d8978d708c48eaf3f601f2f3be4dee6acd8dc785ad38bc9f90f8405a49f889a4

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
17/04/2025, 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fancyflopball/_TexturesPackage.json
Size

115B
MD5

8fa54a63933d04868500b1106319032d
SHA1

970410608f00f34ca9e2b8aa2e8c6de41a5866a7
SHA256

e426f6653ec3c4cd1f765eca1d39584a2c88278073492aa06693f682e124a575
SHA512

d787cd92599d8d5380470211e9b743478f96ef7b4a0dffecc3a68a74785dd8eeb2201981e6a20a832b0a93211f3d263cc7fc03738696313404067077ecb170d8

Score

8^/10

steam defense_evasion discovery phishing

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
65	2196	chrome.exe

Executes dropped EXE 1 IoCs

pid	Process
4532	SteamSetup.exe

Loads dropped DLL 3 IoCs

pid	Process
4532	SteamSetup.exe
4532	SteamSetup.exe
4532	SteamSetup.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Documents\desktop.ini	firefox.exe
File opened for modification	C:\Users\Public\desktop.ini	firefox.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	firefox.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe

Detected potential entity reuse from brand STEAM. 1 IoCs

phishing steam

flow	pid	Process
49	2196	chrome.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5596	4152	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SteamSetup.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	msinfo32.exe

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease	msinfo32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133893683252801035"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\json_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\json_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\json_auto_file\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\.json\ = "json_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\\ = "json_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\json_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\json_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\.json	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\捩鼭缀耀	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\捩鼭缀耀\ = "json_auto_file"	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5084	vlc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2004	OpenWith.exe
4648	msinfo32.exe
5084	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5376	firefox.exe
Token: SeDebugPrivilege	5376	firefox.exe
Token: SeShutdownPrivilege	4152	wmplayer.exe
Token: SeCreatePagefilePrivilege	4152	wmplayer.exe
Token: SeShutdownPrivilege	1444	unregmp2.exe
Token: SeCreatePagefilePrivilege	1444	unregmp2.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeCreatePagefilePrivilege	2828	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
4152	wmplayer.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe

Suspicious use of SendNotifyMessage 41 IoCs

pid	Process
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
5084	vlc.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe

Suspicious use of SetWindowsHookEx 45 IoCs

pid	Process
2004	OpenWith.exe
2004	OpenWith.exe
2004	OpenWith.exe
2004	OpenWith.exe
2004	OpenWith.exe
2004	OpenWith.exe
2004	OpenWith.exe
2004	OpenWith.exe
2004	OpenWith.exe
2004	OpenWith.exe
2004	OpenWith.exe
2004	OpenWith.exe
2004	OpenWith.exe
2004	OpenWith.exe
2004	OpenWith.exe
2004	OpenWith.exe
2004	OpenWith.exe
2004	OpenWith.exe
2004	OpenWith.exe
2004	OpenWith.exe
2004	OpenWith.exe
2004	OpenWith.exe
2004	OpenWith.exe
2004	OpenWith.exe
2004	OpenWith.exe
2004	OpenWith.exe
2004	OpenWith.exe
2004	OpenWith.exe
2004	OpenWith.exe
2004	OpenWith.exe
2004	OpenWith.exe
2004	OpenWith.exe
2004	OpenWith.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5084	vlc.exe
4532	SteamSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 3136	2004	OpenWith.exe	80
PID 2004 wrote to memory of 3136	2004	OpenWith.exe	80
PID 3136 wrote to memory of 5376	3136	firefox.exe	83
PID 3136 wrote to memory of 5376	3136	firefox.exe	83
PID 3136 wrote to memory of 5376	3136	firefox.exe	83
PID 3136 wrote to memory of 5376	3136	firefox.exe	83
PID 3136 wrote to memory of 5376	3136	firefox.exe	83
PID 3136 wrote to memory of 5376	3136	firefox.exe	83
PID 3136 wrote to memory of 5376	3136	firefox.exe	83
PID 3136 wrote to memory of 5376	3136	firefox.exe	83
PID 3136 wrote to memory of 5376	3136	firefox.exe	83
PID 3136 wrote to memory of 5376	3136	firefox.exe	83
PID 3136 wrote to memory of 5376	3136	firefox.exe	83
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 3292	5376	firefox.exe	84
PID 5376 wrote to memory of 8	5376	firefox.exe	86
PID 5376 wrote to memory of 8	5376	firefox.exe	86
PID 5376 wrote to memory of 8	5376	firefox.exe	86
PID 5376 wrote to memory of 8	5376	firefox.exe	86
PID 5376 wrote to memory of 8	5376	firefox.exe	86
PID 5376 wrote to memory of 8	5376	firefox.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\fancyflopball\_TexturesPackage.json
1⤵
- Modifies registry class
PID:2496

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\fancyflopball\_TexturesPackage.json"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\fancyflopball\_TexturesPackage.json
    3⤵
    - Drops desktop.ini file(s)
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5376
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1988 -prefsLen 27097 -prefMapHandle 1992 -prefMapSize 270279 -ipcHandle 2064 -initialChannelId {1e66689e-7696-479f-97ab-81ba05269a81} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
      4⤵
      PID:3292
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2428 -prefsLen 27133 -prefMapHandle 2432 -prefMapSize 270279 -ipcHandle 2440 -initialChannelId {e5077dd0-6590-44fa-aa0d-539c9c6f8337} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
      4⤵
      Checks processor information in registry
      PID:8
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3840 -prefsLen 27323 -prefMapHandle 3844 -prefMapSize 270279 -jsInitHandle 3848 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3856 -initialChannelId {4cea218f-7f5b-42b2-b4c9-e3af63c25519} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
      4⤵
      Checks processor information in registry
      PID:3520
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4004 -prefsLen 27323 -prefMapHandle 4008 -prefMapSize 270279 -ipcHandle 4076 -initialChannelId {85f7da29-483a-45ba-aa48-c9358fd4bf71} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
      4⤵
      PID:3412
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4668 -prefsLen 34876 -prefMapHandle 4676 -prefMapSize 270279 -jsInitHandle 4664 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4680 -initialChannelId {5f58d28b-2c7c-4aa6-b16d-41087452ebdf} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
      4⤵
      Checks processor information in registry
      PID:1436
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5172 -prefsLen 35010 -prefMapHandle 5176 -prefMapSize 270279 -ipcHandle 5184 -initialChannelId {ec073955-a85c-4758-9bfa-ae456f84df4c} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
      4⤵
      Checks processor information in registry
      PID:5564
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2852 -prefsLen 32952 -prefMapHandle 3336 -prefMapSize 270279 -jsInitHandle 2884 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3188 -initialChannelId {93bd4666-c2e3-42e4-b48a-a7f5f3498182} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
      4⤵
      Checks processor information in registry
      PID:1900
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2628 -prefsLen 32952 -prefMapHandle 3344 -prefMapSize 270279 -jsInitHandle 2632 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5664 -initialChannelId {ac194688-4640-4111-832f-1de4fd1a1cc9} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
      4⤵
      Checks processor information in registry
      PID:2496
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5724 -prefsLen 32952 -prefMapHandle 5728 -prefMapSize 270279 -jsInitHandle 5732 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5740 -initialChannelId {7cff6b1e-32e6-4925-9128-68eff202c54c} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
      4⤵
      Checks processor information in registry
      PID:5952

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4152
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2168
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:1444
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 1152
  2⤵
  - Program crash
  PID:5596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4152 -ip 4152
1⤵
PID:4196

C:\Windows\system32\msinfo32.exe
"C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Desktop\CompleteOut.nfo"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
PID:4648

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\StopOut.mpa"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd79f6dcf8,0x7ffd79f6dd04,0x7ffd79f6dd10
  2⤵
  PID:5720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1840,i,10931375903688629861,5132584024895457265,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=1836 /prefetch:2
  2⤵
  PID:3580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1440,i,10931375903688629861,5132584024895457265,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2244 /prefetch:11
  2⤵
  - Downloads MZ/PE file
  - Detected potential entity reuse from brand STEAM.
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2360,i,10931375903688629861,5132584024895457265,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2376 /prefetch:13
  2⤵
  PID:5316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3336,i,10931375903688629861,5132584024895457265,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3428,i,10931375903688629861,5132584024895457265,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:5952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4188,i,10931375903688629861,5132584024895457265,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4200 /prefetch:9
  2⤵
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4696,i,10931375903688629861,5132584024895457265,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5288,i,10931375903688629861,5132584024895457265,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5300 /prefetch:14
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5528,i,10931375903688629861,5132584024895457265,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5536 /prefetch:14
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5592,i,10931375903688629861,5132584024895457265,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=212,i,10931375903688629861,5132584024895457265,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3512 /prefetch:14
  2⤵
  PID:848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3480,i,10931375903688629861,5132584024895457265,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3604 /prefetch:14
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3452,i,10931375903688629861,5132584024895457265,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3640 /prefetch:14
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3676,i,10931375903688629861,5132584024895457265,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4668,i,10931375903688629861,5132584024895457265,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3624,i,10931375903688629861,5132584024895457265,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4676 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:5116

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2424

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4816

C:\Users\Admin\Downloads\SteamSetup.exe
"C:\Users\Admin\Downloads\SteamSetup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4532

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\1346a19c-9042-4ac3-a771-8fa49f98b379.tmp

Filesize
152KB

MD5
5eebc9f27fe1c34535de9d9dab4fc370

SHA1
505556436be610c49186370405ee857ba17a9095

SHA256
10efbbc57b2e81dec961736d085356c163a7cdae4a370053243ae533b5dc215c

SHA512
fc8382bd099e0889d74582a90f2820776a818ce17a9c602cc270f560c424576ad52aa738fa94a8a46095d77e3303515efbc7a9ee4ba26f511f440f01fc94a8aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
414B

MD5
bc39ef2353690e4a80886866ceffa38d

SHA1
74da1f0f1bb3718eafed552aa8e47c20f571ad6d

SHA256
ee625e8a2080ad7985e3f6a2a961f131140f39adb8183a3e04aa674e3170ee24

SHA512
97aa9355a09f511a7133d2988c376cbe1b05826b92cca4eee551bf29303a31405c359c3c27b1810c4c2dd0ed967189a2e3793e61e6b1edc2747ed471d9b64e4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
216KB

MD5
50a7159ff34dea151d624f07e6cb1664

SHA1
e13fe30db96dcee328efda5cc78757b6e5b9339c

SHA256
e990d9d31c4c7d57dd4795e43baea05501fb6ea8b7760f89001be660425dd01b

SHA512
a7768dd7e315b07754a305080e0fc023765e5a224b2c3824e8e10f29286df63bbdefef379e069941fd8cd9c7c3befce976779ae2efdfb6e7da697b09d7f07250

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
509e00ef90f30d826f7606e38acef7b7

SHA1
c6fc84a39f9aa62a20791eecfef699e7e6c4f361

SHA256
f96b1712ed2517e150e875d4831f81fbb0378ddac35a5f9644c85ce3aa4e6f7d

SHA512
5ea6a7c21d4b32b36504d38b35fc4cae568c78c336e58234277681a49b97afa91c5e48491035dace9841d7529e387472852709e3bf9cd0cc3ccf4760d2f82485

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6cf1eb9f5d104c07804a23cc88a843a7

SHA1
489a8e830a454a3d256b93bcb7b1dd292212622f

SHA256
43e5e0aa0bad8dc254e0d1235eac284fe56270e1a88f69cd1aa671eec324f958

SHA512
5806004c3f29e4da1b11e5e860a22c5ba5dda8f6a12b8813671f585b0961f08c82d55facc7f9a01aa57e7394d0b74742b679953fe6aebb864df98c789d75fee7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
cb74ef56bee61e219e57c0a6358b80e0

SHA1
26fe3509f3fa0e6d24b4942e830f8f7048b3261a

SHA256
526c0a5aa5c59a36f59a94e791e725313be48201f123abc638ac03c36bad3041

SHA512
9e09cf619d8743202e7e16ff3be284ea35cce7c0123a6b9affc9a623ffcedb7d8d360a2435bfb4159130b45b489909dada1be5922da4c3bace2130b98517f50f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
56f42dbea3bde26337ba8960ab6888be

SHA1
812101b248c16ab2fb7fc87eba5b81f5d3482412

SHA256
98cd7612684ff078be65fac60a21a20c21810817e219b76a5f2c26f03f86f1e2

SHA512
444b528fb955fe350e428c3ccd686c5f451e351d28d346621f8ce1ab26ee72dcb98398c3347e5b650791710967cb07551c07fcbd81ba2b0405bf90066b17414e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
fe64f9fdaee2fd8c8db4334cfab78815

SHA1
ed21d5ea5bad7cabf0ff805191eee6dc5921a303

SHA256
86ed4121b107544c1aac6e2a0dd6addcb9251a26b10ab729af24c387ecbc1785

SHA512
8eef1c49bd684f1e5b9fec223013d72797e4f992ae48472214351c31e0ff6b525d844fa129979f9592c21f5ef1e1234cfd61e4140fdd56824fb3fdb6d8938b13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
c5785c6521ebdae5dbd53c0f68ed3655

SHA1
a352e198f2e6b4cb9e23518192dfad74eff1f39d

SHA256
8ec6287c99c44f0072a4378ec2cd618eb60d11b259417b40997878c7ea54ce7a

SHA512
d89dbf2a276e932c6ba5567aa3426992073d7f0dafc90fdb01e7044cc10612e5f1df645cd0dad844b1dbb574e093fe257af6661e01a9df64550d55d0bb539b99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5915c0.TMP

Filesize
48B

MD5
2a5de1849e334046dd239ea4e71ebd00

SHA1
168bc17152c8e83479e680297eb28dcefac3c41e

SHA256
0bc3167ca7b5e7cb539dc7478b990313e5f09733853bb82e4f7f4880300e3326

SHA512
1465e36b8076af591743decd0d366a15813cbdb626928bac83ac21927108acd8a66ca7d92a28bb1a3b82b737a7c24b77f696d992a5d7a03354dff3477166954d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
78KB

MD5
5c138a4196620114765c028839e3c541

SHA1
a068d033a298e6f6c17180ade50ac09b3743a68c

SHA256
c9a932a6cabd599eec1a750e648ecba79eea4f263073f1ebe4857e888868cbf4

SHA512
e6f21a4ad92404ab14b482e9e62ac573475bf8751feaee30b2fc81803a24fb59d43b3b8e9072e97150af17e68c6bf5b21397a01daa8fb311febae225246919b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
16354030834c3208643d1d1a7ecd7205

SHA1
56ab7167b5735b2c13460041c6ac95aaca65d12e

SHA256
a4fb02335a789ee5e851864ca3b334fa68d9125dd0eded80bc6f6050a257c16b

SHA512
fe5534c873a7d1ba395dc723e91268e785d4bf980cea0d56bb484e5afe6c24ebbbf02c9efae88752a2bfade60f56b5f1e2f8bf4f7262fad8f5f7325ae9c1dd7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
1553f4412f0373d5333a9f12e49e863c

SHA1
c117ef6e8cd55a9bdf974a228bde97aadb440cad

SHA256
ffdb9c3d8773e354d5a048e7b48ab4bf684deef7d72482a1762c437ed23d0c8a

SHA512
ca76ad53c021753f43c166d147f03b873166c63e494f55e20da0077e96fc8dcb48a4012e94b14ae12cce86dfde5901e53ee233ff72b4d68ae7005d0744103ebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
4b075a94f6f85fb279d49ee4e29ddc56

SHA1
2313d68e72268ea7d0e3858a87f3c72c239506e5

SHA256
351ca5d78c4491aa5105d2e95605e705bd187bbe1f1487569d7b9657f60b79e3

SHA512
4a2fc5c35b57a34f6c639efd1521c77e6dbad5aad54f7dcc7bf3380fb879e0e06a8df5786e46d2547c0e40701979f59963e44cebb21306963e80b0f7881b13df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\21fnvccy.default-release\activity-stream.discovery_stream.json

Filesize
26KB

MD5
fd4aa5a9e50ef9dadb371dbbdd2d032f

SHA1
c877243e515bf8ec7099ab32db37541406e13d5a

SHA256
f7f314f14dea06e54beec9f8c12f5ad42b4b098cacc0e776b2c9a045eaf2421b

SHA512
cacd212dc61623f7a5c46bc531ed71678c8017fe894bdd7045123f5fd299a83a783a7207ea27fdcb20b068289fdcfd1380bdf126ad3217ea1e738e7b39fc5858

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssAE88.tmp\System.dll

Filesize
22KB

MD5
a36fbe922ffac9cd85a845d7a813f391

SHA1
f656a613a723cc1b449034d73551b4fcdf0dcf1a

SHA256
fa367ae36bfbe7c989c24c7abbb13482fc20bc35e7812dc377aa1c281ee14cc0

SHA512
1d1b95a285536ddc2a89a9b3be4bb5151b1d4c018ea8e521de838498f62e8f29bb7b3b0250df73e327e8e65e2c80b4a2d9a781276bf2a51d10e7099bacb2e50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssAE88.tmp\nsDialogs.dll

Filesize
20KB

MD5
4e5bc4458afa770636f2806ee0a1e999

SHA1
76dcc64af867526f776ab9225e7f4fe076487765

SHA256
91a484dc79be64dd11bf5acb62c893e57505fcd8809483aa92b04f10d81f9de0

SHA512
b6f529073a943bddbcb30a57d62216c78fcc9a09424b51ac0824ebfb9cac6cae4211bda26522d6923bd228f244ed8c41656c38284c71867f65d425727dd70162

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
6fc16d77ab7ef9805ffdf33c08c58cb1

SHA1
e69762d238e9203bf4f9432d5c0a1e2c041e38bf

SHA256
dbd818735c751895671e551470d6a27d4a189041ac22ea29b0452a1012609935

SHA512
22c5268ce70a849b623d67a2ba2178878bd8667f5f3d722c57685a9689baba11abd8008a8bab703a6aba7a9cc4ed87a66827bca43e9cc4619ad22d574673fd0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
1KB

MD5
36205cfbff020299d23afd9384bee066

SHA1
bfaacf51fe24ee68801a6e92dc1c2000076802a5

SHA256
be091baa03063f89172babc2886c7d011547c6d5aa85e067212edbdc48314e3f

SHA512
0d0fa07fece0f385aeb6afc4cbfca2b3b672b4dab0ccbde78e742b450bc3c428966d35f0eb03ac51728b719131a7c67acb3a20e6cfb6ba0f92898d8d7d41e120

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
3KB

MD5
9d64bab1c3fc5433be0bcec16304ae43

SHA1
de63a10c973b0aaae529ec29352c7053ac9039d8

SHA256
4240fc2d9872012db23a1d738ac94a37f7c23b7fb1fa8f55da14bc532ae56a7c

SHA512
30820cb8ef3adfc35d82387c4819135f549891387316115fd0079ea84491b9a3bb20783fae1f602bd2dbbfbc8820a4785ad376b2b691ecb16bb6ab945742a4a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
e49142e9bb478343b5a48459c1430370

SHA1
d80e2c1fd8942d23a35ef376faea81dc5cbc4e11

SHA256
763c34d9ff89171b631bccf531848d3de528800b821e65392724a48860690311

SHA512
c6c7207b3e740d33fabc59e1e220593142d9f742e3555cbe7f7d4ce30d68ad40583665cac2dfb1265a0681fd720833930a5e2064587d42fcba152fa81cb3e9d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\datareporting\glean\db\data.safe.tmp

Filesize
28KB

MD5
ebfd3deac5087c8d7c2c240ac901d491

SHA1
40e740b57852035a1a23e65f439bf438daa4fe33

SHA256
7733f1fba517b5173e07d657d29705933d0f0e3fe4fb3be8a4d03ea939c02805

SHA512
8b3e7f0f4719cb026a1b597439bb6867222fd54eba12e1e03f2ed4c5be573267da894833c780c0279ffa805cada48ce5405be29b87204a5c5164af276f312ba1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
3d50d7bd598d737a4d9ed64aa0e96143

SHA1
62491e10aa1e1859b555637f4af28b535e0044a8

SHA256
74ed171d4ad7af0e88c010356623eb3ea5f7c6b322c66e32aaace9c5ac10ee1b

SHA512
d810e3c104daee67350c87eeaf31f8b3d1f0f9544e065e956d7ba3a2f537ee4f8340466b31d1625949341f1d8b002b6d8603a46814ed44db05de7c4d1090eccc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\datareporting\glean\pending_pings\8c419783-91da-419f-a65c-a500a13a5bcf

Filesize
883B

MD5
1368f3183fb850bee280b73561eeffb0

SHA1
bdff530a29635f7db0691329b5a3b2e8efea1ac5

SHA256
241e74bc1cb9760d2f64ed388fde778cc1c1ee762c926e93986474662cb2e330

SHA512
682458adf974be00d0c9d350a44a7dafe9b90b3c24590cc7d22ebc39b7e46386f6ed630902d33c2387706d93095ee22fcaf25de4c225bc2fdd76e271d1093214

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\datareporting\glean\pending_pings\a7f45607-947d-443a-aaaa-6922dda69b22

Filesize
16KB

MD5
4173babe17830992be48de38e9903c07

SHA1
8dfff7e06437afa4fb9741382fd92c9037d4221c

SHA256
138b1e50c9e0b046afe0084ced6b0d57e1492e7c066c71228f9e6cdf205c6e8d

SHA512
e103237e837ada0380d22d939999bae334d5e115e3ce0f04666388b51a3e49d36e1b98f723492785a76ae7860bf1d48d3e22c77637d2f1675402576d417bb0fb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\datareporting\glean\pending_pings\b3368666-f8e8-45b1-9b7c-4a91143ff331

Filesize
2KB

MD5
d17c02fd5d1e363975d5467150fdd290

SHA1
06e6ccf3ea9139b8a823fe246575bef44be9f73d

SHA256
b549da092562d88eb73c2fccbd4333f7e7339f4b8b315fee4ba478a287189f39

SHA512
08c52eb77825a25dfe0fcb68004e62e81e2f19bde6011b8eb99f625ad557c2ca5db39fc6984c3492f40999f981b3116bb42e9d90fc41e0dced244f8a1118b376

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\datareporting\glean\pending_pings\b4e4ac4b-19b0-4661-a924-833eae226c63

Filesize
235B

MD5
54bd09215a56ed02f8ec96ce480d02c7

SHA1
bb0a0b90062c5748f7f684539d4fab8e75728f40

SHA256
0359aecb561dfbaca407249389ec21ad044be0a4cfef8260dacf8f0020169421

SHA512
2a90844a9491a7051620e2392ff1c087db5918f005047109e0064bb1e082b21f832161adeecfd13142fea79873143582ab5ce485d8493fa8afe7a38011491423

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\datareporting\glean\pending_pings\c408244f-cfc7-464d-ad42-37e546903a96

Filesize
886B

MD5
154bc9fec604f43f66a3c2394f9527f2

SHA1
f45a3deaed49c531aee96c2b785d1358c31d05ae

SHA256
4f6259139fd1d2e47f657528995a0c287d336f06c19937a1419b915888f7f1ac

SHA512
22d86edc55748d6ebb6a320a42fb79da597c1685520d82f2150b424fa332e6f4401a9f7e3ed611cbf7a307944351415e4b408a5b5bebe28fcf407053228d2d98

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\datareporting\glean\pending_pings\e929f004-5fac-4eea-a8d1-3d23fbbc4ee7

Filesize
235B

MD5
bb31574a93d122f99afdac2a34dabb24

SHA1
28e43ad270014617d2ce245b7fd49fdfa3db72e3

SHA256
bb360b9c23b3317d9148fde0b858bc9192d415afe539bf4c05a0fb7d44c764e2

SHA512
1fe54350a07aaf99c386e9149588591699a69a59468203fdc79dbdcef6608f4d959e0a86fa4595f80b36b17b4a72c0d7b9e8f335600b02c1ad5628eb45b5fd5a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\prefs.js

Filesize
6KB

MD5
00e44e10c6cd12235641428b450da9ff

SHA1
4b38e6d9542b6e507115b46484266423e256eff0

SHA256
47da4cbeb21c2c471a96f0572c2adae5ab40f1e54b081847b1c7fe62e107bde1

SHA512
2906b36839e24464136256add26bcaf1719439a6a1cff9a0456f15b77d84d381277d40b0d6e987a887a734b320082b6194e8138f97947bd0e3e45410ceca57b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\prefs.js

Filesize
6KB

MD5
0030aa219508ae52d87adaf11c38d544

SHA1
055fc52d9accf7656163dde23a64b2080d1c0723

SHA256
7e2d0fea65530efdd715588684d792ee08dd72b2576bdf0c32ad3f6f2815f2fd

SHA512
f0c782756fa64361e47e46e2a987df52caa954432e01cf73e77630a427936c83db64246bec392ec75f99d984cab5dfeb223641df41f6cc1b7e3fe75b0c7994ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\sessionCheckpoints.json

Filesize
228B

MD5
a0821bc1a142e3b5bca852e1090c9f2c

SHA1
e51beb8731e990129d965ddb60530d198c73825f

SHA256
db037b650f36ff45da5df59bc07b0c5948f9e9b7b148ead4454ab84cb04fd0e2

SHA512
997528e2ecd24a7e697d95cd1a2a7de46a3d80b37fd67fac4fb0da0db756b60a24648b7074255dc38f7651302f70894a53c3d789f3d7cd9f80fb91bd0cade4be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
b021714d58b2c6dd1fff1b454a0af061

SHA1
e0bb5dab04b0209f36612d6bade532789aee7139

SHA256
cc691b102ec159dae86c3c3905042071a6d6eda51e99c6dcb59a3c58d189851d

SHA512
ada07956eee388a52f0da5c41cc21fe9150a9e5514919bbe4bba443b524562c561daf83166ad229ca55fdb575ca0729757c88b450cae3f4e394a284d788685f6

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
73B

MD5
6937d108666da513c04d511643fae44d

SHA1
20e186c6969b160547fd85465d6c8d621f5e34b7

SHA256
69c993b2f25c68915be60c7f982a110c44b862ba1414ad10732e2d7ad120f668

SHA512
9735e831a6eb80fce5992edc6a83dfcb712304677305625eba7f74b82d9f199ef59a418cc275aca7e8b69248d9fe317d34debf53f2e7346688a251827d1b7944

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.Ya5084

Filesize
72B

MD5
8d08778e8e8e4a0f4ae1770600ed97bd

SHA1
3ab0a9d2f0367ff38afd7c5c7ae3c273194e95cc

SHA256
a6648c58a7ceade5c7ac02c5f4d7282e1ecd62d78debe60112551cdd644abfce

SHA512
022d0311c27e6c3caacaaa123d4b350daf93989ef576bd10219af70fee26095322caf5ca08e40dc54a50c8a10177f8f23a4291238328ba40d588d06e210af89e

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock

Filesize
18B

MD5
06282d9e077f2ac6c25d89e0ee304272

SHA1
003c82d39a4fb683c8b52c5b8204217537ab2e99

SHA256
8ef4729b3647d8848b2ceddaa3002ec0b2eafe11147705b4172c31555ae72eb5

SHA512
314522834dd60e07250ed3cb23b432ec0ebb05bdf8c7143dff9d157126fbcaa62cafe6086c626e87de4357063d5e8ee7e263fa67be10aba904430e314bbe2ec0

Download Submit
C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 382599.crdownload

Filesize
2.3MB

MD5
1b54b70beef8eb240db31718e8f7eb5d

SHA1
da5995070737ec655824c92622333c489eb6bce4

SHA256
7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb

SHA512
fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb

Download Submit
memory/5084-534-0x00007FFD8BB90000-0x00007FFD8BBC4000-memory.dmp

Filesize
208KB

Download
memory/5084-533-0x00007FF71D030000-0x00007FF71D128000-memory.dmp

Filesize
992KB

Download
memory/5084-535-0x00007FFD7A620000-0x00007FFD7A8D6000-memory.dmp

Filesize
2.7MB

Download
memory/5084-536-0x00007FFD79130000-0x00007FFD7A1E0000-memory.dmp

Filesize
16.7MB

Download