097

SHA512
337782d6a30a031e18f0fdaf5394b34da50bfd2c8724b35efa801ab694dac026b106b5abf6238018253502a3805110fd3a08a144de97fbfc471da4bc3faa19f9

Download Submit
C:\Users\Admin\Downloads\SteamSetup.exe

Filesize
2.3MB

MD5
1b54b70beef8eb240db31718e8f7eb5d

SHA1
da5995070737ec655824c92622333c489eb6bce4

SHA256
7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb

SHA512
fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb

Download Submit
\Program Files (x86)\Steam\Steam.exe

Filesize
4.2MB

MD5
33bcb1c8975a4063a134a72803e0ca16

SHA1
ed7a4e6e66511bb8b3e32cbfb5557ebcb4082b65

SHA256
12222b0908eb69581985f7e04aa6240e928fb08aa5a3ec36acae3440633c9eb1

SHA512
13f3a7d6215bb4837ea0a1a9c5ba06a985e0c80979c25cfb526a390d71a15d1737c0290a899f4705c2749982c9f6c9007c1751fef1a97b12db529b2f33c97b49

Download Submit
\Users\Admin\AppData\Local\Temp\nsf28C7.tmp\System.dll

Filesize
22KB

MD5
a36fbe922ffac9cd85a845d7a813f391

SHA1
f656a613a723cc1b449034d73551b4fcdf0dcf1a

SHA256
fa367ae36bfbe7c989c24c7abbb13482fc20bc35e7812dc377aa1c281ee14cc0

SHA512
1d1b95a285536ddc2a89a9b3be4bb5151b1d4c018ea8e521de838498f62e8f29bb7b3b0250df73e327e8e65e2c80b4a2d9a781276bf2a51d10e7099bacb2e50b

Download Submit
\Users\Admin\AppData\Local\Temp\nsf28C7.tmp\nsDialogs.dll

Filesize
20KB

MD5
4e5bc4458afa770636f2806ee0a1e999

SHA1
76dcc64af867526f776ab9225e7f4fe076487765

SHA256
91a484dc79be64dd11bf5acb62c893e57505fcd8809483aa92b04f10d81f9de0

SHA512
b6f529073a943bddbcb30a57d62216c78fcc9a09424b51ac0824ebfb9cac6cae4211bda26522d6923bd228f244ed8c41656c38284c71867f65d425727dd70162

Download Submit
\Users\Admin\AppData\Local\Temp\nsf28C7.tmp\nsExec.dll

Filesize
17KB

MD5
2095af18c696968208315d4328a2b7fe

SHA1
b1b0e70c03724b2941e92c5098cc1fc0f2b51568

SHA256
3e2399ae5ce16dd69f7e2c71d928cf54a1024afced8155f1fd663a3e123d9226

SHA512
60105dfb1cd60b4048bd7b367969f36ed6bd29f92488ba8cfa862e31942fd529cbc58e8b0c738d91d8bef07c5902ce334e36c66eae1bfe104b44a159b5615ae5

Download Submit
memory/3116-2632-0x00000000031E0000-0x00000000031E2000-memory.dmp

Filesize
8KB

Download
memory/5928-15354-0x0000000000EB0000-0x0000000001362000-memory.dmp

Filesize
4.7MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads