hxxps://drive[.]usercontent[.]google[.]com/download?id=1PE9LkbQQO3YWkl-udhirUT4ukrNTydBQ&export=download&authuser=0&confirm=t&uuid=c0800982-8e36-41d2-a785-108ef79aa9ec&at=AEz70l7W_k_DypXER0DI5l6Qw2C6%3A1743500973583

Analysis

max time kernel
499s
max time network
500s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
01/04/2025, 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.usercontent.google.com/download?id=1PE9LkbQQO3YWkl-udhirUT4ukrNTydBQ&export=download&authuser=0&confirm=t&uuid=c0800982-8e36-41d2-a785-108ef79aa9ec&at=AEz70l7W_k_DypXER0DI5l6Qw2C6%3A1743500973583

Score

8^/10

steam discovery persistence phishing

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
263	4576	msedge.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe

Executes dropped EXE 31 IoCs

pid	Process
2748	SteamSetup.exe
464	steamservice.exe
3200	Steam.exe
9692	Steam.exe
9752	steamsysinfo.exe
9820	steamwebhelper.exe
9856	steamwebhelper.exe
9992	steamwebhelper.exe
10128	steamwebhelper.exe
10440	gldriverquery64.exe
10544	steamwebhelper.exe
10640	steamwebhelper.exe
10904	gldriverquery.exe
10980	vulkandriverquery64.exe
11016	vulkandriverquery.exe
13004	steamwebhelper.exe
13900	steamwebhelper.exe
21636	steam.exe
22392	steamwebhelper.exe
23700	Steam.exe
23748	steamsysinfo.exe
19724	steamwebhelper.exe
23804	steamwebhelper.exe
19844	steamwebhelper.exe
23872	steamwebhelper.exe
23908	gldriverquery64.exe
20064	steamwebhelper.exe
20096	steamwebhelper.exe
20240	gldriverquery.exe
20292	vulkandriverquery64.exe
20320	vulkandriverquery.exe

Loads dropped DLL 64 IoCs

pid	Process
2748	SteamSetup.exe
2748	SteamSetup.exe
2748	SteamSetup.exe
2748	SteamSetup.exe
2748	SteamSetup.exe
2748	SteamSetup.exe
2748	SteamSetup.exe
9692	Steam.exe
9692	Steam.exe
9692	Steam.exe
9692	Steam.exe
9692	Steam.exe
9692	Steam.exe
9692	Steam.exe
9692	Steam.exe
9692	Steam.exe
9692	Steam.exe
9692	Steam.exe
9692	Steam.exe
9692	Steam.exe
9692	Steam.exe
9692	Steam.exe
9692	Steam.exe
9752	steamsysinfo.exe
9752	steamsysinfo.exe
9752	steamsysinfo.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9856	steamwebhelper.exe
9856	steamwebhelper.exe
9856	steamwebhelper.exe
9692	Steam.exe
9992	steamwebhelper.exe
9992	steamwebhelper.exe
9992	steamwebhelper.exe
9992	steamwebhelper.exe
9992	steamwebhelper.exe
9992	steamwebhelper.exe
9992	steamwebhelper.exe
9992	steamwebhelper.exe
9992	steamwebhelper.exe
9992	steamwebhelper.exe
9692	Steam.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
10128	steamwebhelper.exe
10128	steamwebhelper.exe
10128	steamwebhelper.exe
10128	steamwebhelper.exe
9692	Steam.exe
10544	steamwebhelper.exe
10544	steamwebhelper.exe
10544	steamwebhelper.exe
10544	steamwebhelper.exe
10640	steamwebhelper.exe
10640	steamwebhelper.exe
10640	steamwebhelper.exe
10640	steamwebhelper.exe
10640	steamwebhelper.exe
9692	Steam.exe
13004	steamwebhelper.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"	SteamSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Detected potential entity reuse from brand STEAM. 1 IoCs

phishing steam

flow	pid	Process
243	4576	msedge.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Steam\appcache\librarycache\235720\library_hero.jpg	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps4_r2_soft_lg.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sc_lt_soft_lg.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sc_touchpad_right_md.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_lstick_click.svg_	Steam.exe
File created	C:\Program Files (x86)\Steam\appcache\librarycache\207610\87a13ae0a2a76488792924aa8bb0dd8a7760f931.jpg	Steam.exe
File created	C:\Program Files (x86)\Steam\appcache\librarycache\283290\292f00106aa46a5df60d249000652b5adb6233e2.jpg	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sc_rt_soft_sm.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\filter_banned_swedish.txt.gz_	Steam.exe
File created	C:\Program Files (x86)\Steam\appcache\librarycache\287100\library_hero.jpg	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\steamclean_german.txt_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\switchpro_dpad_up.svg_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sc_touchpad_left_lg.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\appcache\librarycache\220\5925343a8312ea07f234d48170963aafae4158bf\library_hero.jpg	Steam.exe
File created	C:\Program Files (x86)\Steam\appcache\httpcache\09\09fd99636567b74cdedd052d957cd256dad7f488_da39a3ee5e6b4b0d3255bfef95601890afd80709	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_070_setting_0304.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_100_target_0080.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_color_outlined_button_y_md.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\appcache\librarycache\35480\library_hero.jpg	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_090_media_0040.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps4_trackpad_ring_md.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps4_trackpad_r_right_lg.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\desktop_neptune.vdf_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_trackpad_l_ring.svg_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_trackpad_l_touch_md.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\appcache\librarycache\269710\logo.png	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_090_media_0010.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\steamclean_greek.txt_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps_dpad_down_sm.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\xbox_p2_sm.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\appcache\httpcache\d0\d01185e4775dec4b7b2b88cf7b0a8805f20ce953_da39a3ee5e6b4b0d3255bfef95601890afd80709	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\localization\steam_controller_turkish.txt_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sd_r1.svg_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_lstick_touch.svg_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\templates\controller_switch_joycon_right_gamepad_joystick.vdf_	Steam.exe
File created	C:\Program Files (x86)\Steam\appcache\librarycache\239030\header.jpg	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_035_magic_0344.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_stop.tga_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_buttons_w_sm.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\layout\subpaneloptionsshadercache.layout_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\chromehtml.dll_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps4_trackpad_l_click.svg_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sc_dpad_left_lg.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\cef\cef.win7x64\locales\af.pak_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_045_move_0190.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps4_trackpad_l_right.svg_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\switchpro_lstick_right_md.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\c19.tga_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps4_button_share_lg.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\appcache\librarycache\285920\logo.png	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_035_magic_0363.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sc_dpad_right.svg_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sc_rt_lg.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\appcache\httpcache\57\57ab698d31e646fc44c0146d43b61f8e2708ed0c_da39a3ee5e6b4b0d3255bfef95601890afd80709	Steam.exe
File created	C:\Program Files (x86)\Steam\appcache\librarycache\50300\library_hero.jpg	Steam.exe
File created	C:\Program Files (x86)\Steam\appcache\httpcache\cf\cf25ce389fbf31d67e7302677e193e9de9ec20c9_da39a3ee5e6b4b0d3255bfef95601890afd80709	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_080_input_0190.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_010_wpn_0416.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\osx_close_hov_new.tga_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\steambootstrapper_italian.txt_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam.exe_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_010_wpn_0524.png_	Steam.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_406926818\_locales\de\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_406926818\_locales\kk\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_406926818\_locales\ko\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_1595666558\hyph-de-ch-1901.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_1595666558\hyph-pt.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_406926818\offscreendocument.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_406926818\_locales\hu\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_406926818\_locales\ar\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_406926818\_locales\ur\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_406926818\_locales\ne\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_406926818\_locales\hy\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_2017094309\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_1595666558\hyph-et.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_406926818\_locales\hr\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_406926818\128.png	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_1287981050\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_1944570248\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_1085554500\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_1273583005\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_1595666558\hyph-mn-cyrl.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_406926818\_locales\cy\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_1386412917\sets.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_1595666558\hyph-pa.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_1595666558\hyph-te.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_1595666558\manifest.fingerprint	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\msedge_url_fetcher_4528_1914315409\GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_90_1_0.crx	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_406926818\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_406926818\_locales\lt\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_406926818\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_2103993866\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_2017094309\deny_etld1_domains.list	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_2017094309\deny_full_domains.list	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_406926818\_locales\pl\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_406926818\_locales\bg\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_406926818\_locales\my\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_406926818\_locales\el\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_2103993866\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_1595666558\hyph-fr.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_406926818\_locales\ja\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_406926818\_locales\it\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_1458967923\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_1595666558\hyph-de-1901.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_1595666558\hyph-or.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_406926818\_locales\te\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_406926818\_locales\et\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_406926818\_locales\kn\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_406926818\_locales\zu\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_406926818\_locales\id\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_2017094309\deny_domains.list	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_1944570248\edge_autofill_global_block_list.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_1595666558\hyph-bn.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_406926818\_locales\th\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_406926818\_locales\sl\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_1595666558\hyph-cs.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_1595666558\hyph-el.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_1595666558\hyph-gl.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_1595666558\hyph-ka.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_1595666558\hyph-lv.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_1595666558\hyph-mul-ethi.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_406926818\_locales\uk\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_1386412917\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_1386412917\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_1944570248\v1FieldTypes.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamsysinfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamsysinfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gldriverquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SteamSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vulkandriverquery.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steamwebhelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steamwebhelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Steam.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steamwebhelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steamwebhelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Steam.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Steam.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133879765506938626"	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\steam\DefaultIcon	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	Steam.exe
Key created	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\steamlink	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam	Steam.exe
Key created	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\steamlink\Shell	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\steam\ = "URL:steam protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\URL Protocol	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\DefaultIcon	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\DefaultIcon	Steam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\steam\URL Protocol	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\steam\ = "URL:steam protocol"	Steam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\URL Protocol	Steam.exe
Key created	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\steam\Shell\Open	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\steamlink\DefaultIcon	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\steamlink\DefaultIcon\ = "Steam.exe"	Steam.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink	Steam.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\DefaultIcon	Steam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\Steam.exe\" -- \"%1\""	Steam.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\Shell\Open\Command	Steam.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\Shell\Open\Command	Steam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\steamlink	Steam.exe
Key created	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\steamlink\DefaultIcon	Steam.exe
Key created	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\Local Settings	VIVIDSTASIS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\URL Protocol	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\steamlink\URL Protocol	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\steam\DefaultIcon	Steam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\DefaultIcon\ = "steam.exe"	Steam.exe
Key created	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\Local Settings	VIVIDSTASIS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\steam\DefaultIcon\ = "Steam.exe"	Steam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\steamlink\URL Protocol	Steam.exe
Key created	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\steam\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\ = "URL:steam protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\Steam.exe\" -- \"%1\""	Steam.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2067557190-3677960511-2209622391-1000\{0719D151-1AC7-45CD-99E7-816DA4FF6DF6}	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\steamlink\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\steam\URL Protocol	Steam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\steamlink\ = "URL:steamlink protocol"	Steam.exe
Key created	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\steamlink\Shell\Open\Command	Steam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	Steam.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\steam\DefaultIcon	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\steam\Shell\Open\Command	Steam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\DefaultIcon\ = "steam.exe"	Steam.exe

Modifies system certificate store 2 TTPs 6 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Steam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Steam.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
1416	msedge.exe
1416	msedge.exe
2748	SteamSetup.exe
2748	SteamSetup.exe
2748	SteamSetup.exe
2748	SteamSetup.exe
2748	SteamSetup.exe
2748	SteamSetup.exe
2748	SteamSetup.exe
2748	SteamSetup.exe
2748	SteamSetup.exe
2748	SteamSetup.exe
2748	SteamSetup.exe
2748	SteamSetup.exe
2748	SteamSetup.exe
2748	SteamSetup.exe
2748	SteamSetup.exe
2748	SteamSetup.exe
2748	SteamSetup.exe
2748	SteamSetup.exe
2748	SteamSetup.exe
2748	SteamSetup.exe
9692	Steam.exe
9692	Steam.exe
9692	Steam.exe
9692	Steam.exe
9692	Steam.exe
9692	Steam.exe
9692	Steam.exe
9692	Steam.exe
9692	Steam.exe
9692	Steam.exe
9692	Steam.exe
9692	Steam.exe
23700	Steam.exe
23700	Steam.exe
23700	Steam.exe
23700	Steam.exe
23700	Steam.exe
23700	Steam.exe
23700	Steam.exe
23700	Steam.exe
23700	Steam.exe
23700	Steam.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
9692	Steam.exe
23700	Steam.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	464	steamservice.exe
Token: SeSecurityPrivilege	464	steamservice.exe
Token: SeShutdownPrivilege	9820	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	9820	steamwebhelper.exe
Token: SeShutdownPrivilege	9820	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	9820	steamwebhelper.exe
Token: SeShutdownPrivilege	9820	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	9820	steamwebhelper.exe
Token: SeShutdownPrivilege	9820	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	9820	steamwebhelper.exe
Token: SeShutdownPrivilege	9820	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	9820	steamwebhelper.exe
Token: SeShutdownPrivilege	9820	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	9820	steamwebhelper.exe
Token: SeShutdownPrivilege	9820	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	9820	steamwebhelper.exe
Token: SeShutdownPrivilege	9820	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	9820	steamwebhelper.exe
Token: SeShutdownPrivilege	9820	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	9820	steamwebhelper.exe
Token: SeShutdownPrivilege	9820	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	9820	steamwebhelper.exe
Token: SeShutdownPrivilege	9820	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	9820	steamwebhelper.exe
Token: SeShutdownPrivilege	9820	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	9820	steamwebhelper.exe
Token: SeShutdownPrivilege	9820	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	9820	steamwebhelper.exe
Token: SeShutdownPrivilege	9820	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	9820	steamwebhelper.exe
Token: SeShutdownPrivilege	9820	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	9820	steamwebhelper.exe
Token: SeShutdownPrivilege	9820	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	9820	steamwebhelper.exe
Token: SeShutdownPrivilege	9820	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	9820	steamwebhelper.exe
Token: SeShutdownPrivilege	9820	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	9820	steamwebhelper.exe
Token: SeShutdownPrivilege	9820	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	9820	steamwebhelper.exe
Token: SeShutdownPrivilege	9820	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	9820	steamwebhelper.exe
Token: SeShutdownPrivilege	9820	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	9820	steamwebhelper.exe
Token: SeShutdownPrivilege	9820	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	9820	steamwebhelper.exe
Token: SeDebugPrivilege	9692	Steam.exe
Token: SeDebugPrivilege	9692	Steam.exe
Token: SeDebugPrivilege	9692	Steam.exe
Token: SeDebugPrivilege	9692	Steam.exe
Token: SeDebugPrivilege	9692	Steam.exe
Token: SeDebugPrivilege	9692	Steam.exe
Token: SeDebugPrivilege	9692	Steam.exe
Token: SeDebugPrivilege	9692	Steam.exe
Token: SeDebugPrivilege	9692	Steam.exe
Token: SeDebugPrivilege	9692	Steam.exe
Token: SeDebugPrivilege	9692	Steam.exe
Token: SeDebugPrivilege	9692	Steam.exe
Token: SeDebugPrivilege	9692	Steam.exe
Token: SeDebugPrivilege	9692	Steam.exe
Token: SeDebugPrivilege	9692	Steam.exe
Token: SeDebugPrivilege	9692	Steam.exe
Token: SeDebugPrivilege	9692	Steam.exe
Token: SeDebugPrivilege	9692	Steam.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9692	Steam.exe
9692	Steam.exe
9692	Steam.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe
9820	steamwebhelper.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3180	OpenWith.exe
6068	OpenWith.exe
2748	SteamSetup.exe
464	steamservice.exe
9692	Steam.exe
23700	Steam.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 4524	4528	msedge.exe	82
PID 4528 wrote to memory of 4524	4528	msedge.exe	82
PID 4528 wrote to memory of 4576	4528	msedge.exe	83
PID 4528 wrote to memory of 4576	4528	msedge.exe	83
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 2084	4528	msedge.exe	84
PID 4528 wrote to memory of 4536	4528	msedge.exe	85
PID 4528 wrote to memory of 4536	4528	msedge.exe	85
PID 4528 wrote to memory of 4536	4528	msedge.exe	85
PID 4528 wrote to memory of 4536	4528	msedge.exe	85
PID 4528 wrote to memory of 4536	4528	msedge.exe	85
PID 4528 wrote to memory of 4536	4528	msedge.exe	85
PID 4528 wrote to memory of 4536	4528	msedge.exe	85
PID 4528 wrote to memory of 4536	4528	msedge.exe	85
PID 4528 wrote to memory of 4536	4528	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.usercontent.google.com/download?id=1PE9LkbQQO3YWkl-udhirUT4ukrNTydBQ&export=download&authuser=0&confirm=t&uuid=c0800982-8e36-41d2-a785-108ef79aa9ec&at=AEz70l7W_k_DypXER0DI5l6Qw2C6%3A1743500973583
1⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x264,0x268,0x26c,0x260,0x2b0,0x7ffd4cdcf208,0x7ffd4cdcf214,0x7ffd4cdcf220
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=1872,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Detected potential entity reuse from brand STEAM.
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --subproc-heap-profiling --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2196,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=2540,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=2708 /prefetch:8
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --subproc-heap-profiling --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3484,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --subproc-heap-profiling --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3504,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=4932,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=5124,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=5576,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=5808,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=5832 /prefetch:8
  2⤵
  PID:5504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --subproc-heap-profiling --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=5788,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=6500,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=6524 /prefetch:8
  2⤵
  PID:348
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=6500,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=6524 /prefetch:8
  2⤵
  PID:6076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=6228,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=6652 /prefetch:8
  2⤵
  PID:6072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=5612,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --subproc-heap-profiling --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=6820,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=6936 /prefetch:1
  2⤵
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=6512,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=6548 /prefetch:8
  2⤵
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=6564,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=7076 /prefetch:8
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=7088,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=6768 /prefetch:8
  2⤵
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=5136,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  PID:5988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=5980,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=5632 /prefetch:8
  2⤵
  PID:5808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --subproc-heap-profiling --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5936,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=6700 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=7056,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=7084 /prefetch:8
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=3284,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --subproc-heap-profiling --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=6548,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=6736 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=5052,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=6044 /prefetch:8
  2⤵
  PID:5812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=6040,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=5632 /prefetch:8
  2⤵
  PID:6068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=5216,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=788 /prefetch:8
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=5556,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=3496 /prefetch:8
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=6148,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=6012 /prefetch:8
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=5212,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=5840 /prefetch:8
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --subproc-heap-profiling --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --always-read-main-dll --field-trial-handle=6976,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=3288,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  PID:5284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --subproc-heap-profiling --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --always-read-main-dll --field-trial-handle=7052,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:5488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --subproc-heap-profiling --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --always-read-main-dll --field-trial-handle=5128,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=6576 /prefetch:1
  2⤵
  PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --subproc-heap-profiling --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --always-read-main-dll --field-trial-handle=3552,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --subproc-heap-profiling --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --always-read-main-dll --field-trial-handle=5676,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=7260 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --subproc-heap-profiling --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --always-read-main-dll --field-trial-handle=6816,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=7392 /prefetch:1
  2⤵
  PID:6036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --subproc-heap-profiling --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --always-read-main-dll --field-trial-handle=5412,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=6648 /prefetch:1
  2⤵
  PID:5804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --subproc-heap-profiling --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --always-read-main-dll --field-trial-handle=7412,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=7604 /prefetch:1
  2⤵
  PID:5172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=7400,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=7496 /prefetch:8
  2⤵
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=7768,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=7788 /prefetch:8
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=7380,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=7388 /prefetch:8
  2⤵
  PID:5116
- C:\Users\Admin\Downloads\SteamSetup.exe
  "C:\Users\Admin\Downloads\SteamSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2748
- - C:\Program Files (x86)\Steam\bin\steamservice.exe
    "C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=5608,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=6968 /prefetch:8
  2⤵
  PID:11436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --subproc-heap-profiling --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --always-read-main-dll --field-trial-handle=4008,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:20376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --subproc-heap-profiling --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --always-read-main-dll --field-trial-handle=7040,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=6924 /prefetch:1
  2⤵
  PID:20540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --subproc-heap-profiling --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --always-read-main-dll --field-trial-handle=7496,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=3640 /prefetch:1
  2⤵
  PID:21052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=6760,i,6291188231017423532,17541246260814552436,262144 --variations-seed-version --mojo-platform-channel-handle=5664 /prefetch:8
  2⤵
  PID:21464

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:2636

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2308

C:\Users\Admin\Downloads\vividstasis april 1st be with you\vividstasis\VIVIDSTASIS.exe
"C:\Users\Admin\Downloads\vividstasis april 1st be with you\vividstasis\VIVIDSTASIS.exe"
1⤵
- Modifies registry class
PID:1280

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3180

C:\Users\Admin\Downloads\vividstasis april 1st be with you\vividstasis\VIVIDSTASIS.exe
"C:\Users\Admin\Downloads\vividstasis april 1st be with you\vividstasis\VIVIDSTASIS.exe"
1⤵
- Modifies registry class
PID:3268

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Steam\steam.exe" -silent
1⤵
PID:4384
- C:\Program Files (x86)\Steam\Steam.exe
  "C:\Program Files (x86)\Steam\steam.exe" -silent
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  PID:3200
- - C:\Program Files (x86)\Steam\Steam.exe
    "C:\Program Files (x86)\Steam\Steam.exe" -silent
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies registry class
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:9692
  - - C:\Program Files (x86)\Steam\steamsysinfo.exe
      "C:\Program Files (x86)\Steam\steamsysinfo.exe" -steamid 0 -buildid 1741737356 -logdir "C:\Program Files (x86)\Steam\logs" -query 1 -out-file C:\Users\Admin\AppData\Local\Temp\8281.tmp
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:9752
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" -nocrashdialog "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=9692" "-buildid=1741737356" "-steamid=0" "-logdir=C:\Program Files (x86)\Steam\logs" "-uimode=7" "-startcount=0" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Program Files (x86)\Steam\clientui" "-steampath=C:\Program Files (x86)\Steam\Steam.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write "--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt" --disable-quick-menu "--enable-features=PlatformHEVCDecoderSupport" "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal,ValveFFmpegAllowLowDelayHEVC"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SendNotifyMessage
      PID:9820
    - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=crashpad-handler /prefetch:4 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files (x86)\Steam\dumps" "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1741737356 --initial-client-data=0x28c,0x290,0x294,0x288,0x298,0x7ffd2947af00,0x7ffd2947af0c,0x7ffd2947af18
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:9856
    - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1741737356 --steamid=0 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1580,i,17544505128344616659,1888637795431702046,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=1584 --mojo-platform-channel-handle=1572 /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:9992
    - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1741737356 --steamid=0 --field-trial-handle=2200,i,17544505128344616659,1888637795431702046,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=2204 --mojo-platform-channel-handle=2196 /prefetch:3
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:10128
    - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1741737356 --steamid=0 --field-trial-handle=3080,i,17544505128344616659,1888637795431702046,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=3084 --mojo-platform-channel-handle=3076 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:10544
    - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1741737356 --steamid=0 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3360,i,17544505128344616659,1888637795431702046,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=3372 --mojo-platform-channel-handle=3316 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:10640
    - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1741737356 --steamid=0 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=4048,i,17544505128344616659,1888637795431702046,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=4052 --mojo-platform-channel-handle=4044 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:13004
    - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1741737356 --steamid=0 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4192,i,17544505128344616659,1888637795431702046,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=4272 --mojo-platform-channel-handle=4320 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:13900
    - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1741737356 --steamid=0 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4104,i,17544505128344616659,1888637795431702046,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=4108 --mojo-platform-channel-handle=4120 /prefetch:1
        5⤵
        Executes dropped EXE
        
        PID:22392
  - - C:\Program Files (x86)\Steam\bin\gldriverquery64.exe
      .\bin\gldriverquery64.exe
      4⤵
      Executes dropped EXE
      PID:10440
  - - C:\Program Files (x86)\Steam\bin\gldriverquery.exe
      .\bin\gldriverquery.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:10904
  - - C:\Program Files (x86)\Steam\bin\vulkandriverquery64.exe
      .\bin\vulkandriverquery64.exe
      4⤵
      Executes dropped EXE
      PID:10980
  - - C:\Program Files (x86)\Steam\bin\vulkandriverquery.exe
      .\bin\vulkandriverquery.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:11016
  - - C:\Program Files (x86)\Steam\Steam.exe
      "C:\Program Files (x86)\Steam\Steam.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:23700
    - - C:\Program Files (x86)\Steam\steamsysinfo.exe
        
        "C:\Program Files (x86)\Steam\steamsysinfo.exe" -steamid 0 -buildid 1741737356 -logdir "C:\Program Files (x86)\Steam\logs" -query 1 -out-file C:\Users\Admin\AppData\Local\Temp\6417.tmp
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:23748
    - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" -nocrashdialog "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=23700" "-buildid=1741737356" "-steamid=0" "-logdir=C:\Program Files (x86)\Steam\logs" "-uimode=7" "-startcount=0" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Program Files (x86)\Steam\clientui" "-steampath=C:\Program Files (x86)\Steam\Steam.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write "--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt" --disable-quick-menu "--enable-features=PlatformHEVCDecoderSupport" "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal,ValveFFmpegAllowLowDelayHEVC"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Checks processor information in registry
        
        PID:19724
      - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=crashpad-handler /prefetch:4 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files (x86)\Steam\dumps" "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1741737356 --initial-client-data=0x27c,0x280,0x284,0x278,0x288,0x7ffd2947af00,0x7ffd2947af0c,0x7ffd2947af18
        6⤵
        Executes dropped EXE
        
        PID:23804
      - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1741737356 --steamid=0 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1588,i,9624246664715543278,9946027199340048529,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=1596 --mojo-platform-channel-handle=1576 /prefetch:2
        6⤵
        Executes dropped EXE
        
        PID:19844
      - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1741737356 --steamid=0 --field-trial-handle=2200,i,9624246664715543278,9946027199340048529,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=2204 --mojo-platform-channel-handle=2196 /prefetch:3
        6⤵
        Executes dropped EXE
        
        PID:23872
      - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1741737356 --steamid=0 --field-trial-handle=2988,i,9624246664715543278,9946027199340048529,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=2992 --mojo-platform-channel-handle=2972 /prefetch:8
        6⤵
        Executes dropped EXE
        
        PID:20064
      - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1741737356 --steamid=0 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3388,i,9624246664715543278,9946027199340048529,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=3392 --mojo-platform-channel-handle=3384 /prefetch:1
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:20096
    - - C:\Program Files (x86)\Steam\bin\gldriverquery64.exe
        
        .\bin\gldriverquery64.exe
        5⤵
        Executes dropped EXE
        
        PID:23908
    - - C:\Program Files (x86)\Steam\bin\gldriverquery.exe
        
        .\bin\gldriverquery.exe
        5⤵
        Executes dropped EXE
        
        PID:20240
    - - C:\Program Files (x86)\Steam\bin\vulkandriverquery64.exe
        
        .\bin\vulkandriverquery64.exe
        5⤵
        Executes dropped EXE
        
        PID:20292
    - - C:\Program Files (x86)\Steam\bin\vulkandriverquery.exe
        
        .\bin\vulkandriverquery.exe
        5⤵
        Executes dropped EXE
        
        PID:20320

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x47c 0x3d4
1⤵
PID:10324

C:\Users\Admin\Downloads\vividstasis april 1st be with you\vividstasis\VIVIDSTASIS.exe
"C:\Users\Admin\Downloads\vividstasis april 1st be with you\vividstasis\VIVIDSTASIS.exe"
1⤵
PID:14196

C:\Users\Admin\Downloads\vividstasis april 1st be with you\vividstasis\VIVIDSTASIS.exe
"C:\Users\Admin\Downloads\vividstasis april 1st be with you\vividstasis\VIVIDSTASIS.exe"
1⤵
PID:17004

C:\Users\Admin\Downloads\vividstasis april 1st be with you\vividstasis\VIVIDSTASIS.exe
"C:\Users\Admin\Downloads\vividstasis april 1st be with you\vividstasis\VIVIDSTASIS.exe"
1⤵
PID:18624

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:21636

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\vividstasis april 1st be with you\vividstasis\loadingtips.txt
1⤵
PID:25448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Steam\Steam.exe

Filesize
4.2MB

MD5
33bcb1c8975a4063a134a72803e0ca16

SHA1
ed7a4e6e66511bb8b3e32cbfb5557ebcb4082b65

SHA256
12222b0908eb69581985f7e04aa6240e928fb08aa5a3ec36acae3440633c9eb1

SHA512
13f3a7d6215bb4837ea0a1a9c5ba06a985e0c80979c25cfb526a390d71a15d1737c0290a899f4705c2749982c9f6c9007c1751fef1a97b12db529b2f33c97b49

Download Submit
C:\Program Files (x86)\Steam\appcache\librarycache\420\795e85364189511f4990861b578084deef086cb1.jpg

Filesize
1KB

MD5
bc8e0853c9d9fe19fab799d6e066237a

SHA1
795e85364189511f4990861b578084deef086cb1

SHA256
42cbbbaaf4d0d3cc0cfb151a9e8098a573cf98456a96c7bc9de29a8af68e4a55

SHA512
302b8cd3df3be85b128b85c5196a85751fdd2bda3bcbacf7e0002ce97302ae98296e0a6ff32cde1dcd998a3a9bc9fecd62a2c7d61bedf8c60dbc14ff9c52768e

Download Submit
C:\Program Files (x86)\Steam\bin\SteamService.exe

Filesize
2.5MB

MD5
ba0ea9249da4ab8f62432617489ae5a6

SHA1
d8873c5dcb6e128c39cf0c423b502821343659a7

SHA256
ce177dc8cf42513ff819c7b8597c7be290f9e98632a34ecd868dc76003421f0d

SHA512
52958d55b03e1ddc69afc2f1a02f7813199e4b3bf114514c438ab4d10d5ca83b865ba6090550951c0a43b666c6728304009572212444a27a3f5184663f4b0b8b

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
1KB

MD5
6e6a2b18264504cc084caa3ad0bfc6ae

SHA1
b177d719bd3c1bc547d5c97937a584b8b7d57196

SHA256
f3847b5e4a40d9cf76df35398bb555117dfe3626c00a91f2babdedb619d6ad53

SHA512
74199ff275400b451642cde0a13b56709735676959d65da11ac76dd645ab11dac5de048ff7ede0cb8adb3a3056b3ecbeb3dc7481bac3768d02051e564c74b679

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
14KB

MD5
1e0cda85309e62e37c5967e16c82ad02

SHA1
a02a154706b3b0784794e9d1d3a010c26f3ef105

SHA256
479842483bd5a188c6456b4cc7d599faee7db65c81dff0ac0bf266e2bce4543a

SHA512
9dd90e0e055d4dacecf66a865d11581519e492a9c07ec5b3a19df5f96b398c5f260974301420211eb78b3ddde44c3c2674bfd51df59202229fab300abcf67e18

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
15KB

MD5
43d1526b86400b322bbb5335acd2efd0

SHA1
1135c23b339732092b5e896282bc900828e42878

SHA256
120875b80f5f52ebaa288c910786cede4aa015ada813801e2a709c955ae8c4da

SHA512
e8261ebc59d26e0afae2d69c2bf7fb02f4b70c358319e9e75b7e67ca3d5546d25e49a222a02c94473046abf2c1dedd6c5995b5050c2b09be137ce8b7bec9f66e

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
1KB

MD5
a2ec2e91c3ef8c42e22c4887d032b333

SHA1
e2c738a2e9400535b74e2263c7e7d1ecefe575f2

SHA256
8f9f970835f133258a7f740126012439385bbaa5a1d6a9d0d967a390977441c3

SHA512
b069d241efb19e09ec8b5e60ef6c43e00d5cc0f774b9340127c2180356dd1964ac625c1afdfaee5f99e72b26f56046fc329aadbbc365b403af765a55e9c9aab3

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf~RFe5d8a70.TMP

Filesize
184B

MD5
3cdebc58a05cdd75f14e64fb0d971370

SHA1
edf2d4a8a5fc017e29bf9fb218db7dd8b2be84fe

SHA256
661f122934bbc692266940a1fe2e5e51d4d460efb29d75695b8d5241c6e11da7

SHA512
289c40fae5ec1d3dd8b5b00dd93cf9cada2cb5c12bcfefea8c862ddf0a16dced15d6814dad771af9103b3a5d3016d301ee40058edde3fdea30d9767146d11cd6

Download Submit
C:\Program Files (x86)\Steam\logs\bootstrap_log.txt

Filesize
933B

MD5
7d98ac19950a7a8d0b02ca0c4df214e5

SHA1
833753f7daeb35dbf8b8b28e3c2521b2cc9cd921

SHA256
f25ef8169c7a45268acd518e1257e9d48167b5f6b98409f076c10631148227fc

SHA512
c67a32c6b23b17f73e627a765c170f4d1a260ab2c0760e4aba705b1e92e9af1b6f7fad257cbb4e687bd54c7feb326035259cd8cca3d7280db65638daf113d60d

Download Submit
C:\Program Files (x86)\Steam\logs\cef_log.txt

Filesize
3KB

MD5
7e743c2978eb440c093e829ad5a5aef4

SHA1
6d0882d7cc94556b65034f6595ad2855752ff441

SHA256
72f619a4e44e6652881752e405107365641b199545369f2586a4e5858f9d8286

SHA512
71199755b34f5db130a1390c083dabfb813e4d7b11d8c0396488a39cf0d33e896e058c56c174f67e6d7b2251e0220d31daa34ee12a82598f06474a080d9614cb

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_

Filesize
15KB

MD5
577b7286c7b05cecde9bea0a0d39740e

SHA1
144d97afe83738177a2dbe43994f14ec11e44b53

SHA256
983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824

SHA512
8cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_news_mousedown.tga_

Filesize
20KB

MD5
00bf35778a90f9dfa68ce0d1a032d9b5

SHA1
de6a3d102de9a186e1585be14b49390dcb9605d6

SHA256
cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2

SHA512
342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041

Download Submit
C:\Program Files (x86)\Steam\package\tmp\resource\filter_clean_bulgarian.txt.gz_

Filesize
23B

MD5
836dd6b25a8902af48cd52738b675e4b

SHA1
449347c06a872bedf311046bca8d316bfba3830b

SHA256
6feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64

SHA512
6ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_brazilian.txt

Filesize
4KB

MD5
0340d1a0bbdb8f3017d2326f4e351e0a

SHA1
90d078e9f732794db5b0ffeb781a1f2ed2966139

SHA256
0fcd7ae491b467858f2a8745c5ecdd55451399778c2119517ee686d1f264b544

SHA512
9d23e020875ed35825169a6542512ec2ffdb349472a12eb1e59ddc635e57c8fd65fa919873821e35c755aa7d027c9a62d3d0fa617340449d7b2c4cf8dd707e93

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_bulgarian.txt

Filesize
6KB

MD5
4c81277a127e3d65fb5065f518ffe9c2

SHA1
253264b9b56e5bac0714d5be6cade09ae74c2a3a

SHA256
76a6bd74194efd819d33802decdfddaae893069d7000e44944dda05022cfa6d9

SHA512
be077b61f3b6d56a1f4d24957deaf18d2dff699bda6569604aac4f1edb57c3cfd0abc5e2a67809f72e31a90b4aed0813536c153886da2099376964c60e56001a

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_czech.txt

Filesize
4KB

MD5
2158881817b9163bf0fd4724d549aed4

SHA1
c500f2e8f47a11129114ee4f19524aee8fecc502

SHA256
650a265dffdc5dc50200bb82d56f416a3a423eecc08c962cfd1ba2d40a1ff3f7

SHA512
f3594aad9d6c50254f690c903f078a5b7a58c33bd418abdad711ebb74cfbdb5564679593e08fb2d4378faaf4160d45e3d276ba1aa8a174ed77a5791bcac46f28

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_danish.txt

Filesize
4KB

MD5
03b664bd98485425c21cdf83bc358703

SHA1
0a31dcfeb1957e0b00b87c2305400d004a9a5bdb

SHA256
fdf7b42b3b027a12e1b79cb10ab9e6e34c668b04eb9e8a907d8611ba46473115

SHA512
4a8cdd4b98432ba9d9b36bc64aab9a2eab31a074d1cbdfab3d35a14216c60752b5580c41bbb70104993420043685d3bd47eb6637b8fcbb3f42f76a15e4be041d

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_dutch.txt

Filesize
4KB

MD5
31a29061e51e245f74bb26d103c666ad

SHA1
271e26240db3ba0dcffc10866ccfcfa1c33cf1cc

SHA256
56c8a86fa95eab0d8f34f498e079b5516b96d2a2f1ad9c2a888555e50e47f192

SHA512
f85865c1e9ab45e5586d3dd2b45d15265193e8a3c34b6bb1ac7e415a1ea878cfb044e8e01012e917e4f00bb9e0a422f56253f328df1bac99a145e19433354cf8

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_english.txt

Filesize
4KB

MD5
da6cd2483ad8a21e8356e63d036df55b

SHA1
0e808a400facec559e6fbab960a7bdfaab4c6b04

SHA256
ebececd3f691ac20e5b73e5c81861a01531203df3cf2baa9e1b6d004733a42a6

SHA512
06145861eb4803c9813a88cd715769a4baa0bab0e87b28f59aa242d4369817789f4c85114e8d0ceb502e080ec3ec03400385924ec7537e7b04f724ba7f17b925

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_finnish.txt

Filesize
4KB

MD5
9e62fc923c65bfc3f40aaf6ec4fd1010

SHA1
8f76faff18bd64696683c2a7a04d16aac1ef7e61

SHA256
8ff0f3cbdf28102ff037b9cda90590e4b66e1e654b90f9aea2cd5364494d02b7

SHA512
c8ff15373b37e848e6239a82424569e77c82a5fc557d17e7d2ed1d0d2b2f7d026cc1e2bc98cb5ee945c02cfefb82803c23fa6a26f48ff0adcf762f94cd5dd035

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_french.txt

Filesize
4KB

MD5
10c429eb58b4274af6b6ef08f376d46c

SHA1
af1e049ddb9f875c609b0f9a38651fc1867b50d3

SHA256
a1f6ba57ee41e009d904905c0ce5e75a59ee6790e08542561303109e1faafa13

SHA512
d8760f61760bffd8671b727d386ae220e7e6e68829a01553cfd5eb60ef8bd1d7c1b25e7b17a6db5bd17ba6712ef44999726764459318e784843c73bc4facaf46

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_german.txt

Filesize
4KB

MD5
5c026fd6072a7c5cf31c75818cddedec

SHA1
341aa1df1d034e6f0a7dff88d37c9f11a716cae6

SHA256
0828572e4fa00c186dbf1d9072a6154d65cb499c6a37e338f3305f77a2fee382

SHA512
f9d28714b2a05f8d9025f1692e4d7e8baa6daf6176353f65646a38814a242ef2adededa44419edd69f10cf96ffba506dab7cb6e52111457bf69cffef12174b12

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_greek.txt

Filesize
6KB

MD5
189ba063d1481528cbd6e0c4afc3abaa

SHA1
40bdd169fcc59928c69eea74fd7e057096b33092

SHA256
c0a7a1df442ac080668762df795c72aa322e9d415c41bd0a4c676a4dc0551695

SHA512
ce59ad9b17bab4de1254e92ce4fe7d8c8242832f62ab382e8f54199a9932cd11b5800cc33895441426373d5210cc74104e0271b721a7e26ed400b716ae4d5903

Download Submit
C:\Program Files (x86)\Steam\resource\filter_profanity_english_cached.txt

Filesize
1KB

MD5
0042941c1dd0faae8e94225c5920460b

SHA1
16c9435178382d8836c420c7e697c4e1d0be3550

SHA256
6bf85de2b48391f7bd3a87a0a66f5c0bb0b59fdf46f079fd8ac6dfd3c810d158

SHA512
98eb60908db687cd0dfb9e8f6ca5a2f9ea99afd6e9096304f7ae8b11c0b3d64991a67b88bdd72cee803c320469e70b634823d8fb48cb09bbee165b9bd7bd026d

Download Submit
C:\Program Files (x86)\Steam\resource\filter_profanity_english_cached_timestamp.txt

Filesize
29B

MD5
3dafa5700e92af26da8b07c0720880ba

SHA1
3f4780dc78d8584bd7096a42bbeb73b2687672e8

SHA256
b5bafd9a43e607642ef278ee51d2291992e5affb2ab09ec8cefeb79e47799de5

SHA512
2cae6ad1290e8a24f6b14fcc27a045931d4c7732ecae7f3ff6bd0a08ae8ffad5d41cbdbba75714ec5c612cdf1c27171587a9aafe4cad52b52a790236983e5764

Download Submit
C:\Program Files (x86)\Steam\userdata\949520881\7\remote\sharedconfig.vdf

Filesize
165B

MD5
2cd149b64bb90bcb706d80f5c46674ad

SHA1
49ede36bb0c9819245f4a176c31e818caeda2b6e

SHA256
0f52ee2815b398d3ddbcd655d01e17eb8cdb0ecdce0a8550cc10fe5407717a55

SHA512
6ad8509c31af962eb2e8c96f546a51671e4b97ae3b64eea3b90bc862a4451411301b089e482e454296dd41b82c031e22c2ac2a258e6bdc6c1190563791df1b3f

Download Submit
C:\Program Files (x86)\Steam\userdata\949520881\config\localconfig.vdf

Filesize
3KB

MD5
9eb5b3a12d70ff4efd675bbf2b36237f

SHA1
b91f8e8146a472e98c316b31a43c09401433505d

SHA256
195cccc6763c625f9d3606f6ae2ed1f62a722de6d7c197dfdaba0b18af01f4c2

SHA512
32c9f63c793090afdfe211c37bc855d458ec80166f74b087776e2dcaa4d505a2c70973ddaab0952120f30d09886af741bd6912da1b63ed4b0e6970bcccfc606b

Download Submit
C:\Program Files (x86)\Steam\userdata\949520881\config\localconfig.vdf

Filesize
4KB

MD5
6827772947c345a19054c45f75618cd6

SHA1
dce90daa0d37e0b2410ed0a81107ddd64e3d2087

SHA256
5f51f91848789c1111614370833eff940d2dc75a9e8d055536d2a2bbf9a81f51

SHA512
6eff8f6834a378013f5948ac669be277fa91ebcaaba7b9e886ec1cf83bebf00a0a91d644e3d5fac79f25a8ac159d87e48d4be1639b7cf4908d2e79de2a4c28e8

Download Submit
C:\Program Files (x86)\Steam\userdata\949520881\config\localconfig.vdf

Filesize
39KB

MD5
3f461f44a762a426a5297abe31f64993

SHA1
b6f02b04b346bfcf3d4273db573ef35e4b3350f6

SHA256
3630e37e83d02ea4cb0878908aef0d2cd47409ce6604e7599ff4436c5f1e7db1

SHA512
c7ccc3734a7f77d7e2c017e2678ce505c17b68c198072dd33852149ddb44345bead4144bf0fa86787d59a2fcfce955c5a67fc92cb121d7946c43379aed685785

Download Submit
C:\Program Files (x86)\Steam\userdata\949520881\config\localconfig.vdf

Filesize
3KB

MD5
b6474c931dc149db17ac91e6b1c75a42

SHA1
ff04503d829506b89115db87b5eb1551d40557c5

SHA256
e0a1d19f4a5d5e8ca0b5d6b9c2670b614a751f5dc2808214013e7a2d7cb91df2

SHA512
1b118334abb7e741747a25916636185669f2df32500c67fcf1cede4abbd40fb4104dc40b0d2937083a4e6716bb981879b196fd54d26702811d01b33638532022

Download Submit
C:\Program Files (x86)\Steam\userdata\949520881\config\localconfig.vdf~RFe5de07f.TMP

Filesize
1KB

MD5
9656454789961a0271260d9db8bb766b

SHA1
fe0f5764f5ad5f5574c414005c22ca79fa9f0200

SHA256
b786a5b7abd23af31fdee412f8f576f39a857efd17a231052876b4fa2f91ad18

SHA512
fa4a6fd584551a23e92cd7d358885b1a30939f7d275a82ea6554ca886232c7ddde7da7d9a68a11cd40ce5a750f45b821026d3c19a8655a02991849900ae4675c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
0a33713f4320be61de2679c1a601e60e

SHA1
a0b7dea51f371e0a7766cdcc6463c7ee9509c94e

SHA256
c2bb2ec86ba57e4a72b66cc3d6bfae3337b86514f71e55833e987783f704193f

SHA512
3326c7e4df151133806d285d4d43da08d2d9cc6bc15d9645f25b31f127edf0d32af03f3d236622a56e573e7ead2a158a40813d6156e5f375413d808a248972e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\31ff589d-d20f-4593-9a82-efbed7ab0e01.tmp

Filesize
16KB

MD5
b394b573c725ddbb7259c266e9c9878d

SHA1
24f26271116db10d7b97bfe852e8de176cccae8e

SHA256
50a55812d0d57a0b1d0164dd19f56348ed6008814ef7ec3bae1cf1507b1e6e14

SHA512
d9e9534b07ea53519aa7a576fb63ac36198522a875f87ec79246b235210f5e54ccbc8edc4f114b33f63eba34570aa394f714ffa74858b93ac6ff0d9bd5eefe5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000007.log

Filesize
21KB

MD5
5716385fbf724fbad1b2f3325c9d16e5

SHA1
d7d669f739fee5735fb93ae0319469408e2a12e4

SHA256
fc37eafd755e325fd422378944bee7c1f145e739906049bd7a5d26c551ca3097

SHA512
a8b71e99985cb7ac6978d3c00a6af73e066a4a3aa2d8ddabdbd8e764ed2af018408272206ea69e97d403dbaa924c8febb587b615275f82086dd890f6ebc6a830

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old

Filesize
334B

MD5
3d8ee930226e44405afcb76f988345cf

SHA1
02ebf4062195636b697c22d08d7934f90c99b33a

SHA256
0368ca2bb6723cdc4c6ae931f861bedaac4898a9d1e3060962ef398c5353567e

SHA512
65741c9fe5a8e0861ffbcf5b9abfc864ae6e594ab4b1d06830a169bc8a0b2adaa3f6a578e7ee7466dc817691562445e17e8e918ced155bc5933d38e8ff205907

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000af

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000b0

Filesize
67KB

MD5
cc63ec5f8962041727f3a20d6a278329

SHA1
6cbeee84f8f648f6c2484e8934b189ba76eaeb81

SHA256
89a4d1b2e007ac49fc9677d797266268cd031f99aa0766ca2450bff84ac227d1

SHA512
107cf3499a6cf9cdcbfa3ef4c6b4f2cda2472be116f8efa51ff403c624e8001d254be52de7834b2a6ab9f4bcc1a3b19adc0bba8c496e505abbca371ef6c8f877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000b1

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000b2

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000114

Filesize
2.3MB

MD5
1b54b70beef8eb240db31718e8f7eb5d

SHA1
da5995070737ec655824c92622333c489eb6bce4

SHA256
7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb

SHA512
fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
7b50bfbb260e5ffd4db3e9dd1cad4c80

SHA1
c08579ddb04b23b9e7d849a4d5b7d4c6f8fa1f6f

SHA256
8df4f0e9c32e0d7173b2b8396dc441b132eea5b4b13e66ff3249bb9993413f92

SHA512
268229a16812caf495f7837d1154e004e52186f5b31958c55cfb0592d49016899ac961db93229853574cd8e131ed5fed83a80f299573fa204069eff808915487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
bbb6fea9b3089242fc1548ef2e4a0733

SHA1
e718bf622273690635ff1a20ebdaa35621b02e74

SHA256
62426851ff11494754f7de2c92885e148e97ea34cf35fc461a1cad2565a04ba3

SHA512
4b8f3ed2a8f18523f1c5a9ef9ec49cbd4d6ba94d9adf34e3149a46b8d18caf3b722bdcc1621819a9ac12f62936d559184d30822dbc34aa316d6a7c709e537366

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5cfcb7.TMP

Filesize
3KB

MD5
4ce8364b3da0c0020adbc2f1a27074eb

SHA1
7b81d556e6acb18ace58722ad3bc83046e4c34b5

SHA256
5039ea5d4f6bb3991225a41f182312f8d35afc9a2d4ded010769ef0bf9072284

SHA512
28679a999408268dc9814153cec83eac3243b0ea68c224b942974d6652855ef1c04c858c647a017265df22b1d713dc16711d53e5e164621e960e20c16522e13d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
1fbbefb8a0fda60ead9b3679d58ffe21

SHA1
132fc59e77013dd25f8df8cde578a070712bf089

SHA256
a268159bf9d51887cd4ff89717c7d0fe5fe9f4c69fb48856bb506da65214315c

SHA512
781f894f9cc883376ff8a7896d1a454592267b4ac4ce474cb4954afeae892343de93c0900d69c0e4ed915075db09ec6eda333a489d7310bd91af3ea5879fdffa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
ed65472e539188211ec622ef5d3226af

SHA1
9e89889b6fef2d3f7c8c8e17833565696ffcccd6

SHA256
64b5756ed56aa1a0d786217f48e017a702b5dae767431a47732352f7fdc4e78a

SHA512
41f15dc89f30d50ba594a1bf71b3cd7d0356488df55b9cf96a97fcfafb5715da7c24274c2df1484a2a227daae4c45ae1dcab98a3eee041e4177ecdb0fc572462

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
bb228366d47ae125bf3e38e60c9367aa

SHA1
02a06c3fee7fff0c828003514319dca62500b94f

SHA256
41e223a77c11c5ba80f02eebd475ab62fa3400e1be65acd1feaf77c75f06abc0

SHA512
eeda170ffbbd754e77638181357fef408afa8868fe2cbd4d1a43d569b522d67d4c54d0274e12c302dca57f47bd4aeadb37ff31678710ccdb4ed967386c4d8a84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
211B

MD5
dc9f7df279f1ef1dcd3bd2b10223a739

SHA1
95f8c0e31f502b8b5dbaf86099940b3acca44080

SHA256
d6225f8764fca6514537663d4f2397687f945ad1c4986e212b68e1406824d79c

SHA512
23a4f16e29c9e76a57e450ca24b6f9e04402848917b6a430160ce648d49f0c7de76d94a50e383b829611da753af84e21d1e935b16835bf5664e0bba512a6c7da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
a83c853a1140c8c0fd45576c81a2cddf

SHA1
5bbe005c1874728b4eb929bc3b985ce64dd4b61a

SHA256
e94ffdd353e5251e973ed29966353e566878c9a74c7532002a441b46001f3dde

SHA512
79f321b2614b4477078d7f950a86e827b01cfdaf31acebbe28b1070bca69b8ca3e2387189b53f046316361c0b7f0db0ba427905447a5effb92134f115bf87093

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
be3beb9c3ed05ad42a3bcde76686e874

SHA1
633eccd3de290195a1e462d1c66836364e14414b

SHA256
c1147ef82ae8377c7941c295c318dcd08ed2f990df66e20c1b5753cbf377be92

SHA512
5b9669db2eb39d6bd26d402bdb4dfe5e4474c617751d484988155e93233f07a07b960e1549d2a720dd9915b79eb3c246f72c4112d9f37335b8eec5a2d9add3be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
95c1e104243f80792810b52f16cbc6fc

SHA1
a498ec71b355fa82209cdea95c7fc0f723d9e921

SHA256
8dc49982fe868b26363ccf18e96fd668c68abed89837bfc7d2b8ef0c3b2355fa

SHA512
39624389c2c9563702ec6fe615b22193ee4fc6420aac1d2f981ee4fbbce010c950eea36c0fce5b5b6414c2974ab804c095c630a8a6461a90f50f3fa273588ce1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
887ea63b21a3e85da0b4d359cccec6af

SHA1
b849ea46d0c3b84ea1e0624efe9cc6ebdc52a509

SHA256
294997219441b680103632032b8fad14c4f3a7c04bdfecfc4154c8bbb273bdcb

SHA512
6df72ea1a47564337e880053a4a29fb9ddd7bb23f623c9a6faa0df21d1ac077c6f50fb96da9caf54ba3cfa0b6626bb6480239dbcbfb81e08890aded21fe21a74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
52c4d82a735a9cb684dd4a74e9503a7b

SHA1
7b0502f5eda8617a54ef196132a502ad3acddb7d

SHA256
25e9811d2e941a2d8560aba4b04c7ec4b390699846c409b60eb7d2429b7439cb

SHA512
3cd9fb0fa74ff8981e5b05914f4beefb33516a3aefc55da4d25b3b4551e15a80a0a3b84eb87b215c0c8c4474751d4718ae52d85f5eec94ff91f319c04bb45202

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\1338f473-e005-4e99-bb10-960fdef18fbd\index-dir\the-real-index

Filesize
72B

MD5
df8cafd86b68dc3ad2424f8a7fec5a54

SHA1
55e2cee9c3e11d9c6da127966115a522e88f8164

SHA256
07aede6bcb4affadc72067f7eb78a13e123ac817f4d1870f588e60988fbac0f2

SHA512
a95c4785eba7679e9189aa3f914e0c833670292b05959db83c788f8066590e60686bc227efe95a3fcac5be41707c84b02bcd77775570c4ea9ff355ed51ee394c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\1eabfa32-1d87-49e3-ad53-1a8c50b60c4f\index-dir\the-real-index

Filesize
72B

MD5
34701d1d7631845ac3a4a908ae1e28c6

SHA1
dcf07dfd6bfea799a507df2ba1d9cd036d5abe26

SHA256
25a4ec3187bce77b74d774c06b9eb8ed0ca4a9123758f20e807e99e9f8f76434

SHA512
af1947d5262ab5d4ed228c65b8a553c7e8656a0ef6effad65f3faea4b7700dffd3be42fe2b1cc613e93d5b30e225479b4dd4a2cd4580cb33096fd4ea73386e17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\1eabfa32-1d87-49e3-ad53-1a8c50b60c4f\index-dir\the-real-index~RFe5cac74.TMP

Filesize
48B

MD5
a167396bfee1b91be640f4f60f06348a

SHA1
7e471b47fb995396fd85c7d4166cf90d58aed1ce

SHA256
6d42f250851177633f3071507c10d2899e68dc44a5bc0ed3732f3dad0744f4e4

SHA512
a78c9f7fcecc90c2451a7ab1a83fd8ec27bf84feaec2351c72aebc684cc7576db603f321a1320785c60b44301f7e8291701f1c1e9e0cd9dc0f6fa89b6c5780e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\7c81b238-b402-45f4-a60c-1aedbef45679\index-dir\the-real-index

Filesize
2KB

MD5
a8ce2e970a6fdcd8fce819dda75284d6

SHA1
ef34cb60d989f5297dbacd336b3ff326ef191ef2

SHA256
dfc2262947020d06bf96da7d410dd837f613f93ebec4a0d27149bb004aa067d0

SHA512
9a663b5fb6aa9394276e0fd72e082e82bae8153342a9908eb6b83ea14c16b5c28649e699dafc7c8116ab2c741c52af32cb8db70e07aa9f2d08d7344501836a71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\7c81b238-b402-45f4-a60c-1aedbef45679\index-dir\the-real-index~RFe5cbcc0.TMP

Filesize
2KB

MD5
ab811db997279e35e30d9cd97c8bb480

SHA1
a361a5a8e05180bff27b705df055f00d018d16a5

SHA256
8a0233c2e5dd3f833fb3589ddae123707749a849af61add4ad701e8d63b8ea94

SHA512
0f03d251f3e95ef7e79739aafba713c5528a8d62b7064b04057d06972251f055d885476012e2432542496992ffd0974acb7fb487bc8d0ba12d0b08d79faedca7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\dfa4b6e4-3f82-47a9-9200-0d3fb4e10837\index-dir\the-real-index

Filesize
72B

MD5
50fcbe572df3078339c455f82b013470

SHA1
d8de73eed25a0ae0b05b40310241d8d680537128

SHA256
8af89efb4235527b8793fbee986bf6946037b77403a98a99cd102311e3d90199

SHA512
de49cc8d001485527ad58012d24a88ef906a6f5ff6c6af8ddf5d88b5b282e1829019f150b3d43ab9fb87207ef4766fb828ab0f4a249bc6f088494d34746fc8a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\dfa4b6e4-3f82-47a9-9200-0d3fb4e10837\index-dir\the-real-index~RFe5caf91.TMP

Filesize
72B

MD5
378280c9d34639627e1b00a5ad2b4692

SHA1
730cc2d59be43c1a008179cc377e1022a7ce13dc

SHA256
c88f903fe13873b631c1a89f9fa1f1d6055a9b11db14e845798061e1ca332256

SHA512
acb02c4f6226173f156e47b4d1a4ab019bfed9afdc4d5cbe39afc800ec106425675230af8d4cc143e4894bfbacc27f994055540e3d595876f0a8839c42106780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
327B

MD5
6aac4e0f82695b56f3f555c5e6dbca4b

SHA1
2b37651c62fbe7028410e3e2cfe6c786a428ea35

SHA256
0d6eba928599877befdbae8593a7ddad8681d0c74723f5ab05ca97d7b4f984df

SHA512
1a2854718f89097a6d34538e0d0300cf17c693029dd13ace74cec8e0b5c65fc6f9d9fbd0bb82711ee0673987b7aa3372fbc93b47d34b4b4b5bc918fa7a9086fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
322B

MD5
9b124e16fb8e10b2d5b97f28bdaf051f

SHA1
8e1aaa88946cbfc823bbfb76d850535730a8bbbc

SHA256
c1a43313fb7e09fb2e8321dbc41d1324f380714db6ff2f9f8c0bfb93e3e930fc

SHA512
51b32a46f85925be56c6e98999c85643048ffce06b37273f42eb62dbe1918156a3da2041adb308b501d30b890d1fdf4743f1f78e752fe6d9f2de0a21accdac1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
e9aaf1f83d431b907e1a5468a3d3fa64

SHA1
0f13a0e07bf631dd978756ae4e9ea33dc514d579

SHA256
76ab4121661622a12721c4226768bc6747c53575613db7ab3eee432370fefcc9

SHA512
ac48526c65666b017db04c7ed4561ff460c19a524bea650d792da117706e5ed7afbe8f7ec6aba81c600ca335aa0d903dadcd9066a99963b2aac8d5dd8060911d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5cb88a.TMP

Filesize
72B

MD5
60e7e2795e84fd6eed1b90f89716063c

SHA1
145695732e112ad4363748ed25426e9414566687

SHA256
f029fc15f83ac8bc4206f35017b29b03cbeafbf99e33853ba0828401a7d4334e

SHA512
d57732692476da99a401e67ec98a2939f3241b9d27798dd2b87f76e4ea5ef93e7ee93cd2435d2c1eb145b3574fd44b52bf5557afdc0f9c8cf61891e9f7cde59c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
32dc53fe06e5e56539b258da9c5c03f9

SHA1
b8c99dc6fa01cb2da00bc921cd00bf3a008436be

SHA256
c82dc9cb7f723c0bbf8382e42a2f1c4f38b877cc287567daea6175c9f2440a9d

SHA512
8f128a01e02687830e7aedd1d7b61a6136b4e232d375dd16ffc579a73259d767247e142863831734c73f868363d5ab13c53571ff4b17a0283f62961815c2a1a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\79003c92-a7db-4e3a-9939-88cab222a498.tmp

Filesize
23KB

MD5
3f39bd7516c5e03c5b867f3636459ca9

SHA1
1bfdf44140eae40f8d2f65b6703a0ee10821888c

SHA256
e279c35d8c3306200fb0518e50919acb985a06ee5e7f0f282498809c3f61fcac

SHA512
4f05afac2cd04b653a685f1014d8f11e36d4e376bd322ab4864cb8c85393d50f535c5f97fbeb79437914cdb7ea27a6f9955a7095c9a6fc576be9abfeb71123ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
467B

MD5
10d501ab6143498d6b93b9941fda9e45

SHA1
97f625f70d3bd49d8a592f2e737d78604c1ea4e8

SHA256
f6cf17626ef639c3d1ec87d4d51dc7afeb9bb8e650912636c90d109af870deb1

SHA512
6ae5ec191e9be02333aa6ec5bd7eb81e64139c928f0492804a796c1534c96e9b1734373eb630c19c61f07e3bbe28fdc4a8952e604049ab4933e0327c8205ccfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
900B

MD5
29e595ad60c16115c202c7b4e998636d

SHA1
71cea35d25f600cce2561919d7eb9a2188b1bf17

SHA256
3ed7542a6a728503172e6c76d101742a4d1d6995b2ab3de1868e2fc3fed9ee51

SHA512
ab03860eb64d48a405b85d26c350c57a09488940c02dc832896506357fb7a3add6b9ba4724b725fb07e67d339192830687198ea6423e63cab3e8eb67743a699c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
1ea6691dec2ff2fb901c9a391f46fe57

SHA1
4b152ae6301205cecbadf1a7fdde96d077b96166

SHA256
3921379f715cf4740d718fb4f449e1263be085093af617622803f014b733c703

SHA512
af204cb698075e1937051ebf0933e307e869c86a4646c4a93a68d0047818fa78ef9bb4ee4d835069bcb58ff7ca4e603924a3085e3ce5c00e4a436e4deaeed4ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
0705bb8fc4cc71d154602308496c012b

SHA1
e7fa2212fddd925fbdd2108033039b103f034165

SHA256
44f7d44e7a80ea118291c8b9b5efafac8791068ce3ff0bd2cd66aaa01c4b5fe9

SHA512
1c814fc09b1f08baca44eddd2c8d8290a26dad787d0b6a5254a7c0b2ee154aeb44cb71702b9dde1258eaf543f2fdfce06a02b347b42e8a50779654c886e9a57e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
48121c38d8ffb7fd37be0686a72a70d1

SHA1
e79b878a8626e4f77eaa7f2fdf10b989aa66456e

SHA256
222fbd4aea125b105c28490eef33fe2ea4dd3e26eac768c1ba41d742d2777f8e

SHA512
3d2f8773c4d2c3810d2c5ef47a6fd5e646076d091d6b559b4c2e9e2504acf7a98fe65af28d7a99c1054f3c5f68dcde28a0d05382120caf25a5e462f24bc21309

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
07316b8ab6474d9564da5a155dff6a8b

SHA1
a3050ebbe176bf1e1e68a387ff3017672bd12838

SHA256
5cb4955dc031b414d5f1685a7beb3e35882b2750ab07f54af2633d0ad6cb15f5

SHA512
c6d0bc4d0f307e71aff771ca54c500eb78092b2a8676fe186ef0dee758dc26dbebdf29140fe66d829eb484b2b24553b1205f6e1f38c7bc7ed8759b6c4f073191

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
ce9065751957a463fb73e1dc103b0cee

SHA1
0f2e31778dde8d4f0d658ea99067497e47e10e6a

SHA256
e5365a4db555d16534b388aae3dbc713732ba62690d42d0ec6fb9621a6b1ad2b

SHA512
98375b844c53c32a3de1b56b61dec61d1962d0002b7f9e93aa636ec3491276e8d7da5d33cb3593bd5e093e9c58d646cb00e8ee38e973cb571b6ff2d39f8b93c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
0565e28e79b63b99714e9247544b5222

SHA1
75567b7bc9f12a468e80d4c6f2d181d52f3e9ad5

SHA256
bec42dad54dca017e62b91258b310aacaad7e52ffe89f299f485fba5bb34b188

SHA512
110a13ec33cf7b31cba5fe1d0a28eff2f0dd7c962254ae24d2f76c649b88c3925446b3729730f5ad60e6501faae55c13571c44773fa69418552d7b61197e5a8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
173cbe8030a93d719a1912cfe9bfc99f

SHA1
da2360deeab837c10736f7c4858bcb6a477ea06c

SHA256
1a74b71957b31edac5df18a964a6072a9f8f5e24b5b4ece983c853078a69648a

SHA512
0eb7a17c5ff1f89fe526fdacec10ee79ab49d49a5e910e90a15a8fab9af7267fb8b114fb6f2bfdd56b6b95c66785f1af8deef5575725aaad409a4a739b1b8503

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
c12424d4ed8c046ba1d349dc366b109d

SHA1
414b98481e3462b63be68e74f928fb2aaea6a369

SHA256
a26238be5610244dec8bf21a3fea52cee24b3f7a6112aed7690e0ef63da2d5d5

SHA512
cb32459e07f54009dce79ccf8ebb96ae764c8e2309ecc460bf7c760eed6149440a820028791dbdbd205bb4c3ed513fef0b3a1db21c702e516eeef95382814d5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
6bd4f905438a95529493bf02afdd0300

SHA1
0eacd6a2258b64a21d530312eecfd32b5454be7f

SHA256
35c3091ba2978427ad9ec29ceea014b50e9acf0c17b671d4e3b344b5a4077541

SHA512
ede2acfac740e1919d3c72ed44c31f64c1b72d3eb2d9bd24bfe08ee5c6162b3ecb7aa12577ed6cff06bb4e3ae97fa8085d734b8c9db8a397c375976163a2f8f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
91cc5db585fd478d91975ab359620e06

SHA1
31f74469189eedf4ebbcd424af2c69f08385be8d

SHA256
0c6bdca76a4042e1f9734bafbabba393710596bb1d2ebd90c678e3e54e56ab6e

SHA512
517972e2d3f74d4aaaabd7104524816089547ceb1d2376a92a8e37e0f41f74f0db2638bfa9f1b868246e99371d3e8ae40103574ea36d50507b0ebf1292391bef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
012dce19b78998826389f6a83673ac1b

SHA1
9288e5891dd40981ddd50ac241d74ae37df3fed1

SHA256
cd81466203b13c238d7768762002e86bbed121e67be4b48c99ded473f1cb9dd9

SHA512
4da21183c09a1fd4960689cee29bd2f0ac8bafeea6ba5e69923b2166fa883f1de733d077009ff32f39672fcfc72e3299d34f564ffbbbd934f6f074d9f011982a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe5cc089.TMP

Filesize
392B

MD5
c0902bbb4e942de7900c430564658439

SHA1
6c1bb078fa8d2c8de781c673da28e7c4c50c330e

SHA256
20d89de9b936207f96acbf39249a11f81ad4a91c72f9aa451a265be2717b0fbb

SHA512
9cf470394bb1f08732a8e0662bc79cd30306372cd0a8109e2b1bb578b58d7996ae0e06c8778b247d4b8fb0e3ac27d1533505fda7758e08770c1b9bd0bedaa513

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
c3c935ee5f405eaab663c44d62c6efa2

SHA1
39f4d253022291910b7534648ad0ba5d2f51de40

SHA256
2568e1f72cfc0982e9f7be79b649bf8f04bb91c8111f8bb4ac8552e6cf76622b

SHA512
466970c2bde664b31510e2c0de57afc8bcbd8e9ece42bc37161e86190156325a2c4fe9d5a24c6895974633cd99639b3fa5a5647f54fe41efa4d49e28efe813ad

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
0116caaf7cbc9b735035cb970d7d5785

SHA1
e11b99a44eb6ebd57e2ad021b127b07cc369d609

SHA256
2fefa30de15183063ac487c1757b92555d7d76a9656adfa2972d6f0667254989

SHA512
63f33f7181962af9b5e17cc42fb6921c38b06cf453c27183bdcf088ef79d6f6d639004352b0e8c37e657ed1cad69e68989e625cbeb9f8b469011d2ed87563596

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
5fa1a179d5b7935e3d51c1431a379d61

SHA1
5a7f188085b7e0237f6b70d5b583b35faf24b305

SHA256
72ed00716400ebe272ffccd7331d47dbb32ad22da7e79ca361c1bdcdfa43b786

SHA512
4c3f774e56e88d5e03914e839e615de837072d7fc2643ac9b9ba20dc08c174f18b045e88b690a21783c02aa044fc2af2f5f39ac359ebd9dd1fec9768b4bae0de

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index

Filesize
672B

MD5
ad50571491228ccfc5a6c47089c0fe2a

SHA1
408bce83a82a4d53f610e1f8724bfca928710758

SHA256
38cc8c60d0de4b00daa6772683380f5ada753ed06201e089ec5ce14c3ab6b404

SHA512
edd24aa06fe315c6b3b8f8426444986cc1e4f30ecf9d8fdeda7e54129158106d2eacf844f86d80b3e907e478f049a25b38597d0edbfb4e2df8917cea5495ddc0

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index

Filesize
672B

MD5
40e4f7fa647f2b780c2cf8ee7fb9c1a5

SHA1
7b050a8e8b6880e2613ac2c7bd4160c1d2b8274e

SHA256
cd279cd2eaf8f08182953a4367ecceb93e69e491233ff5a06bf9243fe0284888

SHA512
1e985d4114c4e90909df2870198badeb7b5e11ee9e5a960b78b76c803b0947a3f7eeacdccfb1f8751048a40d603f518013958cf95f3a8dc8c80bdd7086021d92

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\DawnWebGPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\DawnWebGPUCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\DawnWebGPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\DawnWebGPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\9fbc9c0c-5e3f-45a0-a597-0363b0f9eb6d.tmp

Filesize
829B

MD5
48dc3d0a94c63ebd7836c22cdae75062

SHA1
16d6c90f9660f8dfbb725e913fe878915964d6ad

SHA256
1d9497c20eb3bb983c7cbbfceb2291f07b43162aaff05fcaf456ba4ad9005a59

SHA512
9bbaad015f8cb9133a57b6c1e9895b1d21682da8448f1eaaf113743af849b3fc8efec327fe22c48fec50430de2fcea2c51e0989abda305fdef39b21836f64de8

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\Network Persistent State

Filesize
829B

MD5
ccac06094ba2ed4aa027071eeb908ab4

SHA1
39ab7614dac82d9a34832f142f372068b968dd39

SHA256
96c5f9c64268e574562605551d302b5ce3f108e1996428e922df0114066ed994

SHA512
47e997dac1e221530af9b57cc6f4d6f3036ae9c27f5110047ce96e3d8f8cb2fd50db634c66b183faf57df56b9aff0f60d6920666d2b1910565790ff20053559f

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\Network Persistent State~RFe5e6177.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\TransportSecurity

Filesize
524B

MD5
49b5fb724ed3a9f5e99cb345723ec4c1

SHA1
ddc927ed3352c6013258cfe1fca654a1da45cdf4

SHA256
c84cbfcd76581cd7fb714fcb35537e08c8f0a41a1f99963fdb3348a5af3c2986

SHA512
85fbf0fc4b6ce5fc864606385a609bb7d4aa5c222c0fc1df7524de586c31919743b6c17acd298f3e20e1ecb8eb579354a69c23954e48eb0207f202c3ded64fed

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\TransportSecurity

Filesize
524B

MD5
5fc5914a8edcdc366940ae39a4c43f33

SHA1
e706b40eb48503f2fdb00ca4b41f213953e05297

SHA256
2f280d0df58702dc64e67c0b47b9be451cd2e401f183cafaf13007f9e5cbaeee

SHA512
8cc3565c87942972e874afcb97bb954b0234dc52253b0d30b325d7db0987bef6a561120ea9f8a9485fb9dcb64ea728d1d6ad27012fd59aec2ce734ffc2ed60eb

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\TransportSecurity

Filesize
524B

MD5
6a5e731188aaa6e0f83d69d19a2a5cd8

SHA1
4f84895fd75086d0c361dadde297f2b890c2b143

SHA256
852f3ba8f67fb6570967937cff3c98656af1b852bd4b091db735110edfe9b69e

SHA512
94de9c213d3d4f1115d838b112ad36ac365d37f291dd546c3be3c0b3b47a0944e38abe74ed3a823c7f9f96c1b429cfcdd9d937e3fe3e3d9c0802c92fbdf36c19

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\TransportSecurity~RFe5e1d0b.TMP

Filesize
188B

MD5
0480ef74c8217fc919a0a1d1e4f87516

SHA1
cc09e9dbaa4df5c9b73be843c4f0ee4573551a04

SHA256
8a6ec6ce7903d5516b2d344624e28bbe890a1c174f8cbe93225845dbbf48b35d

SHA512
2b392da568dd88ea36fc953ae4bf9394614ae129eaf659ee06f06286298bfb6ef0de5b9baaaadc6cd7c6f83731bbe326cd0ab01fce7167c7b0054bac6c91a4cc

Download Submit
C:\Users\Admin\AppData\Local\Steam\local.vdf

Filesize
1KB

MD5
2609381f35b736fc731aafa7b99665d3

SHA1
269ff9c047068e83473ee942a9be11e9e856f5ff

SHA256
3cf7a5597344489141c26fb7c80bb1ce979c49ba7239ea25a787f4afdd21f1c3

SHA512
4c64cd53d58bf3bf5de50e811cbe87bac4f2adae1ab6ec2bf139931af8814239e686970d2eb5832d86e48ce516198770b194be4c4d9e3c1c5609d5aec7a16074

Download Submit
C:\Users\Admin\AppData\Local\Steam\local.vdf

Filesize
117B

MD5
350f2e5394aee9de9db65a10b4fe74d9

SHA1
b3a3ae0474a2176eba8973e23e4174848bfa9ccc

SHA256
722b397d0dc0ad71d2237184018ab6a17b1404011f23e1909d421f75e1a23523

SHA512
c4f0639393c3cf006078832ccc946849bcea1399ba61ee7b56c9497f6c31c46a172691ee60251a037474b43fa7df18579170b4cec602ae6a6d71583636b18b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnC2BD.tmp\StdUtils.dll

Filesize
110KB

MD5
db11ab4828b429a987e7682e495c1810

SHA1
29c2c2069c4975c90789dc6d3677b4b650196561

SHA256
c602c44a4d4088dbf5a659f36ba1c3a9d81f8367577de0cb940c0b8afee5c376

SHA512
460d1ccfc0d7180eae4e6f1a326d175fec78a7d6014447a9a79b6df501fa05cd4bd90f8f7a85b7b6a4610e2fa7059e30ae6e17bc828d370e5750de9b40b9ae88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnC2BD.tmp\System.dll

Filesize
22KB

MD5
a36fbe922ffac9cd85a845d7a813f391

SHA1
f656a613a723cc1b449034d73551b4fcdf0dcf1a

SHA256
fa367ae36bfbe7c989c24c7abbb13482fc20bc35e7812dc377aa1c281ee14cc0

SHA512
1d1b95a285536ddc2a89a9b3be4bb5151b1d4c018ea8e521de838498f62e8f29bb7b3b0250df73e327e8e65e2c80b4a2d9a781276bf2a51d10e7099bacb2e50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnC2BD.tmp\modern-wizard.bmp

Filesize
150KB

MD5
3614a4be6b610f1daf6c801574f161fe

SHA1
6edee98c0084a94caa1fe0124b4c19f42b4e7de6

SHA256
16e0edc9f47e6e95a9bcad15adbdc46be774fbcd045dd526fc16fc38fdc8d49b

SHA512
06e0eff28dfd9a428b31147b242f989ce3e92474a3f391ba62ac8d0d05f1a48f4cf82fd27171658acbd667eaffb94cb4e1baf17040dc3b6e8b27f39b843ca281

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnC2BD.tmp\nsDialogs.dll

Filesize
20KB

MD5
4e5bc4458afa770636f2806ee0a1e999

SHA1
76dcc64af867526f776ab9225e7f4fe076487765

SHA256
91a484dc79be64dd11bf5acb62c893e57505fcd8809483aa92b04f10d81f9de0

SHA512
b6f529073a943bddbcb30a57d62216c78fcc9a09424b51ac0824ebfb9cac6cae4211bda26522d6923bd228f244ed8c41656c38284c71867f65d425727dd70162

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnC2BD.tmp\nsExec.dll

Filesize
17KB

MD5
2095af18c696968208315d4328a2b7fe

SHA1
b1b0e70c03724b2941e92c5098cc1fc0f2b51568

SHA256
3e2399ae5ce16dd69f7e2c71d928cf54a1024afced8155f1fd663a3e123d9226

SHA512
60105dfb1cd60b4048bd7b367969f36ed6bd29f92488ba8cfa862e31942fd529cbc58e8b0c738d91d8bef07c5902ce334e36c66eae1bfe104b44a159b5615ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnC2BD.tmp\nsProcess.dll

Filesize
15KB

MD5
08072dc900ca0626e8c079b2c5bcfcf3

SHA1
35f2bfa0b1b2a65b9475fb91af31f7b02aee4e37

SHA256
bb6ce83ddaad4f530a66a1048fac868dfc3b86f5e7b8e240d84d1633e385aee8

SHA512
8981da7f225eb78c414e9fb3c63af0c4daae4a78b4f3033df11cce43c3a22fdbf3853425fe3024f68c73d57ffb128cba4d0db63eda1402212d1c7e0ac022353c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d356105fac5527ef.customDestinations-ms

Filesize
11KB

MD5
10fd3c1e610cc2b76cbb96fcbea49be1

SHA1
dd316a52886cd8f2a5b52a16a14e4177fb33b9ce

SHA256
46a9c4776b2ea91532faf76e7a67c727d4f59c98b01af72610c38ab1b8e5950a

SHA512
039152be3d00e78e26e37d66446bf03b93e0042ad115ed18dc3e351e93aeadf663538630524adea1b3f5445fde3e5bd7a13a086b14908ce39b5907184d941e07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d356105fac5527ef.customDestinations-ms

Filesize
11KB

MD5
2c06d09c1883778e53987d37511160b0

SHA1
4dcb32591b1ba88d25ff1059fd80742da21eca2c

SHA256
19de39a0839ef4394a8965becca9d2a57b67dccf8cae4d6bc043e49f0d06df6d

SHA512
8fcb8af6359787fd2ad94db67a76e8e2e6f1760a84490476bb96f48e75f3d0f3aa1b75fdca46e60e27a5247216b65b58243686d772ecafb86fffd203b88cea68

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d356105fac5527ef.customDestinations-ms

Filesize
11KB

MD5
94210081ca100582f22a71086d694cdd

SHA1
b01df09edf3ea08cbb8350457fc3f4aa75c538d3

SHA256
4ba559e96b4c54502c213447f6fcc773149aef7cefc32bdc72d9126b56816978

SHA512
88b2b29398e754e7527859c8a0620292c607f414809882d657fb158789968fe7269feaf0ce8ae7f75be59f53e70a350ae3b257c246e4e8c04491427cc6224cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d356105fac5527ef.customDestinations-ms

Filesize
11KB

MD5
a809a577927cde2274f8dab7ad27affb

SHA1
744a30aa1bd27ca15fb46dffa214a5465348d60e

SHA256
c0214bf55775198bda1fa61c6aaa9a713fdf41ecc052ec64aba35c7a64e042be

SHA512
08071ac0c12433d4128234f2d55e0b1f32195bc15f7895cf0f9bc39793c4372e15cbc3e6043a46007515e49cd89c0f8dfeaaafa53a1998f05ea94e1f23e43ead

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d356105fac5527ef.customDestinations-ms

Filesize
6KB

MD5
4ce3ada04fde2ed1a9185db814fe9997

SHA1
27f39432435b8430e3802598ed9523405a5fd32c

SHA256
5093870f04e631e8875d3eab263a12102b93dded10eb0fb8188c35d3040a5ee3

SHA512
f9ac1012f707c8bae40c91a72a8f0f03990d7308097ee8c09bbefb3f2d3cbb597cae097e6ee85dcbeccdd3f89e13ce6ffb02ab84dac3660b90603d749275f2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d356105fac5527ef.customDestinations-ms

Filesize
11KB

MD5
924aaf31456e939531af25a451d55243

SHA1
b3bf70ca00c7f0bde05bcb23dd588329b09e9760

SHA256
1cfc0e19a335dac77990c814fb341bccdedec730b382ffb9694532d2ae792cf8

SHA512
567ef6efe95663d8b9d242e72adfc9645a20a63513e1efb814b5cd3ed73b5d30870c58d83ee9eb3b7e0f4f350a218dc0ba9b9fd5871eff02805a4aaec1029149

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d356105fac5527ef.customDestinations-ms

Filesize
6KB

MD5
26c24c2a23172a720d9d23513661f8bf

SHA1
3ab9439395ea5449dafadf8d44244e890c0212d8

SHA256
fb805e1bec44c5b53aa709c944123cdaea65fca4f8d9177d52527d34290efc9e

SHA512
2ea03c29c06f3831a23091b43ef80599769a0c9d3bd3c642bfd871e59162cb65833acefbebcee659fc0d5ef07bbc4cf030ecaab63e4f2c0ecf9bcb19a937ee12

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_1458967923\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_1595666558\hyph-bn.hyb

Filesize
703B

MD5
8961fdd3db036dd43002659a4e4a7365

SHA1
7b2fa321d50d5417e6c8d48145e86d15b7ff8321

SHA256
c2784e33158a807135850f7125a7eaabe472b3cfc7afb82c74f02da69ea250fe

SHA512
531ecec11d296a1ab3faeb2c7ac619da9d80c1054a2ccee8a5a0cd996346fea2a2fee159ac5a8d79b46a764a2aa8e542d6a79d86b3d7dda461e41b19c9bebe92

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_1595666558\hyph-mr.hyb

Filesize
687B

MD5
0807cf29fc4c5d7d87c1689eb2e0baaa

SHA1
d0914fb069469d47a36d339ca70164253fccf022

SHA256
f4df224d459fd111698dd5a13613c5bbf0ed11f04278d60230d028010eac0c42

SHA512
5324fd47c94f5804bfa1aa6df952949915896a3fc77dccaed0eeffeafe995ce087faef035aecea6b4c864a16ad32de00055f55260af974f2c41afff14dce00f3

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4528_1595666558\hyph-nn.hyb

Filesize
141KB

MD5
f2d8fe158d5361fc1d4b794a7255835a

SHA1
6c8744fa70651f629ed887cb76b6bc1bed304af9

SHA256
5bcbb58eaf65f13f6d039244d942f37c127344e3a0a2e6c32d08236945132809

SHA512
946f4e41be624458b5e842a6241d43cd40369b2e0abc2cacf67d892b5f3d8a863a0e37e8120e11375b0bacb4651eedb8d324271d9a0c37527d4d54dd4905afab

Download Submit
memory/3200-14024-0x0000000000570000-0x0000000000A22000-memory.dmp

Filesize
4.7MB

Download
memory/9692-14180-0x000000006DF10000-0x000000006F2DA000-memory.dmp

Filesize
19.8MB

Download
memory/9692-15945-0x000000006DF10000-0x000000006F2DA000-memory.dmp

Filesize
19.8MB

Download
memory/9692-15247-0x000000006DF10000-0x000000006F2DA000-memory.dmp

Filesize
19.8MB

Download
memory/9692-14492-0x000000006DF10000-0x000000006F2DA000-memory.dmp

Filesize
19.8MB

Download
memory/9692-14206-0x000000006DF10000-0x000000006F2DA000-memory.dmp

Filesize
19.8MB

Download
memory/10544-14068-0x00007FFD5A470000-0x00007FFD5A471000-memory.dmp

Filesize
4KB

Download
memory/10544-14069-0x000001541B900000-0x000001541B901000-memory.dmp

Filesize
4KB

Download
memory/10544-14202-0x000001541B8D0000-0x000001541B8FB000-memory.dmp

Filesize
172KB

Download
memory/10640-14203-0x000001F09E860000-0x000001F09E88B000-memory.dmp

Filesize
172KB

Download
memory/10640-14078-0x000001F09E890000-0x000001F09E891000-memory.dmp

Filesize
4KB

Download
memory/13004-14539-0x00000238C4190000-0x00000238C4191000-memory.dmp

Filesize
4KB

Download
memory/13004-15012-0x00000238C4160000-0x00000238C418B000-memory.dmp

Filesize
172KB

Download
memory/13900-14738-0x00000174E9410000-0x00000174E9411000-memory.dmp

Filesize
4KB

Download
memory/13900-15537-0x00000174E9210000-0x00000174E923B000-memory.dmp

Filesize
172KB

Download
memory/20064-16790-0x000001CB98030000-0x000001CB9805B000-memory.dmp

Filesize
172KB

Download
memory/20064-16531-0x000001CB98060000-0x000001CB98061000-memory.dmp

Filesize
4KB

Download
memory/20096-16534-0x000001D666D60000-0x000001D666D61000-memory.dmp

Filesize
4KB

Download
memory/20096-16740-0x000001D666D30000-0x000001D666D5B000-memory.dmp

Filesize
172KB

Download