21be0a068d7d1b57578bfb2ed850b3f3b1cfe4a4c47981ead95abdb8c20278fe

Analysis

max time kernel
150s
max time network
149s
platform
windows10-1703_x64
resource
win10-20231220-en
resource tags

arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system
submitted
22-01-2024 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup-v-6dha1qC.exe
Size

704KB
MD5

d1fc9e6d71a4867ab71af5566e525ba0
SHA1

593b10280a926134839feb8e2f9d0da9ee9c0593
SHA256

21be0a068d7d1b57578bfb2ed850b3f3b1cfe4a4c47981ead95abdb8c20278fe
SHA512

c82a23e5e0e3a38e32fc08401890852a71ec90640bbfb944ed7d45812493a53d2be2c0e4373692e52c77d666b8ae72cd0d15c3dc4bc3cc52887ad4589820658d
SSDEEP

12288:iOIVD3gyucpjRKaDPNKT1zH3ptaR1sDfOQSvJqFZ6rOIIzVFA4+M:iOIyyuUjMaDu173pG1szLSvJwSOZBv

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000\Control Panel\International\Geo\Nation	VLC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000\Control Panel\International\Geo\Nation	VLC.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\NvWinSearchOptimizer.ps1	VLC.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\applet.app\Contents\Resources\Scripts	Setup-v-6dha1qC.exe
File created	C:\Windows\NvOptimizerLog\locales\en-GB.pak	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\applet.app\Contents\MacOS\applet	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\applet.app\Contents\PkgInfo	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\vendor\win32\Elevate\Elevate.vcproj	Setup-v-6dha1qC.exe
File created	C:\Windows\NvOptimizerLog\vk_swiftshader.dll	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\v8_context_snapshot.bin	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\elevate.exe	Setup-v-6dha1qC.exe
File created	C:\Windows\NvOptimizerLog\locales\nb.pak	Setup-v-6dha1qC.exe
File created	C:\Windows\NvOptimizerLog\resources.pak	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\vendor\win32\README.md	Setup-v-6dha1qC.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\NvOptimizerLog\swiftshader	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\LICENSE	Setup-v-6dha1qC.exe
File created	C:\Windows\NvOptimizerLog\v8_context_snapshot.bin	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\swiftshader\libGLESv2.dll	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\applet.app\Contents	Setup-v-6dha1qC.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\libgksu2.so.0.0.2	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\index.js	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules	Setup-v-6dha1qC.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\package.json	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\applet.app\Contents\Resources\applet.rsrc	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\vendor\win32\Elevate\main.c	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\elevate.exe	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\vendor\win32	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\en-GB.pak	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\es-419.pak	Setup-v-6dha1qC.exe
File created	C:\Windows\NvOptimizerLog\locales\ml.pak	Setup-v-6dha1qC.exe
File created	C:\Windows\NvOptimizerLog\locales\zh-CN.pak	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\assets\osx.png	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\assets	Setup-v-6dha1qC.exe
File created	C:\Windows\NvOptimizerLog\locales\es-419.pak	Setup-v-6dha1qC.exe
File created	C:\Windows\NvOptimizerLog\locales\pt-BR.pak	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\sw.pak	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\regedit\vbs\regPutValue.wsf	Setup-v-6dha1qC.exe
File created	C:\Windows\NvOptimizerLog\locales\id.pak	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\pt-BR.pak	Setup-v-6dha1qC.exe
File created	C:\Windows\NvOptimizerLog\locales\sr.pak	Setup-v-6dha1qC.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\.eslintignore	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\applet.app\Contents\Info.plist	Setup-v-6dha1qC.exe
File created	C:\Windows\NvOptimizerLog\resources\regedit\vbs\JsonSafeTest.wsf	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\applet.app\Contents\Resources\description.rtfd\TXT.rtf	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\applet.app\Contents\Resources\applet.icns	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\vlc\installer.exe	Setup-v-6dha1qC.exe
File created	C:\Windows\NvOptimizerLog\locales\fil.pak	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\libgksu2.so.0	Setup-v-6dha1qC.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\index.js	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\snapshot_blob.bin	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\libEGL.dll	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\en-US.pak	Setup-v-6dha1qC.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\vendor\win32\Elevate\Elevate.vcxproj	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\vk_swiftshader_icd.json	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\ar.pak	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\es.pak	Setup-v-6dha1qC.exe
File created	C:\Windows\NvOptimizerLog\locales\ta.pak	Setup-v-6dha1qC.exe
File created	C:\Windows\NvOptimizerLog\locales\te.pak	Setup-v-6dha1qC.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\assets\osx.png	Setup-v-6dha1qC.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\applet.app\Contents\Info.plist	Setup-v-6dha1qC.exe
File created	C:\Windows\NvOptimizerLog\swiftshader\libGLESv2.dll	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\applet.app\Contents\Resources\description.rtfd	Setup-v-6dha1qC.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\bn.pak	Setup-v-6dha1qC.exe
File created	C:\Windows\NvOptimizerLog\locales\el.pak	Setup-v-6dha1qC.exe

Executes dropped EXE 5 IoCs

pid	Process
1960	VLC.exe
4192	VLC.exe
2060	VLC.exe
3400	VLC.exe
376	installer.exe

Loads dropped DLL 21 IoCs

pid	Process
2084	Setup-v-6dha1qC.exe
2084	Setup-v-6dha1qC.exe
2084	Setup-v-6dha1qC.exe
2084	Setup-v-6dha1qC.exe
2084	Setup-v-6dha1qC.exe
2084	Setup-v-6dha1qC.exe
2084	Setup-v-6dha1qC.exe
2084	Setup-v-6dha1qC.exe
2084	Setup-v-6dha1qC.exe
2084	Setup-v-6dha1qC.exe
1960	VLC.exe
4192	VLC.exe
2060	VLC.exe
3400	VLC.exe
4192	VLC.exe
4192	VLC.exe
4192	VLC.exe
376	installer.exe
376	installer.exe
376	installer.exe
376	installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5056	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
500	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133504227885806672"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{B2378F08-4E82-47BC-A18B-5E43709ECCDD} = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 86892a61634dda01	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Telligent	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = efa4fa4c634dda01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "412714158"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 8063b152634dda01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "412730751"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = 80f42dca335bda01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = e84fbd52634dda01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 36272861634dda01	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 2113d267634dda01	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "412111293"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 01000000e0ec90d12258ffd042e2fa68b5df6310a01386f5d6f3b7f73fdf48d10d795285a89770c3c9771565722319ecff523704dda98b02cd15bf0fadd71615	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2084	Setup-v-6dha1qC.exe
2084	Setup-v-6dha1qC.exe
2084	Setup-v-6dha1qC.exe
2084	Setup-v-6dha1qC.exe
2084	Setup-v-6dha1qC.exe
2084	Setup-v-6dha1qC.exe
2060	VLC.exe
2060	VLC.exe
3400	VLC.exe
3400	VLC.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
3248	powershell.exe
3248	powershell.exe
3248	powershell.exe
3248	powershell.exe
2824	DllHost.exe
2824	DllHost.exe
2824	DllHost.exe
2824	DllHost.exe
2824	DllHost.exe
4584	powershell.exe
4584	powershell.exe
4584	powershell.exe
4584	powershell.exe
4548	chrome.exe
4548	chrome.exe
376	installer.exe
376	installer.exe
376	installer.exe
376	installer.exe
376	installer.exe
376	installer.exe
376	installer.exe
376	installer.exe
376	installer.exe
376	installer.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
5224	MicrosoftEdgeCP.exe
5224	MicrosoftEdgeCP.exe
5224	MicrosoftEdgeCP.exe
5224	MicrosoftEdgeCP.exe
5224	MicrosoftEdgeCP.exe
5224	MicrosoftEdgeCP.exe
5224	MicrosoftEdgeCP.exe
5224	MicrosoftEdgeCP.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2084	Setup-v-6dha1qC.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeIncreaseQuotaPrivilege	2764	powershell.exe
Token: SeSecurityPrivilege	2764	powershell.exe
Token: SeTakeOwnershipPrivilege	2764	powershell.exe
Token: SeLoadDriverPrivilege	2764	powershell.exe
Token: SeSystemProfilePrivilege	2764	powershell.exe
Token: SeSystemtimePrivilege	2764	powershell.exe
Token: SeProfSingleProcessPrivilege	2764	powershell.exe
Token: SeIncBasePriorityPrivilege	2764	powershell.exe
Token: SeCreatePagefilePrivilege	2764	powershell.exe
Token: SeBackupPrivilege	2764	powershell.exe
Token: SeRestorePrivilege	2764	powershell.exe
Token: SeShutdownPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeSystemEnvironmentPrivilege	2764	powershell.exe
Token: SeRemoteShutdownPrivilege	2764	powershell.exe
Token: SeUndockPrivilege	2764	powershell.exe
Token: SeManageVolumePrivilege	2764	powershell.exe
Token: 33	2764	powershell.exe
Token: 34	2764	powershell.exe
Token: 35	2764	powershell.exe
Token: 36	2764	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeIncreaseQuotaPrivilege	4656	powershell.exe
Token: SeSecurityPrivilege	4656	powershell.exe
Token: SeTakeOwnershipPrivilege	4656	powershell.exe
Token: SeLoadDriverPrivilege	4656	powershell.exe
Token: SeSystemProfilePrivilege	4656	powershell.exe
Token: SeSystemtimePrivilege	4656	powershell.exe
Token: SeProfSingleProcessPrivilege	4656	powershell.exe
Token: SeIncBasePriorityPrivilege	4656	powershell.exe
Token: SeCreatePagefilePrivilege	4656	powershell.exe
Token: SeBackupPrivilege	4656	powershell.exe
Token: SeRestorePrivilege	4656	powershell.exe
Token: SeShutdownPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeSystemEnvironmentPrivilege	4656	powershell.exe
Token: SeRemoteShutdownPrivilege	4656	powershell.exe
Token: SeUndockPrivilege	4656	powershell.exe
Token: SeManageVolumePrivilege	4656	powershell.exe
Token: 33	4656	powershell.exe
Token: 34	4656	powershell.exe
Token: 35	4656	powershell.exe
Token: 36	4656	powershell.exe
Token: SeDebugPrivilege	3248	powershell.exe
Token: SeIncreaseQuotaPrivilege	3248	powershell.exe
Token: SeSecurityPrivilege	3248	powershell.exe
Token: SeTakeOwnershipPrivilege	3248	powershell.exe
Token: SeLoadDriverPrivilege	3248	powershell.exe
Token: SeSystemProfilePrivilege	3248	powershell.exe
Token: SeSystemtimePrivilege	3248	powershell.exe
Token: SeProfSingleProcessPrivilege	3248	powershell.exe
Token: SeIncBasePriorityPrivilege	3248	powershell.exe
Token: SeCreatePagefilePrivilege	3248	powershell.exe
Token: SeBackupPrivilege	3248	powershell.exe
Token: SeRestorePrivilege	3248	powershell.exe
Token: SeShutdownPrivilege	3248	powershell.exe
Token: SeDebugPrivilege	3248	powershell.exe
Token: SeSystemEnvironmentPrivilege	3248	powershell.exe
Token: SeRemoteShutdownPrivilege	3248	powershell.exe
Token: SeUndockPrivilege	3248	powershell.exe
Token: SeManageVolumePrivilege	3248	powershell.exe
Token: 33	3248	powershell.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2084	Setup-v-6dha1qC.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1960	VLC.exe
4192	VLC.exe
2060	VLC.exe
376	installer.exe
3400	VLC.exe
1624	MicrosoftEdge.exe
5224	MicrosoftEdgeCP.exe
5304	MicrosoftEdgeCP.exe
5224	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 4192	1960	VLC.exe	78
PID 1960 wrote to memory of 2060	1960	VLC.exe	79
PID 1960 wrote to memory of 2060	1960	VLC.exe	79
PID 1960 wrote to memory of 376	1960	VLC.exe	77
PID 1960 wrote to memory of 376	1960	VLC.exe	77
PID 1960 wrote to memory of 376	1960	VLC.exe	77
PID 1960 wrote to memory of 3400	1960	VLC.exe	80
PID 1960 wrote to memory of 3400	1960	VLC.exe	80
PID 3400 wrote to memory of 4936	3400	VLC.exe	83
PID 3400 wrote to memory of 4936	3400	VLC.exe	83
PID 4936 wrote to memory of 4408	4936	cmd.exe	82
PID 4936 wrote to memory of 4408	4936	cmd.exe	82
PID 3400 wrote to memory of 2764	3400	VLC.exe	85
PID 3400 wrote to memory of 2764	3400	VLC.exe	85
PID 3400 wrote to memory of 4656	3400	VLC.exe	88
PID 3400 wrote to memory of 4656	3400	VLC.exe	88
PID 3400 wrote to memory of 3248	3400	VLC.exe	90
PID 3400 wrote to memory of 3248	3400	VLC.exe	90
PID 3400 wrote to memory of 2300	3400	VLC.exe	99
PID 3400 wrote to memory of 2300	3400	VLC.exe	99
PID 2300 wrote to memory of 5056	2300	cmd.exe	91
PID 2300 wrote to memory of 5056	2300	cmd.exe	91
PID 3400 wrote to memory of 3456	3400	VLC.exe	94
PID 3400 wrote to memory of 3456	3400	VLC.exe	94
PID 3456 wrote to memory of 2824	3456	cmd.exe	131

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Setup-v-6dha1qC.exe
"C:\Users\Admin\AppData\Local\Temp\Setup-v-6dha1qC.exe"
1⤵
- Drops file in Windows directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2084

C:\Windows\NvOptimizerLog\VLC.exe
"C:\Windows\NvOptimizerLog\VLC.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\NvOptimizerLog\resources\vlc\installer.exe
  resources/vlc/installer.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:376
- C:\Windows\NvOptimizerLog\VLC.exe
  "C:\Windows\NvOptimizerLog\VLC.exe" --type=gpu-process --field-trial-handle=1472,4571652801475849759,9338210499349707055,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1480 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:4192
- C:\Windows\NvOptimizerLog\VLC.exe
  "C:\Windows\NvOptimizerLog\VLC.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1472,4571652801475849759,9338210499349707055,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1808 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2060
- C:\Windows\NvOptimizerLog\VLC.exe
  "C:\Windows\NvOptimizerLog\VLC.exe" --type=renderer --field-trial-handle=1472,4571652801475849759,9338210499349707055,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Windows\NvOptimizerLog\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1872 /prefetch:1
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Set-ExecutionPolicy -ExecutionPolicy Unrestricted"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ExecutionPolicy"
    3⤵
    PID:1952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "SCHTASKS /Create /TN "NvOptimizerTaskUpdater_V2" /SC HOURLY /TR "powershell -File C:/Windows/System32/NvWinSearchOptimizer.ps1" /RL HIGHEST /MO 4 /RU System /ST 18:49"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "systeminfo"
    3⤵
    PID:3504
- - C:\Windows\system32\cscript.exe
    cscript.exe
    3⤵
    PID:3376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "start chrome "https://mediatrackerr.com/track-install?s=vlc&u=b9992673-4054-424f-b939-b1e991e6dc27&f=Setup-v-6dha1qC.exe""
    3⤵
    PID:4904
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://mediatrackerr.com/track-install?s=vlc&u=b9992673-4054-424f-b939-b1e991e6dc27&f=Setup-v-6dha1qC.exe"
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4548
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2596 --field-trial-handle=2520,i,4436673288724326233,8286451545947993098,131072 /prefetch:1
        5⤵
        
        PID:4124
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1872 --field-trial-handle=2520,i,4436673288724326233,8286451545947993098,131072 /prefetch:8
        5⤵
        
        PID:5020
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1844 --field-trial-handle=2520,i,4436673288724326233,8286451545947993098,131072 /prefetch:8
        5⤵
        
        PID:4232
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1556 --field-trial-handle=2520,i,4436673288724326233,8286451545947993098,131072 /prefetch:2
        5⤵
        
        PID:4560
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2604 --field-trial-handle=2520,i,4436673288724326233,8286451545947993098,131072 /prefetch:1
        5⤵
        
        PID:4916
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4508 --field-trial-handle=2520,i,4436673288724326233,8286451545947993098,131072 /prefetch:1
        5⤵
        
        PID:5500
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 --field-trial-handle=2520,i,4436673288724326233,8286451545947993098,131072 /prefetch:8
        5⤵
        
        PID:5812
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 --field-trial-handle=2520,i,4436673288724326233,8286451545947993098,131072 /prefetch:8
        5⤵
        
        PID:5984
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4596 --field-trial-handle=2520,i,4436673288724326233,8286451545947993098,131072 /prefetch:8
        5⤵
        
        PID:6064
- - C:\Windows\system32\cscript.exe
    cscript.exe //Nologo resources\regedit\vbs\regList.wsf A HKCU\SOFTWARE\NvOptimizer
    3⤵
    PID:1468

C:\Windows\system32\chcp.com
chcp
1⤵
PID:4408

C:\Windows\system32\schtasks.exe
SCHTASKS /Create /TN "NvOptimizerTaskUpdater_V2" /SC HOURLY /TR "powershell -File C:/Windows/System32/NvWinSearchOptimizer.ps1" /RL HIGHEST /MO 4 /RU System /ST 18:49
1⤵
- Creates scheduled task(s)
PID:5056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-ExecutionPolicy -ExecutionPolicy Unrestricted
1⤵
PID:2824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ExecutionPolicy
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4584

C:\Windows\system32\systeminfo.exe
systeminfo
1⤵
- Gathers system information
PID:500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xe8,0xec,0xf0,0xc4,0xf4,0x7ff937739758,0x7ff937739768,0x7ff937739778
1⤵
PID:4132

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1624

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3552

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3832

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:5224

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5304

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5388

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3276

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6044

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6024

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2824

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
61f6938fa1fa3df1b64463e21464c38e

SHA1
d19ebf8cc5bd41cc7abff3f29ace3a972abc0440

SHA256
9e28253dbd77d12d41292bca06bcf796ce922332804402b4096c6bba940cc0c0

SHA512
9b25fd59c40604cdbe490683dd574b61a515ac79a4648fef478f8bd417e1c2344c7db4fd774d592cbe0ed399a1a646efddd65d4a59121f7cb900810636865e1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
f13b2e7afa4c6a624e20d32556e3b835

SHA1
ec41ad5fc11c07f9726bad9d4a3c4f16580013d9

SHA256
3278374cffe71febe7e75e3ce811068a28dd952812620eec7b05daf7f10f1b54

SHA512
27f8cfc9bbc9cfdc9845c37827f6fa657b35a3ba856aecebad2dab42a0712a2b498a1504c508986a048cc8ebe29ce10f15907f3156bb0237db43390a16aa5a7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
25caf774769414cdf0af18eb47bfbf49

SHA1
648429fab59b444e3c59d9c6f47534b17e04a78b

SHA256
99f6856caea3cd9128dc37d321776a723a57b00b79d4b9cc459fd927fe38301f

SHA512
3c98d9dabcb01e77245898e3a9e1dca5ff27f3bf7fa233dea3e56da51fa7082cadf5dc3a4e810747dc68f5ae45cb7a02ea33204deea3ab9266ad1b21b2206fb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
38f24bd63b13aa2d8f762ae1614aa043

SHA1
a63553cdc2e649fe006c7b88d8eaee97c82344d3

SHA256
42ffb0629c7965f54e785dc4025d7095ed6c8e76acfbdc64c6fe631aa1b357a1

SHA512
515fbcf82b4e7aec46401b6647652f55e63dafbe3eeb7e63b4624aa25a7c2f59db322529f6ea36102679a21681029a405260122f3a37bccd4d3f5fe96f948571

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
269dadd70bd3195eb88988a64dafe7fb

SHA1
9026cb4ec00bad3995c51050315ce260e0e4d2bf

SHA256
de8404f2a0376adebc0809fa88b224be054c17662c44bdb4936cc56092562a80

SHA512
db84f386516300761213de2efb1330f18ecf35f57e8f33922263f964488b10205f44e18a1dd78c0db82952a1937c36cd5254c1e5f242f42084d6a0be3ddad61e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
3bfae6d7aa1e0acb0c14ad979cd75199

SHA1
75e753e161d067213ce03f62bb5187d751b4ec73

SHA256
25b399c4b29869dc3a6f2159e8557acf4f2c8fd405309abd7a2fe5d3878028b8

SHA512
eb09f6bdacbf43f7831a16ac9f895a42f3275d756c505b41e59cf185afa5225e5621327c83040a0759d65c5532d2df444976cff44f22328cf09e811c6de6e616

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
aa6f221b344de5916baa07c783c21343

SHA1
ccf697f38f93009fa29a519a8b03df6357513332

SHA256
f5ccf7481e11ede99c30150530ba28792c5f5f5d6a60a350d5c5aab3dd564a14

SHA512
0f29d541f528c6a6d92d30a0da51a6322a1679191360d56029b718d613d75e22bd3a6ab190a361f9718d9c71eee7cecf8128300693240d3ccb2f2621cc9019c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
cf9af9bef559d7f09ab4d1805a0e5364

SHA1
3886fa673062068621295186805730a7047aa561

SHA256
e6ec63d5bbe5a7ad0b2d7207615e3b37059a2ab173aa00745e9ac5e27ecc6490

SHA512
9047094fb1e91bfbd2df4a8152592524017ada69d70d91f098774f1b7c167d688a3d1de2fc676a5ecb8030684859828231a0076d53cdb31e675a087cafb296cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
229KB

MD5
8ba289e2e6252ce139ef64f478435e77

SHA1
51cb57823c17b9e0dbad34be9f2f8f9fde382eb6

SHA256
70571042cf68b689492c702e2a632ab1984c93ef07c9d635b74a394691048cd1

SHA512
dd8fdd8971c278513692e7a81d906f3ca3c1983a63a300a80860898b312686ea14baf93229cacf88308751a1921cd225efa9e1bf554e3eee91d8e9355335651d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
b519c55a718fb543286b76ed34e1feb9

SHA1
57d0fa202e8e8b9ced4824ab1cf4f8bde86c213b

SHA256
f105342dd5f019ff34a864610c196d155e03f278a25743aa4eda3b2719abbb06

SHA512
e82faf00090f66065f7cf6bd3dd51b528b670d7eee5eafc198d76a24880e98de4fcab8891e5778ccf25245ff47a248bb8a0a4a5a75d8ab6f3a38a2e5bb7bff48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JFN4LWJJ\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
80ef418749393790b80930b9d1b1ed38

SHA1
baae03cf53c24cb4b4e16618f69dd770e75b17f5

SHA256
a9116390b696f61a4e6fb4887cc9e1cd896c2dbdc92693d247ccaa3ee590cfbb

SHA512
935c42409d95d6e35082cdad292e85d938988c5957e05b81c7473ce7b149457b3d47047c1eeba985d4b1f87b240cdb426537989d4dbf2621143c2090df2abcd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
60a07e978cb85c72ca6e28085169bcd5

SHA1
a5bc57a65c93199a60e2229c5e529dcd177027f1

SHA256
5f1d7bb4e76941932d5dbcf2a04fdfdaf558f6942347cd58c260c6148405d446

SHA512
f1ea4d395e8c33414287c77b85e7e7b9628a2fac41cab8e006dc84fe9d0951ec05876e7d463d14674f6da93c0101665f46b13480636b46a3625e97a25e6ae1ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
84a6ef76adbafd4e60ef423853db0d1a

SHA1
260eb3d7475cd42c2f564932796e3a154eb10bba

SHA256
a93a72f4bc34d645c3ef25562a1452f11723674c67678f70b6c1da19e126f220

SHA512
aea4af386d5f6701f0418e6886e068220dfbd1b11e7f4ecfde0c41492693bd01a295c9e1159310bc1114db8830d1cc096f267bdd5bd933cc6bd89f72a8ee2a55

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\4CXU3079\favicon[1].ico

Filesize
758B

MD5
84cc977d0eb148166481b01d8418e375

SHA1
00e2461bcd67d7ba511db230415000aefbd30d2d

SHA256
bbf8da37d92138cc08ffeec8e3379c334988d5ae99f4415579999bfbbb57a66c

SHA512
f47a507077f9173fb07ec200c2677ba5f783d645be100f12efe71f701a74272a98e853c4fab63740d685853935d545730992d0004c9d2fe8e1965445cab509c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\8UR1N0IB\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\SRMBH164\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\WM2E80CM\favicon[2].png

Filesize
7KB

MD5
9e3fe8db4c9f34d785a3064c7123a480

SHA1
0f77f9aa982c19665c642fa9b56b9b20c44983b6

SHA256
4d755ac02a070a1b4bb1b6f1c88ab493440109a8ac1e314aaced92f94cdc98e9

SHA512
20d8b416bd34f3d80a77305c6fcd597e9c2d92ab1db3f46ec5ac84f5cc6fb55dfcdccd03ffdc5d5de146d0add6d19064662ac3c83a852f3be8b8f650998828d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_05s2y2ez.yyx.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm70AD.tmp\package.7z

Filesize
10.3MB

MD5
74f423664fc57c74eed82636d65fd51b

SHA1
69a4ca14a53b7dbf599b32825a82a30d822d8dc9

SHA256
51098ca81c1cb1fe2f81df699a42f003aabfcbda83caee0a306eb517269ea008

SHA512
b7fb2b6e0bcd2277559cf7cc5860bf332b1574365d586e028d2b315c210b5ae1a1a5d79cfccc37a8a056cc9c2d5b09a6a344134739e7557304e70b5e896767aa

Download Submit
C:\Users\Admin\AppData\Roaming\VLC\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Roaming\VLC\Network Persistent State~RFe583a83.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\VLC\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\VLC\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Windows\NvOptimizerLog\D3DCompiler_47.dll

Filesize
566KB

MD5
66e77444f12f33f8f97fef6be8791a53

SHA1
082a3112c3e3b70cd8640176bc90926fb6bab7a6

SHA256
43824b383ab2651a29890a62fe2dc6a282de0629784e5e2afcd0cc70ddc33332

SHA512
334aaaccd8fa76f08b09c4074e2c51a5bc5127705d645640382c19dde90c7f40126b55516a710e8b2a6db2d4ac41640bc3e4a850be3467cc907c2ee835ac690c

Download Submit
C:\Windows\NvOptimizerLog\VLC.exe

Filesize
5.7MB

MD5
280abaca54178cd47e79edd8bcdc4f22

SHA1
aea9955ca481353316565c422a69022a20c528aa

SHA256
f376159497ad24505e88b4ed639baba0bcf26ac4bb896d0a9e584a68f91fab1b

SHA512
7ceb6e6998b2d7335cc5f66bc09bdadf2c00e8d650a4f46b979b7b6ee3a38b3c8fc601e0f5805a8335bc1b745f665cd2c44765bba5bc5ec46a3f3aca3eb6ed8a

Download Submit
C:\Windows\NvOptimizerLog\VLC.exe

Filesize
1024KB

MD5
6b730afb213643eb5096adfd00c631cb

SHA1
64e36e0a618b960cd2de70225a1bdd63e2d3a14f

SHA256
d13a618cc3611229f43f8fc0d4cda4eee560ecba556ad6e4dac415d57ace8ea8

SHA512
acbc1d798bcf53efc34be0357ede73c72200cfa648b48c19ca0c54423f811a1337aa663af5f7a5811472c1903cdb6d8e934acc9db3590b5586dd17ada3e294e7

Download Submit
C:\Windows\NvOptimizerLog\VLC.exe

Filesize
951KB

MD5
fc2acaf62c1f234489fc15ac795ef971

SHA1
89277b29d8803b8f809dfb7e37a205b6882d22ac

SHA256
03ade43b3d2100f4e88c9f64f7bc6acef60fb08e9abcfa0cbbe31ef8cea4ef8d

SHA512
b99da78451e00f8b9d471583e3c7b98962025ee8078a6157cf546b75545b8e637249b34e4e39b2dfec25f72676bd40001daa861c91d6209ab992b1302daa221e

Download Submit
C:\Windows\NvOptimizerLog\VLC.exe

Filesize
524KB

MD5
f60cafc361665e23427007633e787fc4

SHA1
e150d34c3657287707d733781a6de6b5531ace7b

SHA256
613ccf31cdb9dc400ae3e4f48235f336e45c75f81664d2874c9d3ea6bbae096f

SHA512
86c87323394f2db1643407e6d3c62589487c4a1e178f41e1f6bcce65965f6c76438af1e90233b126c7be5867200c2cf94cc1735bbc0f4c61e9dbbc48151ee065

Download Submit
C:\Windows\NvOptimizerLog\VLC.exe

Filesize
337KB

MD5
674fc942f1620559c58ac59f4aca215c

SHA1
cadcd7a76e7c67805d6b79fbb06e5960e9b711ca

SHA256
4eeb56be7aa5816b7085ca9153af2725cf7534f4a8f22f46f47d9cebc12709a3

SHA512
8c133fb8e4ee2b61cffde7e4299932c6f71df2a4681132c44f479124e2e04e7c7fdb84cf4406ef8a07571af9acadf01eea4a93cacfa1753c1bb7224222fc872f

Download Submit
C:\Windows\NvOptimizerLog\VLC.exe

Filesize
366KB

MD5
3a986a4758a85fa62830f06150f8eab6

SHA1
b2db2fa92b0a1028e6b4df7e2853f9e796824d51

SHA256
f8d01c8a64ef333c16a341baa6a1a6a777d49735dde8b3ff90700e13498dc2c7

SHA512
82f3b333e3a360405aa2ac1a11b53f02fccf21c627ce62718c2253e432939fee3a67887b245aaf8a49fdfdfb53d0d2c056a2e235156c9973b2814c9bf4d361e7

Download Submit
C:\Windows\NvOptimizerLog\chrome_100_percent.pak

Filesize
123KB

MD5
a59ea69d64bf4f748401dc5a46a65854

SHA1
111c4cc792991faf947a33386a5862e3205b0cff

SHA256
f1a935db8236203cbc1dcbb9672d98e0bd2fa514429a3f2f82a26e0eb23a4ff9

SHA512
12a1d953df00b6464ecc132a6e5b9ec3b301c7b3cefe12cbcad27a496d2d218f89e2087dd01d293d37f29391937fcbad937f7d5cf2a6f303539883e2afe3dacd

Download Submit
C:\Windows\NvOptimizerLog\chrome_200_percent.pak

Filesize
183KB

MD5
1985b8fc603db4d83df72cfaeeac7c50

SHA1
5b02363de1c193827062bfa628261b1ec16bd8cf

SHA256
7f9ded50d81c50f9c6ed89591fa621fabbd45cef150c8aabcceb3b7a9de5603b

SHA512
27e90dd18cbce0e27c70b395895ef60a8d2f2f3c3f2ca38f48b7ecf6b0d5e6fefbe88df7e7c98224222b34ff0fbd60268fdec17440f1055535a79002044c955b

Download Submit
C:\Windows\NvOptimizerLog\ffmpeg.dll

Filesize
1.1MB

MD5
d4e2961652c1b5a59f1a1bdd93004580

SHA1
52a5eb3bcb5cf3d52d67d20c576e460971f6b8b7

SHA256
bb10f07699d75015afeb7a0eafd1d53f71d44659d334e126736fd20a0025321e

SHA512
b39bc3fbc11337f43447b17c4500f325fe27878e7634a152fe9573bfb1c7f59a8af9e97338244325a85f6b1b14e8cac0bfead97b04f427f478fad01e26ea344e

Download Submit
C:\Windows\NvOptimizerLog\icudtl.dat

Filesize
1.1MB

MD5
44bfbe09c1cea5e3474cb7e732be7f55

SHA1
fe2cc51b62d310e8db80da7ce8d58b1c4bd2e9bd

SHA256
3f2784da0c9513476f947193a1bd957f414018fcbcf07cf347db040a1c27d430

SHA512
4c257c4d7ec91015f59114a2f952030528840a003ff95dcb9cc589efd20cc8925445f55ca9bf2fbdbcc892a4d8a5c2fd9325fb725392d38725388f7dbd642b89

Download Submit
C:\Windows\NvOptimizerLog\libegl.dll

Filesize
215KB

MD5
2c5fb37704316bbee2d68d50fbfad589

SHA1
a4f56d46f3d3178b22680f6e80e00e3031cd645d

SHA256
0dcc804adfa7bdb6f54809ffbb5759de91ae8074ebf0a1240ba4d3d5f9229922

SHA512
dbec8abffeafd95cd8d730211756366af9a05cf40942dfea395ad66540893d758e45b3e556bd8fd052aaeae1d6f30e327456d96bef1c2cd7e7f6e3cf7a26d2ea

Download Submit
C:\Windows\NvOptimizerLog\libglesv2.dll

Filesize
285KB

MD5
1024c133b2f63524c9f21833331a8481

SHA1
2d505adedc94522255622b0f154c7abb57bcc7b6

SHA256
ad41720cfcf173e17b510e603915ecb802afe344302783e53b818683f54e3a3d

SHA512
f2be1cd1df18d9ae337282368664928108c9b76a84e4323f3111e2a0d6d792f480be0a9d7f5f21ec21d77af5e17edba4a63e644c9587975b3a48045fdc390e60

Download Submit
C:\Windows\NvOptimizerLog\locales\en-US.pak

Filesize
85KB

MD5
6bbeeb72daebc3b0cbd9c39e820c87a9

SHA1
bd9ebec2d3fc03a2b27f128cf2660b33a3344f43

SHA256
ac1cdb4fb4d9fb27a908ed0e24cc9cc2bd885bc3ffba7e08b0b907fd4d1a8c4b

SHA512
66944fb1abcc2a7e08e5fd8a2cee53eb9da57653d7880aea226f25879e26379f7d745ebf62a3518378fa503f3a31b3ea3716f49fe4c7db4f4af0228b81b53a10

Download Submit
C:\Windows\NvOptimizerLog\resources.pak

Filesize
794KB

MD5
0a70b3b8e3caec2bdc679d885e9e8673

SHA1
819e99027ebb0dd5a1019cdee7e748c024c45c04

SHA256
99721ad6662f7a4b66219b055f085025d33461f640bd3fc8c291b6ce4169d0ac

SHA512
cda328e2ce610c16ac5f4a74aa8754b8e37c0562063d3cf45376032c91f5940a74687b3406f6e87a11279c468ded1d4315e6ad573319cf126f7e97af98512287

Download Submit
C:\Windows\NvOptimizerLog\resources\app.asar

Filesize
790KB

MD5
8354ef56b16ffbced6d09c334ddf683e

SHA1
70e8eb84c1cc689d99bed84025ee22fcc903955e

SHA256
817d9f73ab7b723949e788fa382a4816b5101af247d26b85ffe372b0ad94d052

SHA512
7c90992e9d3c43bc7d1b827354363835df7a5d546aebeafa1ccd8d0f8ddfeb3130a922dc807bb0e09a5af1b8a1578fcc54614288f248bf8a47f3ed7942385486

Download Submit
C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\libgksu2.so.0

Filesize
68KB

MD5
6dbc4226a62a578b815c4d4be3eda0d7

SHA1
eb23f90635a8366c5c992043ccf2dfb817cf6512

SHA256
0eb70bd4b911c9af7c1c78018742cadb0c5f9b6d394005eaeaa733da4b5766e5

SHA512
3a2836f712ad7048dbeb5b6eec8e163652f97bea521eafcff5c598cbedf062baefaa7079d3a614470ef99ec954dac518224cb3515ca14757721f96412443c7c4

Download Submit
C:\Windows\NvOptimizerLog\resources\regedit\vbs\ArchitectureAgnosticRegistry.vbs

Filesize
2KB

MD5
310a042dca2144c9cda556e9bc4b0c02

SHA1
d2032af7eea0dbd027a36e577567e85486496949

SHA256
caa82e59ca92629057791cb1e0ba0b74c90f561fac81b029033fc081a83431b0

SHA512
843d9f6f300caba8df41511473c43f4d5029fa0012e593677c83f196c8d595194d1409069fb4b8616e0118f37ba943bbe656b29de40f0ad70997ab610fd98db8

Download Submit
C:\Windows\NvOptimizerLog\resources\regedit\vbs\regList.wsf

Filesize
985B

MD5
cae7db4194de43346121a463596e4f4f

SHA1
f72843fa7e2a8d75616787b49f77b4380367ff26

SHA256
b65c5af7dbeb43c62f6a5528af6db3cb1ca2a71735a8e7a1451796f834e355c2

SHA512
ccee660cc4878301c743d3ebde4557dc180d8b6f77c97de5e36c95f6e4d2446ef7be28ebc787fdea2f2d817890ac7bdb713196c755a51677dc127cce77670026

Download Submit
C:\Windows\NvOptimizerLog\resources\regedit\vbs\regUtil.vbs

Filesize
7KB

MD5
77e85aa761f75466e78ce420fdf67a31

SHA1
4470bd4d215d7682828cbc5f7f64993c078b2caa

SHA256
350dea3d6c8e65372f8d12a5fd92a3a46a7519610c69564e8185a2ed66b00d59

SHA512
50af664777545ced78c34a6ea35dae542fdb85b8b307a4a4a95db25a808a695d3fe8840edb36325279c2381fbae071f6b509f7491185cef2f42afcb7672cfd13

Download Submit
C:\Windows\NvOptimizerLog\resources\regedit\vbs\util.vbs

Filesize
4KB

MD5
e2be267c02d51df566fa726fc8aa075a

SHA1
c9b9ae17f36e23d5d3cbbf2d6f17a954bfa87d24

SHA256
b2efd5e0c2f695063a8bce40c8182aa70f33c4b1b77d232b7530d89fb9646f0c

SHA512
b6f80622a9f61f636f7786d91a1b9e06a64602f0898425e90a1a696d0a4855c8c08cbd6e6b98b9a3a1a24de354b26260247953b5273f7d57ea87294b4b142e8a

Download Submit
C:\Windows\NvOptimizerLog\resources\vlc\installer.exe

Filesize
638KB

MD5
a3807a3648c654f305ffb9b925f3095e

SHA1
576c6747ea4bd3f4dbe590e847342f13a2e7532d

SHA256
1bbca36098b73f1003012600845be2ef5e150e4abee7da1e21ffc728ffd20b45

SHA512
f4dc4f78d2dbdf3819e96c0a6e9cecfe9872a70f818e438f6f4fe48943b22fa267154976341176bde920994fbdd001ea2b4ada4417aba11be2abf8acc25da77d

Download Submit
C:\Windows\NvOptimizerLog\resources\vlc\installer.exe

Filesize
384KB

MD5
8653bf0cf0cdedcfee8bdded1be0edc8

SHA1
2c6365136b74ac00ce1e73b71e6e838c1da0e6b3

SHA256
7747f4a85db4a964bd9d6f8da11ce9555d07a22a405cd5db2726c8356e939a73

SHA512
a12e246c3b492c287fae340110e45b44560829adb5ff0f154d2b1cca8386f5b3ffa70620205ed526dbd65684e54f7ab64971e29a3eb0612d5b1cfdbe8a5563d6

Download Submit
C:\Windows\NvOptimizerLog\v8_context_snapshot.bin

Filesize
160KB

MD5
b64c1fc7d75234994012c86dc5af10a6

SHA1
d0d562b5735d28381d59d0d86078ff6b493a678e

SHA256
31c3aa5645b5487bf484fd910379003786523f3063e946ef9b50d257d0ee5790

SHA512
6218fcb74ef715030a2dd718c87b32f41e976dd4ce459c54a45341ee0f5ca5c927ad507d3afcffe7298b989e969885ed7fb72030ea59387609e8bd5c4b8eb60a

Download Submit
\Users\Admin\AppData\Local\Temp\nsm70AD.tmp\INetC.dll

Filesize
238KB

MD5
38caa11a462b16538e0a3daeb2fc0eaf

SHA1
c22a190b83f4b6dc0d6a44b98eac1a89a78de55c

SHA256
ed04a4823f221e9197b8f3c3da1d6859ff5b176185bde2f1c923a442516c810a

SHA512
777135e05e908ac26bfce0a9c425b57f7132c1cdb0969bbb6ef625748c868860602bacc633c61cab36d0375b94b6bcfbd8bd8c7fa781495ef7332e362f8d44d1

Download Submit
\Users\Admin\AppData\Local\Temp\nsm70AD.tmp\SpiderBanner.dll

Filesize
9KB

MD5
17309e33b596ba3a5693b4d3e85cf8d7

SHA1
7d361836cf53df42021c7f2b148aec9458818c01

SHA256
996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

SHA512
1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

Download Submit
\Users\Admin\AppData\Local\Temp\nsm70AD.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
\Users\Admin\AppData\Local\Temp\nsm70AD.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nsm70AD.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
\Users\Admin\AppData\Local\Temp\nsm70AD.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Local\Temp\nsm70AD.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
\Users\Admin\AppData\Local\Temp\nsvD459.tmp\LangDLL.dll

Filesize
7KB

MD5
20850d4d5416fbfd6a02e8a120f360fc

SHA1
ac34f3a34aaa4a21efd6a32bc93102639170e219

SHA256
860b409b065b747aab2a9937f02d08b6fd7309993b50d8e4b53983c8c2b56b61

SHA512
c8048b9ae0ced72a384c5ab781083a76b96ae08d5c8a5c7797f75a7e54e9cd9192349f185ee88c9cf0514fc8d59e37e01d88b9c8106321c0581659ebe1d1c276

Download Submit
\Users\Admin\AppData\Local\Temp\nsvD459.tmp\System.dll

Filesize
26KB

MD5
4f25d99bf1375fe5e61b037b2616695d

SHA1
958fad0e54df0736ddab28ff6cb93e6ed580c862

SHA256
803931797d95777248dee4f2a563aed51fe931d2dd28faec507c69ed0f26f647

SHA512
96a8446f322cd62377a93d2088c0ce06087da27ef95a391e02c505fb4eb1d00419143d67d89494c2ef6f57ae2fd7f049c86e00858d1b193ec6dde4d0fe0e3130

Download Submit
\Users\Admin\AppData\Local\Temp\nsvD459.tmp\nsDialogs.dll

Filesize
12KB

MD5
2029c44871670eec937d1a8c1e9faa21

SHA1
e8d53b9e8bc475cc274d80d3836b526d8dd2747a

SHA256
a4ae6d33f940a80e8fe34537c5cc1f8b8679c979607969320cfb750c15809ac2

SHA512
6f151c9818ac2f3aef6d4cabd8122c7e22ccf0b84fa5d4bcc951f8c3d00e8c270127eac1e9d93c5f4594ac90de8aff87dc6e96562f532a3d19c0da63a28654b7

Download Submit
\Users\Admin\AppData\Local\Temp\nsvD459.tmp\nsProcess.dll

Filesize
35KB

MD5
764371d831841fe57172aa830d22149d

SHA1
680e20e9b98077dea32b083b5c746d8de35e0584

SHA256
93df9e969053ca77c982c6e52b7f2898d22777a8c50274b54303eaa0ef5ccded

SHA512
19076205eba08df978ad17f8176d3a5a17c4ea684460894b6a80cae7e48fcae5e9493ff745d88d62fd44fc17bcda838570add6c38bebe4962d575f060f1584f9

Download Submit
\Windows\NvOptimizerLog\d3dcompiler_47.dll

Filesize
428KB

MD5
d199bc3a82009bc5ab8d2e3de390e4a6

SHA1
72c3580b63228bd66d6177a6972d6b322d5a5dfb

SHA256
28633e8f680ac38178f18f12f18727e731bb0019807c56f0328e5ffe1e4a7c7f

SHA512
f3a3f140992dd561a9e9e486792f33cf03a6500c863c2920d99d627a12b299a1d121e97150691fb1206fbdce57eb4fdf2fda97e2a29d523db1753fdb625a4f85

Download Submit
\Windows\NvOptimizerLog\ffmpeg.dll

Filesize
1.0MB

MD5
6c6a7ecd6ea6e85f6fca1cead1d94042

SHA1
2a96416410c1714b0cc05c3de6d9b7a37fa7e533

SHA256
b247f19bbf86c80791f33908ba315709902f285eed1ae48f2e7d40979ab45fe0

SHA512
58fdaa19050983522cf0b006ef5ac8a4cde87fc34161e231d228a8b200c01b93fd67f9eacabe11cfe37bd808eb3950599a4fcf92f6d942889e5f142c6b4d4f10

Download Submit
\Windows\NvOptimizerLog\ffmpeg.dll

Filesize
580KB

MD5
34757f127180214b37d19d7ddb688bb9

SHA1
85c864d0229319582ab3e387ef793a3c88d44f9c

SHA256
2ac1d6aaa2687c3c1b0b9f05c5fbf7198b831bab6770343eeac8c80f24508da0

SHA512
5859a582219aeabe307976146288f8ec58270be57ac5e8a5f87f842dd31dcd04483e1f31b17e0e4b83cba16f61ddbf9a01eb210d6365885917e8cd0cb602368c

Download Submit
\Windows\NvOptimizerLog\ffmpeg.dll

Filesize
410KB

MD5
ff208c1363804464801b7e03982257ef

SHA1
855c020248d03f6809437159ba21a20655a620bd

SHA256
f9e7df1ea54d362b81d7e17d0c9783cfb37ae5e509fd276829472baf47f05bd4

SHA512
ff70083036fa4a840889ea31cf6d7e81baaa4e537eec430e0857efa3ecb7340a084094b2847900d5b30f02dbd32693d005ac4331bcdca8f0711e9e09fe74068b

Download Submit
\Windows\NvOptimizerLog\ffmpeg.dll

Filesize
666KB

MD5
e6acd9b952865fe07c0899b7a81b2b7f

SHA1
514ebccd3ac6411d5dc30edd5752cd9ddba1bcb9

SHA256
8fb0bf74134e94c477b8c733e5c363148f3df20b071b1886fc641d1a56586628

SHA512
d4068650b27af3e77d9f6528090746ceaa7231072236e53785e30778eee4c125b1b8fa7e7af92651d916054feab4aa0272c5c22fd99ab0fe72eade74615e4905

Download Submit
\Windows\NvOptimizerLog\libEGL.dll

Filesize
330KB

MD5
0f7a251153aec454baf91578982f28a7

SHA1
38f8e8dc15abe2279032788cae5f4bda06da6321

SHA256
9a9abd87e323ee424fba477360e4c58cb799d6fd8ce021121a8798aa44fffc8f

SHA512
1c4ddc0727bda540ce01baa35bc9c421b90f2a0f3935552ffc3dc18fe2a4a3b087eb3f36916de60e6c6b5ab613d6b41a9dea4769566e30c6cf51d49698c756ed

Download Submit
\Windows\NvOptimizerLog\libGLESv2.dll

Filesize
236KB

MD5
1bc4066cb388cb68a116d6b1242d144d

SHA1
918f59bffd8d6af1e00eab80db3236d3ba738135

SHA256
7f74fecbea5146b1a6f4f8944cb01e5aec6ba698caafeedc4d6374b1adbc024f

SHA512
c284f257f25e762503e15a67aa08fd70819363d9ecdf46763957bec6e7f62a5b7d15c5678bf90bdb3e2eb0113ea10e61b07bab244e0f840cad6d35c101ec107d

Download Submit
memory/376-1661-0x0000000073490000-0x000000007349C000-memory.dmp

Filesize
48KB

Download
memory/376-1352-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/376-1660-0x00000000739A0000-0x00000000739AB000-memory.dmp

Filesize
44KB

Download
memory/376-1617-0x00000000739A0000-0x00000000739AB000-memory.dmp

Filesize
44KB

Download
memory/376-1615-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/376-1658-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/376-1355-0x00000000739A0000-0x00000000739A9000-memory.dmp

Filesize
36KB

Download
memory/376-1354-0x00000000739B0000-0x00000000739BE000-memory.dmp

Filesize
56KB

Download
memory/1624-1306-0x00000275374D0000-0x00000275374D2000-memory.dmp

Filesize
8KB

Download
memory/1624-1287-0x000002753A800000-0x000002753A810000-memory.dmp

Filesize
64KB

Download
memory/1624-1457-0x0000027540780000-0x0000027540781000-memory.dmp

Filesize
4KB

Download
memory/1624-1458-0x0000027540790000-0x0000027540791000-memory.dmp

Filesize
4KB

Download
memory/1624-1271-0x0000027539F20000-0x0000027539F30000-memory.dmp

Filesize
64KB

Download
memory/2764-459-0x000001B8C81B0000-0x000001B8C81EC000-memory.dmp

Filesize
240KB

Download
memory/2764-431-0x000001B8AFDB0000-0x000001B8AFDC0000-memory.dmp

Filesize
64KB

Download
memory/2764-676-0x000001B8AFDB0000-0x000001B8AFDC0000-memory.dmp

Filesize
64KB

Download
memory/2764-432-0x000001B8AFDB0000-0x000001B8AFDC0000-memory.dmp

Filesize
64KB

Download
memory/2764-634-0x000001B8C8220000-0x000001B8C824A000-memory.dmp

Filesize
168KB

Download
memory/2764-681-0x00007FF926AE0000-0x00007FF9274CC000-memory.dmp

Filesize
9.9MB

Download
memory/2764-430-0x000001B8C8100000-0x000001B8C8122000-memory.dmp

Filesize
136KB

Download
memory/2764-653-0x000001B8C8220000-0x000001B8C8242000-memory.dmp

Filesize
136KB

Download
memory/2764-470-0x000001B8C87F0000-0x000001B8C8866000-memory.dmp

Filesize
472KB

Download
memory/2764-429-0x00007FF926AE0000-0x00007FF9274CC000-memory.dmp

Filesize
9.9MB

Download
memory/2824-1222-0x0000015A76E10000-0x0000015A76E20000-memory.dmp

Filesize
64KB

Download
memory/2824-1223-0x00007FF926B80000-0x00007FF92756C000-memory.dmp

Filesize
9.9MB

Download
memory/2824-1201-0x00007FF926B80000-0x00007FF92756C000-memory.dmp

Filesize
9.9MB

Download
memory/2824-1203-0x0000015A76E10000-0x0000015A76E20000-memory.dmp

Filesize
64KB

Download
memory/2824-1202-0x0000015A76E10000-0x0000015A76E20000-memory.dmp

Filesize
64KB

Download
memory/3248-945-0x000001D441540000-0x000001D441550000-memory.dmp

Filesize
64KB

Download
memory/3248-946-0x000001D441540000-0x000001D441550000-memory.dmp

Filesize
64KB

Download
memory/3248-1191-0x00007FF926AE0000-0x00007FF9274CC000-memory.dmp

Filesize
9.9MB

Download
memory/3248-943-0x00007FF926AE0000-0x00007FF9274CC000-memory.dmp

Filesize
9.9MB

Download
memory/3248-1175-0x000001D441540000-0x000001D441550000-memory.dmp

Filesize
64KB

Download
memory/4192-366-0x00007FF942DB0000-0x00007FF942DB1000-memory.dmp

Filesize
4KB

Download
memory/4584-1231-0x00000278D3990000-0x00000278D39A0000-memory.dmp

Filesize
64KB

Download
memory/4584-1252-0x00000278D3990000-0x00000278D39A0000-memory.dmp

Filesize
64KB

Download
memory/4584-1662-0x00000278D3990000-0x00000278D39A0000-memory.dmp

Filesize
64KB

Download
memory/4584-1228-0x00007FF926B80000-0x00007FF92756C000-memory.dmp

Filesize
9.9MB

Download
memory/4584-1230-0x00000278D3990000-0x00000278D39A0000-memory.dmp

Filesize
64KB

Download
memory/4584-1253-0x00007FF926B80000-0x00007FF92756C000-memory.dmp

Filesize
9.9MB

Download
memory/4656-691-0x000001EF622C0000-0x000001EF622D0000-memory.dmp

Filesize
64KB

Download
memory/4656-690-0x000001EF622C0000-0x000001EF622D0000-memory.dmp

Filesize
64KB

Download
memory/4656-687-0x00007FF926AE0000-0x00007FF9274CC000-memory.dmp

Filesize
9.9MB

Download
memory/4656-920-0x000001EF622C0000-0x000001EF622D0000-memory.dmp

Filesize
64KB

Download
memory/4656-936-0x00007FF926AE0000-0x00007FF9274CC000-memory.dmp

Filesize
9.9MB

Download
memory/5388-1416-0x00000158D8860000-0x00000158D8862000-memory.dmp

Filesize
8KB

Download
memory/5388-1667-0x00000158D8E20000-0x00000158D8E22000-memory.dmp

Filesize
8KB

Download
memory/5388-1391-0x00000158D8250000-0x00000158D8252000-memory.dmp

Filesize
8KB

Download
memory/5388-1400-0x00000158D9000000-0x00000158D9020000-memory.dmp

Filesize
128KB

Download
memory/5388-1389-0x00000158D8230000-0x00000158D8232000-memory.dmp

Filesize
8KB

Download
memory/5388-1418-0x00000158D88E0000-0x00000158D88E2000-memory.dmp

Filesize
8KB

Download
memory/5388-1613-0x00000158D8DE0000-0x00000158D8DE2000-memory.dmp

Filesize
8KB

Download
memory/5388-1455-0x00000158D8C30000-0x00000158D8C32000-memory.dmp

Filesize
8KB

Download
memory/5388-1414-0x00000158D8840000-0x00000158D8842000-memory.dmp

Filesize
8KB

Download
memory/5388-1395-0x00000158D8950000-0x00000158D8952000-memory.dmp

Filesize
8KB

Download
memory/5388-1665-0x00000158D8E10000-0x00000158D8E12000-memory.dmp

Filesize
8KB

Download
memory/5388-1663-0x00000158D8DF0000-0x00000158D8DF2000-memory.dmp

Filesize
8KB

Download
memory/5388-1412-0x00000158D8620000-0x00000158D8622000-memory.dmp

Filesize
8KB

Download
memory/5388-1408-0x00000158D85B0000-0x00000158D85B2000-memory.dmp

Filesize
8KB

Download
memory/5388-1423-0x00000158DB560000-0x00000158DB580000-memory.dmp

Filesize
128KB

Download
memory/5388-1410-0x00000158D8610000-0x00000158D8612000-memory.dmp

Filesize
8KB

Download
memory/6044-1710-0x00000124A77E0000-0x00000124A78E0000-memory.dmp

Filesize
1024KB

Download