20757c361f653b52a5e4c8ee12f0fb4ae78a8ed60b8e214cb86f279798ee23d0

Resubmissions

15/04/2025, 15:22

250415-srw5gszyes 8

15/04/2025, 15:08

250415-sjcqwazxcz 8

Analysis

max time kernel
134s
max time network
137s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250410-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250410-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
15/04/2025, 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

steamweb.exe
Size

15.5MB
MD5

2557af1cde18cc05e215ac65547b4d84
SHA1

49d94a7dd93ba7bb3e6062f112e15ed17cd718ab
SHA256

20757c361f653b52a5e4c8ee12f0fb4ae78a8ed60b8e214cb86f279798ee23d0
SHA512

307648c30f29125cad241b774689593ade6735e0054ab372210717b4b27febf27aaace94941c221b582d65efcf1db49ce34a2427948c0a78d0346ad8cd8500cd
SSDEEP

393216:NcjJzQH4Z4+D6F4vh+viahsj9l61+TtIiW0VJWLlW30:su4ZX52W61QtI2Ei

Score

8^/10

steam discovery persistence phishing

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
77	5444	msedge.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe

Deletes itself 1 IoCs

pid	Process
20420	steam.exe

Executes dropped EXE 29 IoCs

pid	Process
556	SteamSetup.exe
424	steamservice.exe
3216	Steam.exe
480	steam.exe
16472	Steam.exe
16536	steamsysinfo.exe
16604	steamwebhelper.exe
16640	steamwebhelper.exe
16788	steamwebhelper.exe
16924	steamwebhelper.exe
17124	gldriverquery64.exe
17204	steamwebhelper.exe
17324	steamwebhelper.exe
17772	gldriverquery.exe
17792	vulkandriverquery64.exe
18544	vulkandriverquery.exe
20420	steam.exe
20444	steamerrorreporter64.exe
21228	steamsysinfo.exe
21352	steamwebhelper.exe
21384	steamwebhelper.exe
6260	steamwebhelper.exe
6516	gldriverquery64.exe
9928	steamwebhelper.exe
21600	steamwebhelper.exe
21692	steamwebhelper.exe
21840	gldriverquery.exe
21872	vulkandriverquery64.exe
22000	vulkandriverquery.exe

Loads dropped DLL 64 IoCs

pid	Process
5084	steamweb.exe
5084	steamweb.exe
5084	steamweb.exe
5084	steamweb.exe
5084	steamweb.exe
5084	steamweb.exe
5084	steamweb.exe
556	SteamSetup.exe
556	SteamSetup.exe
556	SteamSetup.exe
556	SteamSetup.exe
556	SteamSetup.exe
556	SteamSetup.exe
556	SteamSetup.exe
556	SteamSetup.exe
16472	Steam.exe
16472	Steam.exe
16472	Steam.exe
16472	Steam.exe
16472	Steam.exe
16472	Steam.exe
16472	Steam.exe
16472	Steam.exe
16472	Steam.exe
16472	Steam.exe
16472	Steam.exe
16472	Steam.exe
16472	Steam.exe
16472	Steam.exe
16472	Steam.exe
16472	Steam.exe
16472	Steam.exe
16536	steamsysinfo.exe
16536	steamsysinfo.exe
16536	steamsysinfo.exe
16604	steamwebhelper.exe
16604	steamwebhelper.exe
16604	steamwebhelper.exe
16604	steamwebhelper.exe
16640	steamwebhelper.exe
16640	steamwebhelper.exe
16640	steamwebhelper.exe
16472	Steam.exe
16788	steamwebhelper.exe
16788	steamwebhelper.exe
16788	steamwebhelper.exe
16788	steamwebhelper.exe
16788	steamwebhelper.exe
16788	steamwebhelper.exe
16788	steamwebhelper.exe
16788	steamwebhelper.exe
16788	steamwebhelper.exe
16788	steamwebhelper.exe
16472	Steam.exe
16604	steamwebhelper.exe
16604	steamwebhelper.exe
16604	steamwebhelper.exe
16924	steamwebhelper.exe
16924	steamwebhelper.exe
16924	steamwebhelper.exe
16924	steamwebhelper.exe
16472	Steam.exe
17204	steamwebhelper.exe
17204	steamwebhelper.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"	SteamSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Detected potential entity reuse from brand STEAM. 1 IoCs

phishing steam

flow	pid	Process
30	5444	msedge.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Steam\package\tmp\public\steam_welcome_large.tga_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\icon_cloud_outofsync.tga_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\overlay_koreana.txt_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps5_trackpad_l_up_md.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\xbox_rt_md.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps4_button_logo.svg_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\switchpro_lstick_click_md.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_english.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\voice_busy.wav_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_down_default.tga_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sd_ltrackpad_lg.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_touch_doubletap_lg.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_trackpad_r_touch_sm.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_button_mute_lg.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sd_button_steam_lg.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_035_magic_0364.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sc_touchpad_down_md.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_r3_sm.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\switchpro_lstick_left_sm.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_trackpad_l_left_md.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_outlined_button_x_sm.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_rstick_up_lg.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\xbox_p2.svg_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\chkselstd_sm.tga_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\hp_l4_lg.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\joyconpair_left_sr_sm.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_outlined_button_b_lg.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sc_rt_md.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_lstick_touch.svg_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\movies\bigpicture_startup.webm_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\cef\cef.win7x64\locales\gu.pak_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\localization\xbox_one_danish.txt_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sd_rtrackpad_left_lg.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_trackpad_lg.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_mouse_scroll_up_sm.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\localization\switch_controller_indonesian.txt_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\friends\trackerui_danish.txt_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\friends\trackerui_korean.txt_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps_dpad_up.svg_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_r5_sm.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sc_button_l_arrow_lg.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_010_wpn_0070.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_070_setting_0090.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps5_trackpad_r_touch_md.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_color_outlined_button_square.svg_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sc_touchpad_edge_lg.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\xbox_p2_lg.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\templates\controller_apple_wasd.vdf_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\styles\steam.styles_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\library_capsule.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\stream_disconnect_notification.tga_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps4_l1_lg.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps5_trackpad_l_right_md.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\switchpro_button_home.svg_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\xbox_p2.svg_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sc_lt_soft_md.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_l4_sm.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\localization\friendsui_turkish-json.js_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_reload_over.tga_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\localization\switch_controller_japanese.txt_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\overlay_czech.txt_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps5_trackpad_l_swipe_lg.png_	Steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_outlined_button_a_sm.png_	Steam.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4724_248967646\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4724_248967646\manifest.fingerprint	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File opened for modification	C:\Windows\SystemTemp	steamwebhelper.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4724_248967646\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4724_248967646\sets.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4724_248967646\_metadata\verified_contents.json	msedge.exe
File opened for modification	C:\Windows\SystemTemp	steamwebhelper.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamsysinfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vulkandriverquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SteamSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamsysinfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gldriverquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gldriverquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vulkandriverquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steamwebhelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steamwebhelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steamwebhelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steamwebhelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Steam.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
20296	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133892033686883975"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 42 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\steam\DefaultIcon	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\URL Protocol	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\DefaultIcon	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000_Classes\steam\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000_Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000_Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000_Classes\steamlink\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000_Classes\steam\URL Protocol	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-137520623-1834890667-2396102459-1000\{8DDD4ED8-CE2D-4CEA-AAFD-9DDC9FB2B3E6}	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000_Classes\steam\DefaultIcon	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\ = "URL:steam protocol"	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\URL Protocol	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000_Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000_Classes\steam\Shell	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000_Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-137520623-1834890667-2396102459-1000\{BB21CF50-7F33-4C44-9FED-4410C3ABF1C8}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000_Classes\steam	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000_Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000_Classes\steam\ = "URL:steam protocol"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000_Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000_Classes\steamlink	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000_Classes\steamlink\URL Protocol	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000_Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000_Classes\steamlink\DefaultIcon	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000_Classes\steamlink\Shell	steamservice.exe

Modifies system certificate store 2 TTPs 6 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Steam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Steam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Steam.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
556	SteamSetup.exe
556	SteamSetup.exe
556	SteamSetup.exe
556	SteamSetup.exe
556	SteamSetup.exe
556	SteamSetup.exe
556	SteamSetup.exe
556	SteamSetup.exe
556	SteamSetup.exe
556	SteamSetup.exe
556	SteamSetup.exe
556	SteamSetup.exe
556	SteamSetup.exe
556	SteamSetup.exe
556	SteamSetup.exe
556	SteamSetup.exe
556	SteamSetup.exe
556	SteamSetup.exe
556	SteamSetup.exe
556	SteamSetup.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16472	Steam.exe
16472	Steam.exe
16472	Steam.exe
16472	Steam.exe
16472	Steam.exe
16472	Steam.exe
16472	Steam.exe
16472	Steam.exe
16472	Steam.exe
16472	Steam.exe
20444	steamerrorreporter64.exe
20444	steamerrorreporter64.exe
20444	steamerrorreporter64.exe
20444	steamerrorreporter64.exe
20420	steam.exe
20420	steam.exe
20420	steam.exe
20420	steam.exe
20420	steam.exe
20420	steam.exe
20420	steam.exe
20420	steam.exe
20420	steam.exe
20420	steam.exe
20420	steam.exe
20420	steam.exe
20420	steam.exe
20420	steam.exe
20420	steam.exe
20420	steam.exe
20420	steam.exe
20420	steam.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
16472	Steam.exe
20420	steam.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	424	steamservice.exe
Token: SeSecurityPrivilege	424	steamservice.exe
Token: SeDebugPrivilege	16568	taskmgr.exe
Token: SeSystemProfilePrivilege	16568	taskmgr.exe
Token: SeCreateGlobalPrivilege	16568	taskmgr.exe
Token: 33	16568	taskmgr.exe
Token: SeIncBasePriorityPrivilege	16568	taskmgr.exe
Token: SeShutdownPrivilege	16604	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	16604	steamwebhelper.exe
Token: SeShutdownPrivilege	16604	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	16604	steamwebhelper.exe
Token: SeShutdownPrivilege	16604	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	16604	steamwebhelper.exe
Token: SeShutdownPrivilege	16604	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	16604	steamwebhelper.exe
Token: SeShutdownPrivilege	16604	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	16604	steamwebhelper.exe
Token: SeShutdownPrivilege	16604	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	16604	steamwebhelper.exe
Token: SeShutdownPrivilege	16604	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	16604	steamwebhelper.exe
Token: SeShutdownPrivilege	16604	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	16604	steamwebhelper.exe
Token: SeShutdownPrivilege	16604	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	16604	steamwebhelper.exe
Token: SeShutdownPrivilege	16604	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	16604	steamwebhelper.exe
Token: SeShutdownPrivilege	16604	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	16604	steamwebhelper.exe
Token: SeDebugPrivilege	20296	taskkill.exe
Token: SeShutdownPrivilege	16604	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	16604	steamwebhelper.exe
Token: SeShutdownPrivilege	16604	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	16604	steamwebhelper.exe
Token: SeShutdownPrivilege	21352	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	21352	steamwebhelper.exe
Token: SeShutdownPrivilege	21352	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	21352	steamwebhelper.exe
Token: SeShutdownPrivilege	21352	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	21352	steamwebhelper.exe
Token: SeShutdownPrivilege	21352	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	21352	steamwebhelper.exe
Token: SeShutdownPrivilege	21352	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	21352	steamwebhelper.exe
Token: SeShutdownPrivilege	21352	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	21352	steamwebhelper.exe
Token: SeShutdownPrivilege	21352	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	21352	steamwebhelper.exe
Token: SeShutdownPrivilege	21352	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	21352	steamwebhelper.exe
Token: SeShutdownPrivilege	21352	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	21352	steamwebhelper.exe
Token: SeShutdownPrivilege	21352	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	21352	steamwebhelper.exe
Token: SeShutdownPrivilege	21352	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	21352	steamwebhelper.exe
Token: SeShutdownPrivilege	21352	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	21352	steamwebhelper.exe
Token: SeShutdownPrivilege	21352	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	21352	steamwebhelper.exe
Token: SeShutdownPrivilege	21352	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	21352	steamwebhelper.exe
Token: SeShutdownPrivilege	21352	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	21352	steamwebhelper.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
556	SteamSetup.exe
3216	Steam.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16568	taskmgr.exe
16604	steamwebhelper.exe
16604	steamwebhelper.exe
16604	steamwebhelper.exe
16604	steamwebhelper.exe
16604	steamwebhelper.exe
16604	steamwebhelper.exe
16604	steamwebhelper.exe
16604	steamwebhelper.exe
16604	steamwebhelper.exe
16604	steamwebhelper.exe
16604	steamwebhelper.exe
16604	steamwebhelper.exe
16604	steamwebhelper.exe
16604	steamwebhelper.exe
16604	steamwebhelper.exe
16604	steamwebhelper.exe
16604	steamwebhelper.exe
16604	steamwebhelper.exe
16604	steamwebhelper.exe
16604	steamwebhelper.exe
16604	steamwebhelper.exe
16604	steamwebhelper.exe
16604	steamwebhelper.exe
16604	steamwebhelper.exe
16604	steamwebhelper.exe
16604	steamwebhelper.exe
16604	steamwebhelper.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
16472	Steam.exe
19964	steamweb.exe
20216	steamweb.exe
20420	steam.exe
20420	steam.exe
21228	steamsysinfo.exe
21352	steamwebhelper.exe
21384	steamwebhelper.exe
6260	steamwebhelper.exe
6516	gldriverquery64.exe
9928	steamwebhelper.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 5084	4856	steamweb.exe	81
PID 4856 wrote to memory of 5084	4856	steamweb.exe	81
PID 5084 wrote to memory of 5636	5084	steamweb.exe	82
PID 5084 wrote to memory of 5636	5084	steamweb.exe	82
PID 5636 wrote to memory of 5248	5636	cmd.exe	84
PID 5636 wrote to memory of 5248	5636	cmd.exe	84
PID 5248 wrote to memory of 3808	5248	cmd.exe	85
PID 5248 wrote to memory of 3808	5248	cmd.exe	85
PID 3808 wrote to memory of 4724	3808	msedge.exe	87
PID 3808 wrote to memory of 4724	3808	msedge.exe	87
PID 4724 wrote to memory of 4848	4724	msedge.exe	88
PID 4724 wrote to memory of 4848	4724	msedge.exe	88
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 5444	4724	msedge.exe	89
PID 4724 wrote to memory of 5444	4724	msedge.exe	89
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90
PID 4724 wrote to memory of 3688	4724	msedge.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\steamweb.exe
"C:\Users\Admin\AppData\Local\Temp\steamweb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Users\Admin\AppData\Local\Temp\steamweb.exe
  "C:\Users\Admin\AppData\Local\Temp\steamweb.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd /c start https://store.steampowered.com/about"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5636
  - - C:\Windows\system32\cmd.exe
      "cmd /c start https://store.steampowered.com/about"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5248
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/about
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3808
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument https://store.steampowered.com/about
        6⤵
        Drops file in Windows directory
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Modifies registry class
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x25c,0x260,0x264,0x258,0x26c,0x7ff8c9f4f208,0x7ff8c9f4f214,0x7ff8c9f4f220
        7⤵
        
        PID:4848
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1800,i,11277216376290991203,1836273971797578163,262144 --variations-seed-version --mojo-platform-channel-handle=2268 /prefetch:3
        7⤵
        Downloads MZ/PE file
        Detected potential entity reuse from brand STEAM.
        
        PID:5444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2240,i,11277216376290991203,1836273971797578163,262144 --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:2
        7⤵
        
        PID:3688
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2544,i,11277216376290991203,1836273971797578163,262144 --variations-seed-version --mojo-platform-channel-handle=2964 /prefetch:8
        7⤵
        
        PID:4900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3416,i,11277216376290991203,1836273971797578163,262144 --variations-seed-version --mojo-platform-channel-handle=3476 /prefetch:1
        7⤵
        
        PID:5436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3436,i,11277216376290991203,1836273971797578163,262144 --variations-seed-version --mojo-platform-channel-handle=3484 /prefetch:1
        7⤵
        
        PID:4080
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5220,i,11277216376290991203,1836273971797578163,262144 --variations-seed-version --mojo-platform-channel-handle=5208 /prefetch:8
        7⤵
        
        PID:3416
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5096,i,11277216376290991203,1836273971797578163,262144 --variations-seed-version --mojo-platform-channel-handle=5292 /prefetch:8
        7⤵
        
        PID:5804
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5640,i,11277216376290991203,1836273971797578163,262144 --variations-seed-version --mojo-platform-channel-handle=5748 /prefetch:8
        7⤵
        
        PID:5292
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5740,i,11277216376290991203,1836273971797578163,262144 --variations-seed-version --mojo-platform-channel-handle=5876 /prefetch:8
        7⤵
        
        PID:932
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5740,i,11277216376290991203,1836273971797578163,262144 --variations-seed-version --mojo-platform-channel-handle=5876 /prefetch:8
        7⤵
        
        PID:3704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=5148,i,11277216376290991203,1836273971797578163,262144 --variations-seed-version --mojo-platform-channel-handle=5784 /prefetch:1
        7⤵
        
        PID:5560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6356,i,11277216376290991203,1836273971797578163,262144 --variations-seed-version --mojo-platform-channel-handle=3624 /prefetch:8
        7⤵
        
        PID:2364
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=6288,i,11277216376290991203,1836273971797578163,262144 --variations-seed-version --mojo-platform-channel-handle=3656 /prefetch:1
        7⤵
        
        PID:868
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4812,i,11277216376290991203,1836273971797578163,262144 --variations-seed-version --mojo-platform-channel-handle=6084 /prefetch:8
        7⤵
        
        PID:2432
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6612,i,11277216376290991203,1836273971797578163,262144 --variations-seed-version --mojo-platform-channel-handle=4272 /prefetch:8
        7⤵
        
        PID:700
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5064,i,11277216376290991203,1836273971797578163,262144 --variations-seed-version --mojo-platform-channel-handle=6768 /prefetch:8
        7⤵
        
        PID:4252
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6796,i,11277216376290991203,1836273971797578163,262144 --variations-seed-version --mojo-platform-channel-handle=6920 /prefetch:8
        7⤵
        
        PID:2120
        
        C:\Users\Admin\Downloads\SteamSetup.exe
        
        "C:\Users\Admin\Downloads\SteamSetup.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:556
        
        C:\Program Files (x86)\Steam\bin\steamservice.exe
        
        "C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:424
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6416,i,11277216376290991203,1836273971797578163,262144 --variations-seed-version --mojo-platform-channel-handle=6780 /prefetch:8
        7⤵
        
        PID:5796
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5936,i,11277216376290991203,1836273971797578163,262144 --variations-seed-version --mojo-platform-channel-handle=5556 /prefetch:8
        7⤵
        
        PID:13828
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
        7⤵
        Drops file in Windows directory
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Modifies registry class
        
        PID:18368
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x264,0x268,0x26c,0x260,0x274,0x7ff8c9f4f208,0x7ff8c9f4f214,0x7ff8c9f4f220
        8⤵
        
        PID:18400
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1732,i,13495790870607425793,2216956236950829043,262144 --variations-seed-version --mojo-platform-channel-handle=2220 /prefetch:3
        8⤵
        
        PID:18660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2152,i,13495790870607425793,2216956236950829043,262144 --variations-seed-version --mojo-platform-channel-handle=2148 /prefetch:2
        8⤵
        
        PID:18692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1392,i,13495790870607425793,2216956236950829043,262144 --variations-seed-version --mojo-platform-channel-handle=2728 /prefetch:8
        8⤵
        
        PID:18764
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3960,i,13495790870607425793,2216956236950829043,262144 --variations-seed-version --mojo-platform-channel-handle=4016 /prefetch:8
        8⤵
        
        PID:19344
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4092,i,13495790870607425793,2216956236950829043,262144 --variations-seed-version --mojo-platform-channel-handle=4056 /prefetch:8
        8⤵
        
        PID:19140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4092,i,13495790870607425793,2216956236950829043,262144 --variations-seed-version --mojo-platform-channel-handle=4056 /prefetch:8
        8⤵
        
        PID:19128

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:1628

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Steam\steam.exe" -silent
1⤵
PID:5376
- C:\Program Files (x86)\Steam\Steam.exe
  "C:\Program Files (x86)\Steam\steam.exe" -silent
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious use of FindShellTrayWindow
  PID:3216
- - C:\Program Files (x86)\Steam\Steam.exe
    "C:\Program Files (x86)\Steam\Steam.exe" -silent
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:16472
  - - C:\Program Files (x86)\Steam\steamsysinfo.exe
      "C:\Program Files (x86)\Steam\steamsysinfo.exe" -steamid 0 -buildid 1743554648 -logdir "C:\Program Files (x86)\Steam\logs" -query 1 -out-file C:\Users\Admin\AppData\Local\Temp\300F.tmp
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:16536
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" -nocrashdialog "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=16472" "-buildid=1743554648" "-steamid=0" "-logdir=C:\Program Files (x86)\Steam\logs" "-uimode=7" "-startcount=0" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Program Files (x86)\Steam\clientui" "-steampath=C:\Program Files (x86)\Steam\Steam.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write "--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt" --disable-quick-menu "--enable-features=PlatformHEVCDecoderSupport" "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal,ValveFFmpegAllowLowDelayHEVC"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SendNotifyMessage
      PID:16604
    - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=crashpad-handler /prefetch:4 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files (x86)\Steam\dumps" "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1743554648 --initial-client-data=0x288,0x28c,0x290,0x284,0x298,0x7ff8a72baf00,0x7ff8a72baf0c,0x7ff8a72baf18
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:16640
    - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1743554648 --steamid=0 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1584,i,1414414837589700058,11225426448781016451,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=1588 --mojo-platform-channel-handle=1576 /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:16788
    - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1743554648 --steamid=0 --field-trial-handle=2208,i,1414414837589700058,11225426448781016451,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=2212 --mojo-platform-channel-handle=2204 /prefetch:3
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:16924
    - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1743554648 --steamid=0 --field-trial-handle=3056,i,1414414837589700058,11225426448781016451,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=3060 --mojo-platform-channel-handle=3052 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:17204
    - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1743554648 --steamid=0 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3248,i,1414414837589700058,11225426448781016451,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=3240 --mojo-platform-channel-handle=3244 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:17324
    - - C:\Program Files (x86)\Steam\steamerrorreporter64.exe
        
        C:\Program Files (x86)\Steam\steamerrorreporter64.exe -pid=16604
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:20444
  - - C:\Program Files (x86)\Steam\bin\gldriverquery64.exe
      .\bin\gldriverquery64.exe
      4⤵
      Executes dropped EXE
      PID:17124
  - - C:\Program Files (x86)\Steam\bin\gldriverquery.exe
      .\bin\gldriverquery.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:17772
  - - C:\Program Files (x86)\Steam\bin\vulkandriverquery64.exe
      .\bin\vulkandriverquery64.exe
      4⤵
      Executes dropped EXE
      PID:17792
  - - C:\Program Files (x86)\Steam\bin\vulkandriverquery.exe
      .\bin\vulkandriverquery.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:18544

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:480

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:16568

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x468 0x3fc
1⤵
PID:17252

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:19292

C:\Users\Admin\AppData\Local\Temp\steamweb.exe
"C:\Users\Admin\AppData\Local\Temp\steamweb.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:19964
- C:\Users\Admin\AppData\Local\Temp\steamweb.exe
  "C:\Users\Admin\AppData\Local\Temp\steamweb.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:20216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /f /pid 16472"
    3⤵
    PID:20248
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /pid 16472
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:20296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""c:\program files (x86)\steam\steam.exe""
    3⤵
    PID:20380
  - - \??\c:\program files (x86)\steam\steam.exe
      "c:\program files (x86)\steam\steam.exe"
      4⤵
      Deletes itself
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:20420
    - - \??\c:\program files (x86)\steam\steamsysinfo.exe
        
        "c:\program files (x86)\steam\steamsysinfo.exe" -steamid 0 -buildid 1743554648 -logdir "c:\program files (x86)\steam\logs" -query 1 -out-file C:\Users\Admin\AppData\Local\Temp\696E.tmp
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:21228
    - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" -nocrashdialog "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=20420" "-buildid=1743554648" "-steamid=0" "-logdir=c:\program files (x86)\steam\logs" "-uimode=7" "-startcount=0" "-steamuniverse=Public" "-realm=Global" "-clientui=c:\program files (x86)\steam\clientui" "-steampath=c:\program files (x86)\steam\steam.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write "--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt" --disable-quick-menu "--enable-features=PlatformHEVCDecoderSupport" "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal,ValveFFmpegAllowLowDelayHEVC"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:21352
      - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=crashpad-handler /prefetch:4 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\program files (x86)\steam\dumps" "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1743554648 --initial-client-data=0x2a0,0x2a4,0x2a8,0x29c,0x2b0,0x7ff8a72baf00,0x7ff8a72baf0c,0x7ff8a72baf18
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:21384
      - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1743554648 --steamid=0 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1600,i,744925463557851666,14603175774426063235,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=1604 --mojo-platform-channel-handle=1592 /prefetch:2
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6260
      - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1743554648 --steamid=0 --field-trial-handle=2236,i,744925463557851666,14603175774426063235,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=2240 --mojo-platform-channel-handle=2232 /prefetch:3
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:9928
      - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1743554648 --steamid=0 --field-trial-handle=3108,i,744925463557851666,14603175774426063235,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=3112 --mojo-platform-channel-handle=3104 /prefetch:8
        6⤵
        Executes dropped EXE
        
        PID:21600
      - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1743554648 --steamid=0 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3368,i,744925463557851666,14603175774426063235,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=3372 --mojo-platform-channel-handle=3364 /prefetch:1
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:21692
    - - \??\c:\program files (x86)\steam\bin\gldriverquery64.exe
        
        .\bin\gldriverquery64.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6516
    - - \??\c:\program files (x86)\steam\bin\gldriverquery.exe
        
        .\bin\gldriverquery.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:21840
    - - \??\c:\program files (x86)\steam\bin\vulkandriverquery64.exe
        
        .\bin\vulkandriverquery64.exe
        5⤵
        Executes dropped EXE
        
        PID:21872
    - - \??\c:\program files (x86)\steam\bin\vulkandriverquery.exe
        
        .\bin\vulkandriverquery.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:22000

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Steam\Steam.exe

Filesize
4.2MB

MD5
33bcb1c8975a4063a134a72803e0ca16

SHA1
ed7a4e6e66511bb8b3e32cbfb5557ebcb4082b65

SHA256
12222b0908eb69581985f7e04aa6240e928fb08aa5a3ec36acae3440633c9eb1

SHA512
13f3a7d6215bb4837ea0a1a9c5ba06a985e0c80979c25cfb526a390d71a15d1737c0290a899f4705c2749982c9f6c9007c1751fef1a97b12db529b2f33c97b49

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
1KB

MD5
6e6a2b18264504cc084caa3ad0bfc6ae

SHA1
b177d719bd3c1bc547d5c97937a584b8b7d57196

SHA256
f3847b5e4a40d9cf76df35398bb555117dfe3626c00a91f2babdedb619d6ad53

SHA512
74199ff275400b451642cde0a13b56709735676959d65da11ac76dd645ab11dac5de048ff7ede0cb8adb3a3056b3ecbeb3dc7481bac3768d02051e564c74b679

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
12KB

MD5
f005c7ca8c2479a45c19c22bffa940f4

SHA1
01b4a03035af919f066970b3e3fbb61a2c8cbcc4

SHA256
39b6cb35bc234ff436bb45e39f4bee339459fa8da29384bd531af357f62960c5

SHA512
07e8714909cf607059439688dd25742f1b759183487107750f38a9526ba8682d755cdfc9f846e9ba2119f852f7db1b68f1f37e22ce48c9721b288447e7607a3b

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
19KB

MD5
f1e444cf2d0326e76ae644ec45d7e07c

SHA1
0d65f33bf85095a8bdff756921307fe8b5397c92

SHA256
f36eee0c6d589b62f18282f759d4dbc74298cc337b6f96e91f7894a7cb97b1a5

SHA512
9e589c3c15192bd106b29f11c6ccfd72e472460995ad7e8fa06ba22efc1ab77d32495187be7b1c4598af626db589383896d0a17f38d28f05ea6cbee14d0eb31f

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
1KB

MD5
a2ec2e91c3ef8c42e22c4887d032b333

SHA1
e2c738a2e9400535b74e2263c7e7d1ecefe575f2

SHA256
8f9f970835f133258a7f740126012439385bbaa5a1d6a9d0d967a390977441c3

SHA512
b069d241efb19e09ec8b5e60ef6c43e00d5cc0f774b9340127c2180356dd1964ac625c1afdfaee5f99e72b26f56046fc329aadbbc365b403af765a55e9c9aab3

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf~RFe59387b.TMP

Filesize
965B

MD5
2c0545b265309c79b2110cb6ba1c5564

SHA1
12b7e653f8a32c540f920405a134c50c7d09b1da

SHA256
66f3f49300a602ec120df558f6166fb2f52b72eae13e06e6b471315b35716745

SHA512
bbb305cc7dbf379aac5d24c7ff1a15629f9dd3b4784adffacf41709c19f0c65c37a505802556bc188a8bcc15c8a99dba83dc3a992409eb46674c5a50fbe83822

Download Submit
C:\Program Files (x86)\Steam\logs\cef_log.previous.txt

Filesize
635B

MD5
2bc1254adcb1ce262bbe1c43583daae4

SHA1
964fccd417f8ba8244de7a6d92d4062c19bcb4c4

SHA256
f232bf048d0f4fda648d85f66563bb04b35ff8ecd31c71d1977ed797d1f421e2

SHA512
a254a6e9a71366379c1e497fa55bca52646e0051229efc13d477d26510d36ba965e394194bc348e62b7bb9910d47a5ac6a5db08a3e1da50f0c8dd236212fbd21

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_

Filesize
15KB

MD5
577b7286c7b05cecde9bea0a0d39740e

SHA1
144d97afe83738177a2dbe43994f14ec11e44b53

SHA256
983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824

SHA512
8cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_news_mousedown.tga_

Filesize
20KB

MD5
00bf35778a90f9dfa68ce0d1a032d9b5

SHA1
de6a3d102de9a186e1585be14b49390dcb9605d6

SHA256
cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2

SHA512
342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041

Download Submit
C:\Program Files (x86)\Steam\package\tmp\resource\filter_clean_bulgarian.txt.gz_

Filesize
23B

MD5
836dd6b25a8902af48cd52738b675e4b

SHA1
449347c06a872bedf311046bca8d316bfba3830b

SHA256
6feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64

SHA512
6ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
6704d1c4d61573d7952ba248238b1150

SHA1
26768c5cfb682afb97953836de24c2da338481f4

SHA256
aaa3a751de7affb56db7258faa4a79ba8bfc2594bfb22b031fad1144cd193b1e

SHA512
116ff51ee1396f163188010c0e0301959ff4431b24e2d16de5f53d3d32bc424b49bdc55dad0e4aa60c78ea665cd54a5dfb5ace67008adc4fe3374f409b9a68b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
50682d36ea29dc25028cb8219fc8a699

SHA1
f986acb0971c6b7337f450510cab2cb6f74164e8

SHA256
da7fcfc287a041747fbcd486e0e8791a5fb30c64e345e73918d41cee1f655484

SHA512
5e582708ff6a5e6fd56da0a1d5448fbde1588f704178a8347880357c8b29a113cb0660dc22ed2702ba34a7be7d7d7ac37451c16f473d03ce8273025e35d9bcc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00009c

Filesize
2.3MB

MD5
1b54b70beef8eb240db31718e8f7eb5d

SHA1
da5995070737ec655824c92622333c489eb6bce4

SHA256
7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb

SHA512
fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
cbb2d3f5c329ef060d6769422fa4619b

SHA1
776908f6acabf4814a85c265523be5ae7bcf61bd

SHA256
3dc0e2ae277e9c2c42e378ac5bb2bc17767ad7509802b2386e1cbc141e4be2b9

SHA512
1f0440f89276c3c7b624875db399827aa84034f88bfec8a58117f38e3edfdc25930139ac3821d98ec475b10993642fa327e9e45e3f23723d3703dd3c7f5c0dae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe582ad4.TMP

Filesize
4KB

MD5
1aa15734dff1b3d6f3ad78fb9311d690

SHA1
bb096f1700185a700a1eaf40145d2e78c673a2de

SHA256
22299aa9be529f3ce70c57c1fe4b704ab6c094ddbedb9dc5222517342e60567d

SHA512
f2e175dbf76868ff910d95e3db1c59761357844d4210f7e6d7fd8e98644adc398cd55a263f68014fc094100701fef4a3d6d7a87be47fd39e2bfa175886a3d534

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
2b66d93c82a06797cdfd9df96a09e74a

SHA1
5f7eb526ee8a0c519b5d86c845fea8afd15b0c28

SHA256
d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954

SHA512
95e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
50f57564faba245a4c990357bc9879fb

SHA1
ca252aa5a4e7f245166244950d0bdb978a187c6e

SHA256
c95abbfa836b3c069f42a9bd2f1b0c0519096ff55d08371d12d44044da566eb3

SHA512
37081d0940f3d87e7397f53467fc62bb556f02fb29b4af853a5616b823dad5b7e2e5065d3c04b124b539bbadf7a6d34a8f7082f58b6d678fc650c6559e6ea6bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
aa60e9f6c716487d916f710e8107579e

SHA1
bc62d2e7d135335bd5de8c366b07e536a3cdc562

SHA256
dd5ece361f934a15a2f768d8604472c9d6a3076730c7c7df53fdadaaf059ac0a

SHA512
d40cd80b67830a3e3edcf122798e4daa57605d4910377c7bed3489a6a40d085db3c12eb2d5fbef5b6ea09b509419858ab510f41992654da95cdf6dda557f2b18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
fbb7f134df666d15457a22103249d2ea

SHA1
26569b34b919d84beba6509e7ab47dfd31f81d97

SHA256
d207871d02bed86bd3c302c776cc4cc87c0282156c243f1c100ba7fa4ce4b1b6

SHA512
ff1497d8719a103cc5b2ba24760be31d5afae4631c01ba64faa00daaee164dfc62097fbfd491ce41b3b3c1ca7bf7f491c0b0d9accddb0d5d38eba42836d8268e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
557e3d509310d997c11f2f11bfdc339c

SHA1
4ec7a67df44c9827f060007910bb3dc48025d1e4

SHA256
e37c11f29ad0e8f76f5df2d45db0b60bf8a82e35afb78629503d2d140b6003f4

SHA512
36cd60df4f7476abec80e35dc283bda3b4b8c407efc5b0eb574e40739c4fa3d9c3faeeb077e3c8a92a2a6bc54107798b944df20f2df52fbab7c57ca60cba327f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
685a86f243073a2046eaee861319491b

SHA1
edfbef5df77416f6943740ac4f817ea7378c7ace

SHA256
3fbd642765b7c2e7552fdb0795bd7650c4d725ddb1775debd7f5a7a997d7ab0c

SHA512
de581b52f3e81b4fec2e23d11b429a1414f2d9affb07aebec6215f74d7cbc805cd5087f282e41c9a6cc0eea0d8aac7a008daa85c9b9a5d58f350edaadb38d6ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
512833573c5d357477b1f0836d9186d1

SHA1
a2c676f0750cf59e513223db9e661020d0140d17

SHA256
b027f97ad449f859f6ea13220c3672144dec4fed78bb61f88c127ba98b43ff03

SHA512
22c1c7779c1d5f9ddd97fb24f8dcc34e53ac2ad219ba5cea96975d8d1e780367e56a044d5408c42af36160d2415d222b05ba60113c8586f89d461c774f80f3f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\64d9314b-6785-45d6-bc3e-fdac5ba90cd5.tmp

Filesize
469B

MD5
56139afe009643874a705b7a2987c4ab

SHA1
25a01016dee92fda35bb964111a73a1d5cea23c3

SHA256
3c4a5c3b45ad5cb6d8bd729fd74d9e0a6d18f020cbdc6fec54cb56b42f7c091d

SHA512
71278c6e9d209c64f3d509937aedb5457dea130234ca25c5ccf3ecba09db47695a3d3759361d9e6f80ac7be23da51d43f8063d384f4298f02cf3cf1ce753f85e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
20KB

MD5
d48514779c0c3584dbc98f2fbb625a2e

SHA1
84f6c6b1441bb59dc7d4dcae27bb4dcc247920ad

SHA256
74cb5f49286067c31b7dca2f35c7bc7c2d9649c03568dc475c99877c2fdf0d5f

SHA512
0934190f6e0024b3cb7c5e95598b8f53de4e9229c31be3c6bcb8638f66634618055ca2e22b7c621d6f0fea260128818d04fe7a33d91cea9d2a3c8553bf74a029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
904B

MD5
aa2f0c91eb7c4b71741852739a3a485c

SHA1
52c61f71025b8e0389027d5697cbfdb9875767a6

SHA256
9a2aa327035fa96e4ea73688d73a9e4ea84143051fd86c7bf8e56277801876e0

SHA512
3924817ae6afec99d87acaf4b23300826f4b00c9ac4fd706f9084f6d9c51f71990f63529bf93d528c30351b8156105e81421e8a7fa5c8c70457d8abe89011a6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
22KB

MD5
3f8927c365639daa9b2c270898e3cf9d

SHA1
c8da31c97c56671c910d28010f754319f1d90fa6

SHA256
fc80d48a732def35ab6168d8fd957a6f13f3c912d7f9baf960c17249e4a9a1f2

SHA512
d75b93f30989428883cb5e76f6125b09f565414cf45d59053527db48c6cf2ac7f54ed9e8f6a713c855cd5d89531145592ef27048cf1c0f63d7434cfb669dbd72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
3633574b8a6cd91d98fda4b86a9a1839

SHA1
1a19286c3ac17b5ae382b4f1ed84da72fee8df0b

SHA256
3b85264aa7511ee4fed133914952cdd1a4378d85c860b1800fd8984c03b39a3d

SHA512
fd45b4de80d133445720aebd1601b8d7973143f65815d83d06d216d081c91fb26adcfbf9894f30b63619db90797e019dd3a7e21c3d89e9ed7f20f687cdb03acd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
60KB

MD5
b7431962e0df402cea5ca2dd2a31ce5f

SHA1
7818438dc88885de4f79404bb4b0f53ba97982ec

SHA256
0d6ccc61ca1b20ced9e6676389644ea589d306607d18355790e46a76f905dd46

SHA512
78065a5486456a2b3a7633de16bb596b19f19e73148f333c44f4fab055a8d2d8688318791d025d70ed4e718e238ad718fd3c43f49c1d6fbe2b5e452ab5216f4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
ddcbd6516dd380c39c1bb585903ec13d

SHA1
08a7dabbe3f9c4c4e7c85719edfd2bef7ace2d46

SHA256
595439f3e247c92b0212bc5fae70d9414939cd0afc39ea77e4b3e79f4621dc89

SHA512
c6412c7704eb99d7acfe30f445fd12d160ea5df192678cb4611e409d99503161285bbbf73396cba0391147cf80e66cd9692eca6f87e79b7598fa0282119c84b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
b6c7895c5e364c9c2c0c05a5f4ad3f22

SHA1
83c544a9c75b2e2fe3354b4bd5e160c14a7d6876

SHA256
8bef097d53c6c6b2df3f08bc1cc35aaa7edda23f340c4a56795c3e8325badf76

SHA512
1fc90e9f27c1bca58ee4fd6b52a548a94e25614146b6204baca70a540aa91456c7f39e48f378b53a7090a9ca33b87bfdb597bddc0f0408615f7c16d8d0b5caae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
20c259234294ebef10dae0744fe22437

SHA1
a2130f5b1f66ec52c8defd4be824e4f5229bd177

SHA256
4d4518304ab18aadbdfe0055d65f0206ab6931205ecc9dcaa72eb10869606809

SHA512
d195a70d4b10d2316560ef2407dd606f77e814bc32c794c7cccdb9793895df5bcabdf09a4bc632c253de5692f888f8f4abf3633b060b1ab74eaa8fcb7c245005

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
5af74e66b9442e19720b66bdb3e72390

SHA1
a7f2c3aa4dc31af73a140a9f33e647de3c5b6f7b

SHA256
7d5c8b0ebd163dc287aa5084dcfc18ee144bba32156a9e8449042842a77865fb

SHA512
481d2c22be16e771289652e3b5b57f5a19ae5d3066ae36c4a6f1c5b7c3c37540b97efbe3a576de0fc950c8e77a0b0e808d4b087b9aec72b79ea0f6f887300a65

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
bebfa887791fddf5fbf343a03985d66f

SHA1
6ccb66d7825f0f3d140967987a05257ff1dd4afb

SHA256
28ffa259832b98a5a42b0f8bfc55c8d3c8e72359350e7dbe80d1f5fbc50d99f1

SHA512
0070b56a1483cf56cd08cbfe3fa6cae2545f51e5c04ba72c1fcd7a0505dc39a4ec8c67ee428d745525960d5fb0eed557d377742ad8609651e37884537cea490f

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index~RFe59671d.TMP

Filesize
48B

MD5
cccc31310e648ed9e701451098df1fa6

SHA1
1b22234191f1993bf4a413931e434eac79c1de3e

SHA256
75ed79a91c680bb93f368c7c49b290c6729200bcd1d91c2bdbe9c4d276dbf897

SHA512
fbad02564258effe3dbbde8ab08fcfe52d7b8a14ee55c79a291559e94904f227f8b713801105bc7418a72d70107500dc3e8112c00b21430aa22866c4d6e79758

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\DawnWebGPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\DawnWebGPUCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\DawnWebGPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\DawnWebGPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\Network Persistent State

Filesize
300B

MD5
705d2170cad135164d0f8f50b48bed5b

SHA1
69a8dd3011df950e3882913ab65093a0f8e9cdee

SHA256
6ba3ffc7b59dd04c5e4bdfb3a6ab31f515f49d1fe888f85277f8376e35c759ca

SHA512
f83f309b4252ab619a932dc2f361db11523c1e6edd4d40d64d82c45375408cf419626afb3efa6635e4d0f1aa0566764bdb65cab4fd4138a520fa282c607767b9

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\Network Persistent State~RFe59672c.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\_bz2.pyd

Filesize
83KB

MD5
5bebc32957922fe20e927d5c4637f100

SHA1
a94ea93ee3c3d154f4f90b5c2fe072cc273376b3

SHA256
3ed0e5058d370fb14aa5469d81f96c5685559c054917c7280dd4125f21d25f62

SHA512
afbe80a73ee9bd63d9ffa4628273019400a75f75454667440f43beb253091584bf9128cbb78ae7b659ce67a5faefdba726edb37987a4fe92f082d009d523d5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\_ctypes.pyd

Filesize
122KB

MD5
fb454c5e74582a805bc5e9f3da8edc7b

SHA1
782c3fa39393112275120eaf62fc6579c36b5cf8

SHA256
74e0e8384f6c2503215f4cf64c92efe7257f1aec44f72d67ad37dc8ba2530bc1

SHA512
727ada80098f07849102c76b484e9a61fb0f7da328c0276d82c6ee08213682c89deeb8459139a3fbd7f561bffaca91650a429e1b3a1ff8f341cebdf0bfa9b65d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\_decimal.pyd

Filesize
251KB

MD5
492c0c36d8ed1b6ca2117869a09214da

SHA1
b741cae3e2c9954e726890292fa35034509ef0f6

SHA256
b8221d1c9e2c892dd6227a6042d1e49200cd5cb82adbd998e4a77f4ee0e9abf1

SHA512
b8f1c64ad94db0252d96082e73a8632412d1d73fb8095541ee423df6f00bc417a2b42c76f15d7e014e27baae0ef50311c3f768b1560db005a522373f442e4be0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\_hashlib.pyd

Filesize
64KB

MD5
da02cefd8151ecb83f697e3bd5280775

SHA1
1c5d0437eb7e87842fde55241a5f0ca7f0fc25e7

SHA256
fd77a5756a17ec0788989f73222b0e7334dd4494b8c8647b43fe554cf3cfb354

SHA512
a13bc5c481730f48808905f872d92cb8729cc52cfb4d5345153ce361e7d6586603a58b964a1ebfd77dd6222b074e5dcca176eaaefecc39f75496b1f8387a2283

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\_lzma.pyd

Filesize
156KB

MD5
195defe58a7549117e06a57029079702

SHA1
3795b02803ca37f399d8883d30c0aa38ad77b5f2

SHA256
7bf9ff61babebd90c499a8ed9b62141f947f90d87e0bbd41a12e99d20e06954a

SHA512
c47a9b1066dd9744c51ed80215bd9645aab6cc9d6a3f9df99f618e3dd784f6c7ce6f53eabe222cf134ee649250834193d5973e6e88f8a93151886537c62e2e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\_socket.pyd

Filesize
81KB

MD5
dd8ff2a3946b8e77264e3f0011d27704

SHA1
a2d84cfc4d6410b80eea4b25e8efc08498f78990

SHA256
b102522c23dac2332511eb3502466caf842d6bcd092fbc276b7b55e9cc01b085

SHA512
958224a974a3449bcfb97faab70c0a5b594fa130adc0c83b4e15bdd7aab366b58d94a4a9016cb662329ea47558645acd0e0cc6df54f12a81ac13a6ec0c895cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-core-console-l1-1-0.dll

Filesize
11KB

MD5
07ebe4d5cef3301ccf07430f4c3e32d8

SHA1
3b878b2b2720915773f16dba6d493dab0680ac5f

SHA256
8f8b79150e850acc92fd6aab614f6e3759bea875134a62087d5dd65581e3001f

SHA512
6c7e4df62ebae9934b698f231cf51f54743cf3303cd758573d00f872b8ecc2af1f556b094503aae91100189c0d0a93eaf1b7cafec677f384a1d7b4fda2eee598

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-core-datetime-l1-1-0.dll

Filesize
11KB

MD5
557405c47613de66b111d0e2b01f2fdb

SHA1
de116ed5de1ffaa900732709e5e4eef921ead63c

SHA256
913eaaa7997a6aee53574cffb83f9c9c1700b1d8b46744a5e12d76a1e53376fd

SHA512
c2b326f555b2b7acb7849402ac85922880105857c616ef98f7fb4bbbdc2cd7f2af010f4a747875646fcc272ab8aa4ce290b6e09a9896ce1587e638502bd4befb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-core-debug-l1-1-0.dll

Filesize
11KB

MD5
624401f31a706b1ae2245eb19264dc7f

SHA1
8d9def3750c18ddfc044d5568e3406d5d0fb9285

SHA256
58a8d69df60ecbee776cd9a74b2a32b14bf2b0bd92d527ec5f19502a0d3eb8e9

SHA512
3353734b556d6eebc57734827450ce3b34d010e0c033e95a6e60800c0fda79a1958ebf9053f12054026525d95d24eec541633186f00f162475cec19f07a0d817

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
11KB

MD5
2db5666d3600a4abce86be0099c6b881

SHA1
63d5dda4cec0076884bc678c691bdd2a4fa1d906

SHA256
46079c0a1b660fc187aafd760707f369d0b60d424d878c57685545a3fce95819

SHA512
7c6e1e022db4217a85a4012c8e4daee0a0f987e4fba8a4c952424ef28e250bac38b088c242d72b4641157b7cc882161aefa177765a2e23afcdc627188a084345

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-core-file-l1-1-0.dll

Filesize
14KB

MD5
0f7d418c05128246afa335a1fb400cb9

SHA1
f6313e371ed5a1dffe35815cc5d25981184d0368

SHA256
5c9bc70586ad538b0df1fcf5d6f1f3527450ae16935aa34bd7eb494b4f1b2db9

SHA512
7555d9d3311c8622df6782748c2186a3738c4807fc58df2f75e539729fc4069db23739f391950303f12e0d25df9f065b4c52e13b2ebb6d417ca4c12cfdeca631

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
5a72a803df2b425d5aaff21f0f064011

SHA1
4b31963d981c07a7ab2a0d1a706067c539c55ec5

SHA256
629e52ba4e2dca91b10ef7729a1722888e01284eed7dda6030d0a1ec46c94086

SHA512
bf44997c405c2ba80100eb0f2ff7304938fc69e4d7ae3eac52b3c236c3188e80c9f18bda226b5f4fde0112320e74c198ad985f9ffd7cea99aca22980c39c7f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
721b60b85094851c06d572f0bd5d88cd

SHA1
4d0ee4d717aeb9c35da8621a545d3e2b9f19b4e7

SHA256
dac867476caa42ff8df8f5dfe869ffd56a18dadee17d47889afb69ed6519afbf

SHA512
430a91fcecde4c8cc4ac7eb9b4c6619243ab244ee88c34c9e93ca918e54bd42b08aca8ea4475d4c0f5fa95241e4aacb3206cbae863e92d15528c8e7c9f45601b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-core-handle-l1-1-0.dll

Filesize
11KB

MD5
d1df480505f2d23c0b5c53df2e0e2a1a

SHA1
207db9568afd273e864b05c87282987e7e81d0ba

SHA256
0b3dfb8554ead94d5da7859a12db353942406f9d1dfe3fac3d48663c233ea99d

SHA512
f14239420f5dd84a15ff5fca2fad81d0aa9280c566fa581122a018e10ebdf308ac0bf1d3fcfc08634c1058c395c767130c5abca55540295c68df24ffd931ca0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-core-heap-l1-1-0.dll

Filesize
11KB

MD5
73433ebfc9a47ed16ea544ddd308eaf8

SHA1
ac1da1378dd79762c6619c9a63fd1ebe4d360c6f

SHA256
c43075b1d2386a8a262de628c93a65350e52eae82582b27f879708364b978e29

SHA512
1c28cc0d3d02d4c308a86e9d0bc2da88333dfa8c92305ec706f3e389f7bb6d15053040afd1c4f0aa3383f3549495343a537d09fe882db6ed12b7507115e5a263

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
11KB

MD5
7c7b61ffa29209b13d2506418746780b

SHA1
08f3a819b5229734d98d58291be4bfa0bec8f761

SHA256
c23fe8d5c3ca89189d11ec8df983cc144d168cb54d9eab5d9532767bcb2f1fa3

SHA512
6e5e3485d980e7e2824665cbfe4f1619b3e61ce3bcbf103979532e2b1c3d22c89f65bcfbddbb5fe88cddd096f8fd72d498e8ee35c3c2307bacecc6debbc1c97f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
12KB

MD5
6d0550d3a64bd3fd1d1b739133efb133

SHA1
c7596fde7ea1c676f0cc679ced8ba810d15a4afe

SHA256
f320f9c0463de641b396ce7561af995de32211e144407828b117088cf289df91

SHA512
5da9d490ef54a1129c94ce51349399b9012fc0d4b575ae6c9f1bafcfcf7f65266f797c539489f882d4ad924c94428b72f5137009a851ecb541fe7fb9de12feb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-core-localization-l1-2-0.dll

Filesize
14KB

MD5
1ed0b196ab58edb58fcf84e1739c63ce

SHA1
ac7d6c77629bdee1df7e380cc9559e09d51d75b7

SHA256
8664222823e122fca724620fd8b72187fc5336c737d891d3cef85f4f533b8de2

SHA512
e1fa7f14f39c97aaa3104f3e13098626b5f7cfd665ba52dcb2312a329639aaf5083a9177e4686d11c4213e28acc40e2c027988074b6cc13c5016d5c5e9ef897b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-core-memory-l1-1-0.dll

Filesize
11KB

MD5
721baea26a27134792c5ccc613f212b2

SHA1
2a27dcd2436df656a8264a949d9ce00eab4e35e8

SHA256
5d9767d8cca0fbfd5801bff2e0c2adddd1baaaa8175543625609abce1a9257bd

SHA512
9fd6058407aa95058ed2fda9d391b7a35fa99395ec719b83c5116e91c9b448a6d853ecc731d0bdf448d1436382eecc1fa9101f73fa242d826cc13c4fd881d9bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
11KB

MD5
b3f887142f40cb176b59e58458f8c46d

SHA1
a05948aba6f58eb99bbac54fa3ed0338d40cbfad

SHA256
8e015cdf2561450ed9a0773be1159463163c19eab2b6976155117d16c36519da

SHA512
7b762319ec58e3fcb84b215ae142699b766fa9d5a26e1a727572ee6ed4f5d19c859efb568c0268846b4aa5506422d6dd9b4854da2c9b419bfec754f547203f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
12KB

MD5
89f35cb1212a1fd8fbe960795c92d6e8

SHA1
061ae273a75324885dd098ee1ff4246a97e1e60c

SHA256
058eb7ce88c22d2ff7d3e61e6593ca4e3d6df449f984bf251d9432665e1517d1

SHA512
f9e81f1feab1535128b16e9ff389bd3daaab8d1dabf64270f9e563be9d370c023de5d5306dd0de6d27a5a099e7c073d17499442f058ec1d20b9d37f56bcfe6d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
13KB

MD5
0c933a4b3c2fcf1f805edd849428c732

SHA1
b8b19318dbb1d2b7d262527abd1468d099de3fb6

SHA256
a5b733e3dce21ab62bd4010f151b3578c6f1246da4a96d51ac60817865648dd3

SHA512
b25ed54345a5b14e06aa9dadd07b465c14c23225023d7225e04fbd8a439e184a7d43ab40df80e3f8a3c0f2d5c7a79b402ddc6b9093d0d798e612f4406284e39d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
7e8b61d27a9d04e28d4dae0bfa0902ed

SHA1
861a7b31022915f26fb49c79ac357c65782c9f4b

SHA256
1ef06c600c451e66e744b2ca356b7f4b7b88ba2f52ec7795858d21525848ac8c

SHA512
1c5b35026937b45beb76cb8d79334a306342c57a8e36cc15d633458582fc8f7d9ab70ace7a92144288c6c017f33ecfc20477a04432619b40a21c9cda8d249f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-core-profile-l1-1-0.dll

Filesize
11KB

MD5
8d12ffd920314b71f2c32614cc124fec

SHA1
251a98f2c75c2e25ffd0580f90657a3ea7895f30

SHA256
e63550608dd58040304ea85367e9e0722038ba8e7dc7bf9d91c4d84f0ec65887

SHA512
5084c739d7de465a9a78bcdbb8a3bd063b84a68dcfd3c9ef1bfa224c1cc06580e2a2523fd4696cfc48e9fd068a2c44dbc794dd9bdb43dc74b4e854c82ecd3ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
11KB

MD5
9fa3fc24186d912b0694a572847d6d74

SHA1
93184e00cbddacab7f2ad78447d0eac1b764114d

SHA256
91508ab353b90b30ff2551020e9755d7ab0e860308f16c2f6417dfb2e9a75014

SHA512
95ad31c9082f57ea57f5b4c605331fcad62735a1862afb01ef8a67fea4e450154c1ae0c411cf3ac5b9cd35741f8100409cc1910f69c1b2d807d252389812f594

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-core-string-l1-1-0.dll

Filesize
11KB

MD5
c9cbad5632d4d42a1bc25ccfa8833601

SHA1
09f37353a89f1bfe49f7508559da2922b8efeb05

SHA256
f3a7a9c98ebe915b1b57c16e27fffd4ddf31a82f0f21c06fe292878e48f5883e

SHA512
2412e0affdc6db069de7bd9666b7baa1cd76aa8d976c9649a4c2f1ffce27f8269c9b02da5fd486ec86b54231b1a5ebf6a1c72790815b7c253fee1f211086892f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-core-synch-l1-1-0.dll

Filesize
13KB

MD5
4ccde2d1681217e282996e27f3d9ed2e

SHA1
8eda134b0294ed35e4bbac4911da620301a3f34d

SHA256
d6708d1254ed88a948871771d6d1296945e1aa3aeb7e33e16cc378f396c61045

SHA512
93fe6ae9a947ac88cc5ed78996e555700340e110d12b2651f11956db7cee66322c269717d31fccb31744f4c572a455b156b368f08b70eda9effec6de01dbab23

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-core-synch-l1-2-0.dll

Filesize
11KB

MD5
e86cfc5e1147c25972a5eefed7be989f

SHA1
0075091c0b1f2809393c5b8b5921586bdd389b29

SHA256
72c639d1afda32a65143bcbe016fe5d8b46d17924f5f5190eb04efe954c1199a

SHA512
ea58a8d5aa587b7f5bde74b4d394921902412617100ed161a7e0bef6b3c91c5dae657065ea7805a152dd76992997017e070f5415ef120812b0d61a401aa8c110

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
12KB

MD5
206adcb409a1c9a026f7afdfc2933202

SHA1
bb67e1232a536a4d1ae63370bd1a9b5431335e77

SHA256
76d8e4ed946deefeefa0d0012c276f0b61f3d1c84af00533f4931546cbb2f99e

SHA512
727aa0c4cd1a0b7e2affdced5da3a0e898e9bae3c731ff804406ad13864cee2b27e5baac653bab9a0d2d961489915d4fcad18557d4383ecb0a066902276955a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
91a2ae3c4eb79cf748e15a58108409ad

SHA1
d402b9df99723ea26a141bfc640d78eaf0b0111b

SHA256
b0eda99eabd32fefecc478fd9fe7439a3f646a864fdab4ec3c1f18574b5f8b34

SHA512
8527af610c1e2101b6f336a142b1a85ac9c19bb3af4ad4a245cfb6fd602dc185da0f7803358067099475102f3a8f10a834dc75b56d3e6ded2ed833c00ad217ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-core-util-l1-1-0.dll

Filesize
11KB

MD5
1e4c4c8e643de249401e954488744997

SHA1
db1c4c0fc907100f204b21474e8cd2db0135bc61

SHA256
f28a8fe2cd7e8e00b6d2ec273c16db6e6eea9b6b16f7f69887154b6228af981e

SHA512
ef8411fd321c0e363c2e5742312cc566e616d4b0a65eff4fb6f1b22fdbea3410e1d75b99e889939ff70ad4629c84cedc88f6794896428c5f0355143443fdc3a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-crt-conio-l1-1-0.dll

Filesize
12KB

MD5
fa770bcd70208a479bde8086d02c22da

SHA1
28ee5f3ce3732a55ca60aee781212f117c6f3b26

SHA256
e677497c1baefffb33a17d22a99b76b7fa7ae7a0c84e12fda27d9be5c3d104cf

SHA512
f8d81e350cebdba5afb579a072bad7986691e9f3d4c9febca8756b807301782ee6eb5ba16b045cfa29b6e4f4696e0554c718d36d4e64431f46d1e4b1f42dc2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-crt-convert-l1-1-0.dll

Filesize
15KB

MD5
4ec4790281017e616af632da1dc624e1

SHA1
342b15c5d3e34ab4ac0b9904b95d0d5b074447b7

SHA256
5cf5bbb861608131b5f560cbf34a3292c80886b7c75357acc779e0bf98e16639

SHA512
80c4e20d37eff29c7577b2d0ed67539a9c2c228edb48ab05d72648a6ed38f5ff537715c130342beb0e3ef16eb11179b9b484303354a026bda3a86d5414d24e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
7a859e91fdcf78a584ac93aa85371bc9

SHA1
1fa9d9cad7cc26808e697373c1f5f32aaf59d6b7

SHA256
b7ee468f5b6c650dada7db3ad9e115a0e97135b3df095c3220dfd22ba277b607

SHA512
a368f21eca765afca86e03d59cf953500770f4a5bff8b86b2ac53f1b5174c627e061ce9a1f781dc56506774e0d0b09725e9698d4dc2d3a59e93da7ef3d900887

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
13KB

MD5
972544ade7e32bfdeb28b39bc734cdee

SHA1
87816f4afabbdec0ec2cfeb417748398505c5aa9

SHA256
7102f8d9d0f3f689129d7fe071b234077fba4dd3687071d1e2aeaa137b123f86

SHA512
5e1131b405e0c7a255b1c51073aff99e2d5c0d28fd3e55cabc04d463758a575a954008ea1ba5b4e2b345b49af448b93ad21dfc4a01573b3cb6e7256d9ecceef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-crt-heap-l1-1-0.dll

Filesize
12KB

MD5
8906279245f7385b189a6b0b67df2d7c

SHA1
fcf03d9043a2daafe8e28dee0b130513677227e4

SHA256
f5183b8d7462c01031992267fe85680ab9c5b279bedc0b25ab219f7c2184766f

SHA512
67cac89ae58cc715976107f3bdf279b1e78945afd07e6f657e076d78e92ee1a98e3e7b8feae295af5ce35e00c804f3f53a890895badb1eed32377d85c21672b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
dd8176e132eedea3322443046ac35ca2

SHA1
d13587c7cc52b2c6fbcaa548c8ed2c771a260769

SHA256
2eb96422375f1a7b687115b132a4005d2e7d3d5dc091fb0eb22a6471e712848e

SHA512
77cb8c44c8cc8dd29997fba4424407579ac91176482db3cf7bc37e1f9f6aa4c4f5ba14862d2f3a9c05d1fdd7ca5a043b5f566bd0e9a9e1ed837da9c11803b253

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-crt-math-l1-1-0.dll

Filesize
20KB

MD5
a6a3d6d11d623e16866f38185853facd

SHA1
fbeadd1e9016908ecce5753de1d435d6fcf3d0b5

SHA256
a768339f0b03674735404248a039ec8591fcba6ff61a3c6812414537badd23b0

SHA512
abbf32ceb35e5ec6c1562f9f3b2652b96b7dbd97bfc08d918f987c0ec0503e8390dd697476b2a2389f0172cd8cf16029fd2ec5f32a9ba3688bf2ebeefb081b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-crt-process-l1-1-0.dll

Filesize
12KB

MD5
074b81a625fb68159431bb556d28fab5

SHA1
20f8ead66d548cfa861bc366bb1250ced165be24

SHA256
3af38920e767bd9ebc08f88eaf2d08c748a267c7ec60eab41c49b3f282a4cf65

SHA512
36388c3effa0d94cf626decaa1da427801cc5607a2106abdadf92252c6f6fd2ce5bf0802f5d0a4245a1ffdb4481464c99d60510cf95e83ebaf17bd3d6acbc3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
f1a23c251fcbb7041496352ec9bcffbe

SHA1
be4a00642ec82465bc7b3d0cc07d4e8df72094e8

SHA256
d899c2f061952b3b97ab9cdbca2450290b0f005909ddd243ed0f4c511d32c198

SHA512
31f8c5cd3b6e153073e2e2edf0ca8072d0f787784f1611a57219349c1d57d6798a3adbd6942b0f16cef781634dd8691a5ec0b506df21b24cb70aee5523a03fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
17KB

MD5
55b2eb7f17f82b2096e94bca9d2db901

SHA1
44d85f1b1134ee7a609165e9c142188c0f0b17e0

SHA256
f9d3f380023a4c45e74170fe69b32bca506ee1e1fbe670d965d5b50c616da0cb

SHA512
0cf0770f5965a83f546253decfa967d8f85c340b5f6ea220d3caa14245f3cdb37c53bf8d3da6c35297b22a3fa88e7621202634f6b3649d7d9c166a221d3456a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
9b79965f06fd756a5efde11e8d373108

SHA1
3b9de8bf6b912f19f7742ad34a875cbe2b5ffa50

SHA256
1a916c0db285deb02c0b9df4d08dad5ea95700a6a812ea067bd637a91101a9f6

SHA512
7d4155c00d65c3554e90575178a80d20dc7c80d543c4b5c4c3f508f0811482515638fe513e291b82f958b4d7a63c9876be4e368557b07ff062961197ed4286fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
1d48a3189a55b632798f0e859628b0fb

SHA1
61569a8e4f37adc353986d83efc90dc043cdc673

SHA256
b56bc94e8539603dd2f0fea2f25efd17966315067442507db4bffafcbc2955b0

SHA512
47f329102b703bfbb1ebaeb5203d1c8404a0c912019193c93d150a95bb0c5ba8dc101ac56d3283285f9f91239fc64a66a5357afe428a919b0be7194bada1f64f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\api-ms-win-crt-utility-l1-1-0.dll

Filesize
11KB

MD5
dbc27d384679916ba76316fb5e972ea6

SHA1
fb9f021f2220c852f6ff4ea94e8577368f0616a4

SHA256
dd14133adf5c534539298422f6c4b52739f80aca8c5a85ca8c966dea9964ceb1

SHA512
cc0d8c56749ccb9d007b6d3f5c4a8f1d4e368bb81446ebcd7cc7b40399bbd56d0acaba588ca172ecb7472a8cbddbd4c366ffa38094a832f6d7e343b813ba565e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\base_library.zip

Filesize
1.1MB

MD5
b8b34eeccdebb3b5991e98610a1c793b

SHA1
0d615e4bb29c1b23bb2b586c203cf57b23851d09

SHA256
6679d2be39037097498c7214309940485d6ea8d97cb1544d2c1d1095af37f107

SHA512
fc36ec7e0d9434520973137c146114c1b1f91dcc5b24bbaa13dc8296eff411f5a524637dc26123c85650d5fcfae870da32eff46f8a7751e4cf2f8b522fa77ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\python312.dll

Filesize
6.6MB

MD5
d521654d889666a0bc753320f071ef60

SHA1
5fd9b90c5d0527e53c199f94bad540c1e0985db6

SHA256
21700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2

SHA512
7a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\select.pyd

Filesize
30KB

MD5
d0cc9fc9a0650ba00bd206720223493b

SHA1
295bc204e489572b74cc11801ed8590f808e1618

SHA256
411d6f538bdbaf60f1a1798fa8aa7ed3a4e8fcc99c9f9f10d21270d2f3742019

SHA512
d3ebcb91d1b8aa247d50c2c4b2ba1bf3102317c593cbf6c63883e8bf9d6e50c0a40f149654797abc5b4f17aee282ddd972a8cd9189bfcd5b9cec5ab9c341e20b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\ucrtbase.dll

Filesize
1011KB

MD5
849959a003fa63c5a42ae87929fcd18b

SHA1
d1b80b3265e31a2b5d8d7da6183146bbd5fb791b

SHA256
6238cbfe9f57c142b75e153c399c478d492252fda8cb40ee539c2dcb0f2eb232

SHA512
64958dabdb94d21b59254c2f074db5d51e914ddbc8437452115dff369b0c134e50462c3fdbbc14b6fa809a6ee19ab2fb83d654061601cc175cddcb7d74778e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48562\unicodedata.pyd

Filesize
1.1MB

MD5
cc8142bedafdfaa50b26c6d07755c7a6

SHA1
0fcab5816eaf7b138f22c29c6d5b5f59551b39fe

SHA256
bc2cf23b7b7491edcf03103b78dbaf42afd84a60ea71e764af9a1ddd0fe84268

SHA512
c3b0c1dbe5bf159ab7706f314a75a856a08ebb889f53fe22ab3ec92b35b5e211edab3934df3da64ebea76f38eb9bfc9504db8d7546a36bc3cabe40c5599a9cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk2C5C.tmp\modern-wizard.bmp

Filesize
150KB

MD5
3614a4be6b610f1daf6c801574f161fe

SHA1
6edee98c0084a94caa1fe0124b4c19f42b4e7de6

SHA256
16e0edc9f47e6e95a9bcad15adbdc46be774fbcd045dd526fc16fc38fdc8d49b

SHA512
06e0eff28dfd9a428b31147b242f989ce3e92474a3f391ba62ac8d0d05f1a48f4cf82fd27171658acbd667eaffb94cb4e1baf17040dc3b6e8b27f39b843ca281

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk2C5C.tmp\nsDialogs.dll

Filesize
20KB

MD5
4e5bc4458afa770636f2806ee0a1e999

SHA1
76dcc64af867526f776ab9225e7f4fe076487765

SHA256
91a484dc79be64dd11bf5acb62c893e57505fcd8809483aa92b04f10d81f9de0

SHA512
b6f529073a943bddbcb30a57d62216c78fcc9a09424b51ac0824ebfb9cac6cae4211bda26522d6923bd228f244ed8c41656c38284c71867f65d425727dd70162

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk2C5C.tmp\nsExec.dll

Filesize
17KB

MD5
2095af18c696968208315d4328a2b7fe

SHA1
b1b0e70c03724b2941e92c5098cc1fc0f2b51568

SHA256
3e2399ae5ce16dd69f7e2c71d928cf54a1024afced8155f1fd663a3e123d9226

SHA512
60105dfb1cd60b4048bd7b367969f36ed6bd29f92488ba8cfa862e31942fd529cbc58e8b0c738d91d8bef07c5902ce334e36c66eae1bfe104b44a159b5615ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk2C5C.tmp\nsProcess.dll

Filesize
15KB

MD5
08072dc900ca0626e8c079b2c5bcfcf3

SHA1
35f2bfa0b1b2a65b9475fb91af31f7b02aee4e37

SHA256
bb6ce83ddaad4f530a66a1048fac868dfc3b86f5e7b8e240d84d1633e385aee8

SHA512
8981da7f225eb78c414e9fb3c63af0c4daae4a78b4f3033df11cce43c3a22fdbf3853425fe3024f68c73d57ffb128cba4d0db63eda1402212d1c7e0ac022353c

Download Submit
C:\Users\Admin\AppData\Roaming\Stool\legit

Filesize
7.8MB

MD5
5c089f62808b417270afee507a1c4ef7

SHA1
fb41d9f36717df98ea3993188736d6e9e7db033b

SHA256
91ff7965a9691a6d779ac42cdfb51eb35cd02865fef06a590dd93fd0de279270

SHA512
df301dfb31a4836266fe2f668207384310aa304046d9e718db7b43eb145ee91b0e9fee553ae315f70218fdec37f386d451591ba2fe952dfc63f8563951fe094f

Download Submit
memory/3216-12736-0x0000000000E20000-0x00000000012D2000-memory.dmp

Filesize
4.7MB

Download
memory/3216-12730-0x0000000000E20000-0x00000000012D2000-memory.dmp

Filesize
4.7MB

Download
memory/16472-13198-0x000000006EC40000-0x0000000070002000-memory.dmp

Filesize
19.8MB

Download
memory/16472-13129-0x000000006EC40000-0x0000000070002000-memory.dmp

Filesize
19.8MB

Download
memory/16568-8907-0x0000020A10C10000-0x0000020A10C11000-memory.dmp

Filesize
4KB

Download
memory/16568-8908-0x0000020A10C10000-0x0000020A10C11000-memory.dmp

Filesize
4KB

Download
memory/16568-8904-0x0000020A10C10000-0x0000020A10C11000-memory.dmp

Filesize
4KB

Download
memory/16568-8889-0x0000020A10C10000-0x0000020A10C11000-memory.dmp

Filesize
4KB

Download
memory/16568-8906-0x0000020A10C10000-0x0000020A10C11000-memory.dmp

Filesize
4KB

Download
memory/16568-8890-0x0000020A10C10000-0x0000020A10C11000-memory.dmp

Filesize
4KB

Download
memory/16568-8905-0x0000020A10C10000-0x0000020A10C11000-memory.dmp

Filesize
4KB

Download
memory/16568-8903-0x0000020A10C10000-0x0000020A10C11000-memory.dmp

Filesize
4KB

Download
memory/16568-8888-0x0000020A10C10000-0x0000020A10C11000-memory.dmp

Filesize
4KB

Download
memory/16568-8909-0x0000020A10C10000-0x0000020A10C11000-memory.dmp

Filesize
4KB

Download
memory/16604-13130-0x000001F73AC10000-0x000001F73AC65000-memory.dmp

Filesize
340KB

Download
memory/16604-13361-0x000001F73AC10000-0x000001F73AC65000-memory.dmp

Filesize
340KB

Download
memory/17204-13135-0x000001FE23E30000-0x000001FE23EE0000-memory.dmp

Filesize
704KB

Download
memory/17204-12779-0x00007FF8D8B40000-0x00007FF8D8B41000-memory.dmp

Filesize
4KB

Download
memory/17204-13136-0x000001FE24030000-0x000001FE240D0000-memory.dmp

Filesize
640KB

Download
memory/17204-12778-0x00007FF8D93E0000-0x00007FF8D93E1000-memory.dmp

Filesize
4KB

Download
memory/17324-13203-0x000002D47D900000-0x000002D47D9A0000-memory.dmp

Filesize
640KB

Download
memory/17324-13202-0x000002D47D850000-0x000002D47D900000-memory.dmp

Filesize
704KB

Download
memory/20420-13369-0x000000000CA90000-0x000000000D5A2000-memory.dmp

Filesize
11.1MB

Download
memory/20420-13479-0x000000000CA90000-0x000000000D5A2000-memory.dmp

Filesize
11.1MB

Download
memory/20420-13371-0x000000000CA90000-0x000000000D5A2000-memory.dmp

Filesize
11.1MB

Download
memory/20420-13375-0x0000000007C50000-0x0000000007C76000-memory.dmp

Filesize
152KB

Download
memory/20420-13376-0x000000000CA90000-0x000000000D5A2000-memory.dmp

Filesize
11.1MB

Download
memory/20420-13378-0x000000000CA90000-0x000000000D5A2000-memory.dmp

Filesize
11.1MB

Download
memory/20420-13374-0x000000000CA90000-0x000000000D5A2000-memory.dmp

Filesize
11.1MB

Download
memory/20420-13367-0x0000000007C50000-0x0000000007C76000-memory.dmp

Filesize
152KB

Download
memory/20420-13382-0x000000000CA90000-0x000000000D5A2000-memory.dmp

Filesize
11.1MB

Download
memory/20420-13462-0x000000000CA90000-0x000000000D5A2000-memory.dmp

Filesize
11.1MB

Download
memory/20420-13477-0x000000000CA90000-0x000000000D5A2000-memory.dmp

Filesize
11.1MB

Download
memory/20420-13368-0x0000000007C50000-0x0000000007C76000-memory.dmp

Filesize
152KB

Download
memory/20420-13480-0x000000000CA90000-0x000000000D5A2000-memory.dmp

Filesize
11.1MB

Download
memory/20420-13481-0x000000000CA90000-0x000000000D5A2000-memory.dmp

Filesize
11.1MB

Download
memory/20420-13500-0x000000006E5C0000-0x000000006F982000-memory.dmp

Filesize
19.8MB

Download
memory/20420-13364-0x0000000010000000-0x000000001009D000-memory.dmp

Filesize
628KB

Download
memory/21352-13528-0x0000029CE6840000-0x0000029CE6895000-memory.dmp

Filesize
340KB

Download
memory/21600-13530-0x000001BD45410000-0x000001BD454B0000-memory.dmp

Filesize
640KB

Download
memory/21600-13529-0x000001BD45360000-0x000001BD45410000-memory.dmp

Filesize
704KB

Download
memory/21692-13531-0x000001E215EC0000-0x000001E215F70000-memory.dmp

Filesize
704KB

Download
memory/21692-13532-0x000001E2160D0000-0x000001E216170000-memory.dmp

Filesize
640KB

Download