21be0a068d7d1b57578bfb2ed850b3f3b1cfe4a4c47981ead95abdb8c20278fe

Resubmissions

02-05-2024 13:12

240502-qfqr8abg26 5

02-05-2024 13:06

240502-qb8ggahe7t 5

Analysis

max time kernel
1050s
max time network
1026s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
14-04-2024 21:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup-v-b5xa3Su.exe
Size

704KB
MD5

d1fc9e6d71a4867ab71af5566e525ba0
SHA1

593b10280a926134839feb8e2f9d0da9ee9c0593
SHA256

21be0a068d7d1b57578bfb2ed850b3f3b1cfe4a4c47981ead95abdb8c20278fe
SHA512

c82a23e5e0e3a38e32fc08401890852a71ec90640bbfb944ed7d45812493a53d2be2c0e4373692e52c77d666b8ae72cd0d15c3dc4bc3cc52887ad4589820658d
SSDEEP

12288:iOIVD3gyucpjRKaDPNKT1zH3ptaR1sDfOQSvJqFZ6rOIIzVFA4+M:iOIyyuUjMaDu173pG1szLSvJwSOZBv

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.EXE

flow pid process

162 5668 powershell.EXE

flow	pid	process
162	5668	powershell.EXE

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VLC.exeVLC.execmd.exeVLC.exeVLC.execmd.exeVLC.exeVLC.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	VLC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	VLC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	VLC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	VLC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	VLC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	VLC.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.EXEVLC.exeVLC.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File created	C:\Windows\System32\NvWinSearchOptimizer.ps1	VLC.exe
File opened for modification	C:\Windows\System32\NvWinSearchOptimizer.ps1	VLC.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 64 IoCs

Processes:

Setup-v-b5xa3Su.exe

description	ioc	process
File created	C:\Windows\NvOptimizerLog\locales\sw.pak	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\ffmpeg.dll	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\elevate.exe	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\bg.pak	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\locales\ko.pak	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\sk.pak	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\uk.pak	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\applet.app\Contents\Resources\applet.icns	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\assets	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\assets\osx.png	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\resources\regedit\vbs\ArchitectureAgnosticRegistry.vbs	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\applet.app	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\sl.pak	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\vendor\win32\Elevate\Elevate.rc	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\locales\kn.pak	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\applet.app\Contents\Resources	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\locales\bg.pak	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\locales\th.pak	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\assets\win32.png	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\applet.app\Contents\Resources\Scripts\main.scpt	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\elevate.exe	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\regedit\vbs	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\locales\pl.pak	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\libgksu2.so.0	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\vendor\win32\Elevate\Elevate.vcxproj	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\webpack\chmod.js	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\vendor	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\am.pak	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\da.pak	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\hr.pak	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\webpack\chmod.js	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\locales\ms.pak	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources.pak	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\vendor\win32\Elevate\Elevate.vcxproj	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\regedit\vbs\regPutValue.wsf	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\applet.app\Contents\MacOS	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\locales\el.pak	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\locales\fi.pak	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\locales\he.pak	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\locales\sl.pak	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\.babelrc	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\gksudo	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\libGLESv2.dll	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\vulkan-1.dll	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\es.pak	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\locales\ml.pak	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\.eslintignore	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\libgksu2.so.0	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\package.json	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\regedit\vbs\JsonSafeTest.wsf	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\vk_swiftshader_icd.json	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\tr.pak	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\applet.app\LICENSE	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\vendor\win32\Elevate\main.c	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\resources\regedit\vbs\regUtil.vbs	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\elevate.exe	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\applet.app\Contents\Resources\Scripts\main.scpt	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\vendor\win32\Elevate\Elevate.rc	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\locales\tr.pak	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\applet.app\Contents\Resources\applet.icns	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\libgksu2.so.0	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\ffmpeg.dll	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\vendor\win32	Setup-v-b5xa3Su.exe

Executes dropped EXE 16 IoCs

Processes:

VLC.exeVLC.exeVLC.exeVLC.exeinstaller.exeVLC.exeVLC.exeVLC.exeVLC.exeinstaller.exeVLC.exeVLC.exeVLC.exeinstaller.exeVLC.exeVLC.exe

pid	process
956	VLC.exe
2968	VLC.exe
3304	VLC.exe
3412	VLC.exe
2188	installer.exe
3756	VLC.exe
5388	VLC.exe
5564	VLC.exe
6008	VLC.exe
6092	installer.exe
1444	VLC.exe
1660	VLC.exe
2604	VLC.exe
2260	installer.exe
1004	VLC.exe
2668	VLC.exe

Loads dropped DLL 42 IoCs

Processes:

Setup-v-b5xa3Su.exeVLC.exeVLC.exeVLC.exeVLC.exeinstaller.exeVLC.exeVLC.exeVLC.exeVLC.exeinstaller.exeVLC.exeVLC.exeVLC.exeVLC.exeinstaller.exeVLC.exe

pid	process
3440	Setup-v-b5xa3Su.exe
3440	Setup-v-b5xa3Su.exe
3440	Setup-v-b5xa3Su.exe
3440	Setup-v-b5xa3Su.exe
3440	Setup-v-b5xa3Su.exe
3440	Setup-v-b5xa3Su.exe
3440	Setup-v-b5xa3Su.exe
3440	Setup-v-b5xa3Su.exe
3440	Setup-v-b5xa3Su.exe
3440	Setup-v-b5xa3Su.exe
956	VLC.exe
3304	VLC.exe
3412	VLC.exe
2968	VLC.exe
2968	VLC.exe
2968	VLC.exe
2968	VLC.exe
2188	installer.exe
2188	installer.exe
2188	installer.exe
2188	installer.exe
3756	VLC.exe
5388	VLC.exe
6008	VLC.exe
5564	VLC.exe
5388	VLC.exe
5388	VLC.exe
5388	VLC.exe
6092	installer.exe
6092	installer.exe
6092	installer.exe
6092	installer.exe
1444	VLC.exe
1660	VLC.exe
1004	VLC.exe
2604	VLC.exe
2604	VLC.exe
2604	VLC.exe
2604	VLC.exe
2260	installer.exe
2260	installer.exe
2668	VLC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

3080 schtasks.exe
1528 schtasks.exe
5596 schtasks.exe

pid	process
3080	schtasks.exe
1528	schtasks.exe
5596	schtasks.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exemsedge.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exesysteminfo.exe

pid process

6136 systeminfo.exe
3328 systeminfo.exe

pid	process
6136	systeminfo.exe
3328	systeminfo.exe

Modifies data under HKEY_USERS 49 IoCs

Processes:

powershell.EXEchrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133576034214217150"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Setup-v-b5xa3Su.exeVLC.exeVLC.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exemsedge.exemsedge.exechrome.exeinstaller.exeVLC.exeVLC.exepowershell.exepowershell.exepowershell.exeinstaller.exeVLC.exeVLC.exepowershell.exe

pid	process
3440	Setup-v-b5xa3Su.exe
3440	Setup-v-b5xa3Su.exe
3440	Setup-v-b5xa3Su.exe
3440	Setup-v-b5xa3Su.exe
3440	Setup-v-b5xa3Su.exe
3440	Setup-v-b5xa3Su.exe
3412	VLC.exe
3412	VLC.exe
3304	VLC.exe
3304	VLC.exe
1536	powershell.exe
1536	powershell.exe
1756	powershell.exe
1756	powershell.exe
2868	powershell.exe
2868	powershell.exe
924	powershell.exe
924	powershell.exe
924	powershell.exe
1308	powershell.exe
1308	powershell.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
4516	msedge.exe
4516	msedge.exe
4672	chrome.exe
4672	chrome.exe
2188	installer.exe
2188	installer.exe
2188	installer.exe
2188	installer.exe
2188	installer.exe
2188	installer.exe
2188	installer.exe
2188	installer.exe
6008	VLC.exe
5564	VLC.exe
6008	VLC.exe
5564	VLC.exe
1932	powershell.exe
1932	powershell.exe
1932	powershell.exe
5220	powershell.exe
5220	powershell.exe
5220	powershell.exe
672	powershell.exe
672	powershell.exe
672	powershell.exe
6092	installer.exe
6092	installer.exe
6092	installer.exe
6092	installer.exe
6092	installer.exe
6092	installer.exe
6092	installer.exe
6092	installer.exe
6092	installer.exe
1660	VLC.exe
1660	VLC.exe
1004	VLC.exe
1004	VLC.exe
4260	powershell.exe
4260	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

Processes:

chrome.exemsedge.exechrome.exemsedge.exe

pid	process
4672	chrome.exe
4672	chrome.exe
456	msedge.exe
456	msedge.exe
4672	chrome.exe
456	msedge.exe
5884	chrome.exe
5884	chrome.exe
2664	msedge.exe
2664	msedge.exe
5884	chrome.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Setup-v-b5xa3Su.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeSecurityPrivilege	3440	Setup-v-b5xa3Su.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeIncreaseQuotaPrivilege	1536	powershell.exe
Token: SeSecurityPrivilege	1536	powershell.exe
Token: SeTakeOwnershipPrivilege	1536	powershell.exe
Token: SeLoadDriverPrivilege	1536	powershell.exe
Token: SeSystemProfilePrivilege	1536	powershell.exe
Token: SeSystemtimePrivilege	1536	powershell.exe
Token: SeProfSingleProcessPrivilege	1536	powershell.exe
Token: SeIncBasePriorityPrivilege	1536	powershell.exe
Token: SeCreatePagefilePrivilege	1536	powershell.exe
Token: SeBackupPrivilege	1536	powershell.exe
Token: SeRestorePrivilege	1536	powershell.exe
Token: SeShutdownPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeSystemEnvironmentPrivilege	1536	powershell.exe
Token: SeRemoteShutdownPrivilege	1536	powershell.exe
Token: SeUndockPrivilege	1536	powershell.exe
Token: SeManageVolumePrivilege	1536	powershell.exe
Token: 33	1536	powershell.exe
Token: 34	1536	powershell.exe
Token: 35	1536	powershell.exe
Token: 36	1536	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeIncreaseQuotaPrivilege	1756	powershell.exe
Token: SeSecurityPrivilege	1756	powershell.exe
Token: SeTakeOwnershipPrivilege	1756	powershell.exe
Token: SeLoadDriverPrivilege	1756	powershell.exe
Token: SeSystemProfilePrivilege	1756	powershell.exe
Token: SeSystemtimePrivilege	1756	powershell.exe
Token: SeProfSingleProcessPrivilege	1756	powershell.exe
Token: SeIncBasePriorityPrivilege	1756	powershell.exe
Token: SeCreatePagefilePrivilege	1756	powershell.exe
Token: SeBackupPrivilege	1756	powershell.exe
Token: SeRestorePrivilege	1756	powershell.exe
Token: SeShutdownPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeSystemEnvironmentPrivilege	1756	powershell.exe
Token: SeRemoteShutdownPrivilege	1756	powershell.exe
Token: SeUndockPrivilege	1756	powershell.exe
Token: SeManageVolumePrivilege	1756	powershell.exe
Token: 33	1756	powershell.exe
Token: 34	1756	powershell.exe
Token: 35	1756	powershell.exe
Token: 36	1756	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeIncreaseQuotaPrivilege	2868	powershell.exe
Token: SeSecurityPrivilege	2868	powershell.exe
Token: SeTakeOwnershipPrivilege	2868	powershell.exe
Token: SeLoadDriverPrivilege	2868	powershell.exe
Token: SeSystemProfilePrivilege	2868	powershell.exe
Token: SeSystemtimePrivilege	2868	powershell.exe
Token: SeProfSingleProcessPrivilege	2868	powershell.exe
Token: SeIncBasePriorityPrivilege	2868	powershell.exe
Token: SeCreatePagefilePrivilege	2868	powershell.exe
Token: SeBackupPrivilege	2868	powershell.exe
Token: SeRestorePrivilege	2868	powershell.exe
Token: SeShutdownPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeSystemEnvironmentPrivilege	2868	powershell.exe
Token: SeRemoteShutdownPrivilege	2868	powershell.exe
Token: SeUndockPrivilege	2868	powershell.exe
Token: SeManageVolumePrivilege	2868	powershell.exe
Token: 33	2868	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exechrome.exechrome.exe

pid	process
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
456	msedge.exe
5884	chrome.exe
5884	chrome.exe
5884	chrome.exe
5884	chrome.exe
5884	chrome.exe
5884	chrome.exe
5884	chrome.exe
5884	chrome.exe
5884	chrome.exe
5884	chrome.exe
5884	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exechrome.exechrome.exe

pid	process
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
5884	chrome.exe
5884	chrome.exe
5884	chrome.exe
5884	chrome.exe
5884	chrome.exe
5884	chrome.exe
5884	chrome.exe
5884	chrome.exe
5884	chrome.exe
5884	chrome.exe
5884	chrome.exe
5884	chrome.exe
5884	chrome.exe
5884	chrome.exe
5884	chrome.exe
5884	chrome.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

VLC.exeVLC.exeVLC.exeVLC.exeinstaller.exeVLC.exeVLC.exeVLC.exeVLC.exeinstaller.exeVLC.exeVLC.exeinstaller.exeVLC.exeVLC.exeVLC.exe

pid	process
956	VLC.exe
3304	VLC.exe
3412	VLC.exe
2968	VLC.exe
2188	installer.exe
3756	VLC.exe
5388	VLC.exe
5564	VLC.exe
6008	VLC.exe
6092	installer.exe
1444	VLC.exe
1660	VLC.exe
2260	installer.exe
1004	VLC.exe
2604	VLC.exe
2668	VLC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VLC.exeVLC.execmd.execmd.execmd.exe

description	pid	process	target process
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2968	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 3412	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 3412	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 3304	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 3304	956	VLC.exe	VLC.exe
PID 956 wrote to memory of 2188	956	VLC.exe	installer.exe
PID 956 wrote to memory of 2188	956	VLC.exe	installer.exe
PID 956 wrote to memory of 2188	956	VLC.exe	installer.exe
PID 3412 wrote to memory of 1792	3412	VLC.exe	cmd.exe
PID 3412 wrote to memory of 1792	3412	VLC.exe	cmd.exe
PID 1792 wrote to memory of 4244	1792	cmd.exe	chcp.com
PID 1792 wrote to memory of 4244	1792	cmd.exe	chcp.com
PID 3412 wrote to memory of 1536	3412	VLC.exe	powershell.exe
PID 3412 wrote to memory of 1536	3412	VLC.exe	powershell.exe
PID 3412 wrote to memory of 1756	3412	VLC.exe	powershell.exe
PID 3412 wrote to memory of 1756	3412	VLC.exe	powershell.exe
PID 3412 wrote to memory of 2868	3412	VLC.exe	powershell.exe
PID 3412 wrote to memory of 2868	3412	VLC.exe	powershell.exe
PID 3412 wrote to memory of 3972	3412	VLC.exe	cmd.exe
PID 3412 wrote to memory of 3972	3412	VLC.exe	cmd.exe
PID 3972 wrote to memory of 3080	3972	cmd.exe	schtasks.exe
PID 3972 wrote to memory of 3080	3972	cmd.exe	schtasks.exe
PID 3412 wrote to memory of 976	3412	VLC.exe	cmd.exe
PID 3412 wrote to memory of 976	3412	VLC.exe	cmd.exe
PID 976 wrote to memory of 924	976	cmd.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Setup-v-b5xa3Su.exe
"C:\Users\Admin\AppData\Local\Temp\Setup-v-b5xa3Su.exe"
1⤵
- Drops file in Windows directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3440

C:\Windows\NvOptimizerLog\VLC.exe
"C:\Windows\NvOptimizerLog\VLC.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\NvOptimizerLog\VLC.exe
"C:\Windows\NvOptimizerLog\VLC.exe" --type=gpu-process --field-trial-handle=1596,16941101848722511605,7654930246125728736,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1604 /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2968

C:\Windows\NvOptimizerLog\VLC.exe
"C:\Windows\NvOptimizerLog\VLC.exe" --type=renderer --field-trial-handle=1596,16941101848722511605,7654930246125728736,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Windows\NvOptimizerLog\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2004 /prefetch:1
2⤵
- Checks computer location settings
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "chcp"
3⤵
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\system32\chcp.com
chcp
4⤵
PID:4244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "SCHTASKS /Create /TN "NvOptimizerTaskUpdater_V2" /SC HOURLY /TR "powershell -File C:/Windows/System32/NvWinSearchOptimizer.ps1" /RL HIGHEST /MO 4 /RU System /ST 21:25"
3⤵
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\system32\schtasks.exe
SCHTASKS /Create /TN "NvOptimizerTaskUpdater_V2" /SC HOURLY /TR "powershell -File C:/Windows/System32/NvWinSearchOptimizer.ps1" /RL HIGHEST /MO 4 /RU System /ST 21:25
4⤵
- Creates scheduled task(s)
PID:3080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Set-ExecutionPolicy -ExecutionPolicy Unrestricted"
3⤵
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-ExecutionPolicy -ExecutionPolicy Unrestricted
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ExecutionPolicy"
3⤵
PID:2060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ExecutionPolicy
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "systeminfo"
3⤵
PID:4700

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:3328

C:\Windows\system32\cscript.exe
cscript.exe
3⤵
PID:1372

C:\Windows\system32\cscript.exe
cscript.exe //Nologo resources\regedit\vbs\regList.wsf A HKCU\SOFTWARE\NvOptimizer
3⤵
PID:2252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "start chrome "https://mediatrackerr.com/track-install?s=vlc&u=f25a62ee-56f6-4d32-b2e7-7a4843521fa8&f=Setup-v-b5xa3Su.exe""
3⤵
- Checks computer location settings
PID:2588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://mediatrackerr.com/track-install?s=vlc&u=f25a62ee-56f6-4d32-b2e7-7a4843521fa8&f=Setup-v-b5xa3Su.exe"
4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff98430ab58,0x7ff98430ab68,0x7ff98430ab78
5⤵
PID:4372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=2208,i,3242823731441865675,17533907298073023290,131072 /prefetch:2
5⤵
PID:5048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1848 --field-trial-handle=2208,i,3242823731441865675,17533907298073023290,131072 /prefetch:8
5⤵
PID:4564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2044 --field-trial-handle=2208,i,3242823731441865675,17533907298073023290,131072 /prefetch:8
5⤵
PID:2276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=2208,i,3242823731441865675,17533907298073023290,131072 /prefetch:1
5⤵
PID:2804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=2208,i,3242823731441865675,17533907298073023290,131072 /prefetch:1
5⤵
PID:1932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4300 --field-trial-handle=2208,i,3242823731441865675,17533907298073023290,131072 /prefetch:1
5⤵
PID:5376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mediatrackerr.com/track-install?s=vlc&u=f25a62ee-56f6-4d32-b2e7-7a4843521fa8&f=Setup-v-b5xa3Su.exe
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9845546f8,0x7ff984554708,0x7ff984554718
4⤵
PID:4980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,10751395316522100813,3068237995762364796,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2292 /prefetch:2
4⤵
PID:2208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2248,10751395316522100813,3068237995762364796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,10751395316522100813,3068237995762364796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2960 /prefetch:1
4⤵
PID:1720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,10751395316522100813,3068237995762364796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2968 /prefetch:1
4⤵
PID:4716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2248,10751395316522100813,3068237995762364796,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3024 /prefetch:8
4⤵
PID:2784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,10751395316522100813,3068237995762364796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
4⤵
PID:5440

C:\Windows\NvOptimizerLog\resources\vlc\installer.exe
resources/vlc/installer.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2188

C:\Windows\NvOptimizerLog\VLC.exe
"C:\Windows\NvOptimizerLog\VLC.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1596,16941101848722511605,7654930246125728736,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2068 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3304

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3248

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1188

C:\Windows\NvOptimizerLog\VLC.exe
"C:\Windows\NvOptimizerLog\VLC.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3756

C:\Windows\NvOptimizerLog\VLC.exe
"C:\Windows\NvOptimizerLog\VLC.exe" --type=gpu-process --field-trial-handle=1196,363150084144785197,2615497904114012075,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1596 /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5388

C:\Windows\NvOptimizerLog\VLC.exe
"C:\Windows\NvOptimizerLog\VLC.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1196,363150084144785197,2615497904114012075,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2076 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5564

C:\Windows\NvOptimizerLog\VLC.exe
"C:\Windows\NvOptimizerLog\VLC.exe" --type=renderer --field-trial-handle=1196,363150084144785197,2615497904114012075,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Windows\NvOptimizerLog\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2184 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:6008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "chcp"
3⤵
PID:5136

C:\Windows\system32\chcp.com
chcp
4⤵
PID:1336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "SCHTASKS /Create /TN "NvOptimizerTaskUpdater_V2" /SC HOURLY /TR "powershell -File C:/Windows/System32/NvWinSearchOptimizer.ps1" /RL HIGHEST /MO 4 /RU System /ST 21:26"
3⤵
PID:3288

C:\Windows\system32\schtasks.exe
SCHTASKS /Create /TN "NvOptimizerTaskUpdater_V2" /SC HOURLY /TR "powershell -File C:/Windows/System32/NvWinSearchOptimizer.ps1" /RL HIGHEST /MO 4 /RU System /ST 21:26
4⤵
- Creates scheduled task(s)
PID:1528

C:\Windows\NvOptimizerLog\resources\vlc\installer.exe
resources/vlc/installer.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:6092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2060

C:\Windows\NvOptimizerLog\VLC.exe
"C:\Windows\NvOptimizerLog\VLC.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1444

C:\Windows\NvOptimizerLog\VLC.exe
"C:\Windows\NvOptimizerLog\VLC.exe" --type=gpu-process --field-trial-handle=1576,18138677285420091612,2261608731282915796,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1584 /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2604

C:\Windows\NvOptimizerLog\VLC.exe
"C:\Windows\NvOptimizerLog\VLC.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1576,18138677285420091612,2261608731282915796,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1992 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1660

C:\Windows\NvOptimizerLog\VLC.exe
"C:\Windows\NvOptimizerLog\VLC.exe" --type=renderer --field-trial-handle=1576,18138677285420091612,2261608731282915796,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Windows\NvOptimizerLog\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2212 /prefetch:1
2⤵
- Checks computer location settings
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "chcp"
3⤵
PID:5688

C:\Windows\system32\chcp.com
chcp
4⤵
PID:5332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
3⤵
PID:1188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
3⤵
PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "SCHTASKS /Create /TN "NvOptimizerTaskUpdater_V2" /SC HOURLY /TR "powershell -File C:/Windows/System32/NvWinSearchOptimizer.ps1" /RL HIGHEST /MO 4 /RU System /ST 21:26"
3⤵
PID:5344

C:\Windows\system32\schtasks.exe
SCHTASKS /Create /TN "NvOptimizerTaskUpdater_V2" /SC HOURLY /TR "powershell -File C:/Windows/System32/NvWinSearchOptimizer.ps1" /RL HIGHEST /MO 4 /RU System /ST 21:26
4⤵
- Creates scheduled task(s)
PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Set-ExecutionPolicy -ExecutionPolicy Unrestricted"
3⤵
PID:3452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-ExecutionPolicy -ExecutionPolicy Unrestricted
4⤵
PID:6088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ExecutionPolicy"
3⤵
PID:1516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ExecutionPolicy
4⤵
PID:3008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "systeminfo"
3⤵
PID:6064

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:6136

C:\Windows\system32\cscript.exe
cscript.exe
3⤵
PID:5904

C:\Windows\system32\cscript.exe
cscript.exe //Nologo resources\regedit\vbs\regList.wsf A HKCU\SOFTWARE\NvOptimizer
3⤵
PID:960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "start chrome "https://mediatrackerr.com/track-install?s=vlc&u=f25a62ee-56f6-4d32-b2e7-7a4843521fa8&f=Setup-v-b5xa3Su.exe""
3⤵
- Checks computer location settings
PID:2836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://mediatrackerr.com/track-install?s=vlc&u=f25a62ee-56f6-4d32-b2e7-7a4843521fa8&f=Setup-v-b5xa3Su.exe"
4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff98430ab58,0x7ff98430ab68,0x7ff98430ab78
5⤵
PID:3272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1672,i,6204360037035201742,14220973385664921294,131072 /prefetch:2
5⤵
PID:4564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1672,i,6204360037035201742,14220973385664921294,131072 /prefetch:8
5⤵
PID:664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2280 --field-trial-handle=1672,i,6204360037035201742,14220973385664921294,131072 /prefetch:8
5⤵
PID:784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3004 --field-trial-handle=1672,i,6204360037035201742,14220973385664921294,131072 /prefetch:1
5⤵
PID:3472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3012 --field-trial-handle=1672,i,6204360037035201742,14220973385664921294,131072 /prefetch:1
5⤵
PID:1076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4280 --field-trial-handle=1672,i,6204360037035201742,14220973385664921294,131072 /prefetch:1
5⤵
PID:4724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4472 --field-trial-handle=1672,i,6204360037035201742,14220973385664921294,131072 /prefetch:8
5⤵
PID:6044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 --field-trial-handle=1672,i,6204360037035201742,14220973385664921294,131072 /prefetch:8
5⤵
PID:4976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4504 --field-trial-handle=1672,i,6204360037035201742,14220973385664921294,131072 /prefetch:8
5⤵
PID:1112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2776 --field-trial-handle=1672,i,6204360037035201742,14220973385664921294,131072 /prefetch:2
5⤵
PID:3580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mediatrackerr.com/track-install?s=vlc&u=f25a62ee-56f6-4d32-b2e7-7a4843521fa8&f=Setup-v-b5xa3Su.exe
3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:2664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff9845546f8,0x7ff984554708,0x7ff984554718
4⤵
PID:5380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,5338402799847912379,1520331903623526297,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
4⤵
PID:5316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,5338402799847912379,1520331903623526297,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
4⤵
PID:5292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,5338402799847912379,1520331903623526297,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
4⤵
PID:5664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,5338402799847912379,1520331903623526297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
4⤵
PID:5452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,5338402799847912379,1520331903623526297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
4⤵
PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,5338402799847912379,1520331903623526297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
4⤵
PID:4060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,5338402799847912379,1520331903623526297,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 /prefetch:2
4⤵
PID:5408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,5338402799847912379,1520331903623526297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2984 /prefetch:1
4⤵
PID:3668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,5338402799847912379,1520331903623526297,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1144 /prefetch:1
4⤵
PID:5212

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,5338402799847912379,1520331903623526297,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 /prefetch:8
4⤵
PID:1740

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,5338402799847912379,1520331903623526297,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 /prefetch:8
4⤵
PID:1564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,5338402799847912379,1520331903623526297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
4⤵
PID:2540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,5338402799847912379,1520331903623526297,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
4⤵
PID:4628

C:\Windows\NvOptimizerLog\resources\vlc\installer.exe
resources/vlc/installer.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2260

C:\Windows\NvOptimizerLog\VLC.exe
"C:\Windows\NvOptimizerLog\VLC.exe" --type=gpu-process --field-trial-handle=1576,18138677285420091612,2261608731282915796,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2156 /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4020

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -File C:/Windows/System32/NvWinSearchOptimizer.ps1
1⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5668

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
06e1ee65f377a305cd4350c0888bef4f

SHA1
5fb42caf3ec934526e3937224f5a78bfb5c40791

SHA256
36da6e4a1f68107a5ca4fa6cd858c8cec5734203386303e978f330abf65b385e

SHA512
467d5d5c25b406480a79356acf71857c6a20d4d30377894d2f91c51d2e327f608d2f9d13878025b3d9c9cf21b30537ce9a08cc6cd660a25b30f203fa95eed126

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
b5149966580ddb8751b4ac1d474d62d8

SHA1
fd5f40b91e342c1ad119631d584c2cfc9a6b1d41

SHA256
f6d54c1bd315354b5f81008811d35360b6c3b530033a4c11c012cb4c1715fe91

SHA512
784042d5828af560dc044d014cb67889026e99a811757f0d50a72a36de9113b44d0daffe3d9b2ec22e18e289cac0017e4a03cdff1ccd1d51771140f3ee000695

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
392B

MD5
394ca016409f31822f40b68d5c7288ed

SHA1
fff7dc1c79204c57625b791c0b16fefec6c9e411

SHA256
3f9133af54bd01d0c299728c7a819f440d8fe26eca6cc8b489aa2ab60ecd9553

SHA512
cdd342d659264c67be5b2cf8306560cf28240ba3a28c82d19cead33556ae9ea1dc01d526fa37c78c6fdd31589caba9201784ab04cf143bad29d4b799a440323a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
2bfa566aefa8e47c7387e7bbaa3648cc

SHA1
28bc937b158d50cf032755e6eaa1737a61634f5e

SHA256
919dcc4944a40fadc992421db14587d3a97f6b6d7ec33e4ba9413def927de5b0

SHA512
45074aa280d789a79246e2dd793db68061701e87efaf437de2702a576998a295e5be10bfc10f2aa5691272e5beab3c5791e2d647188dd9e1a56d6ed4a982660b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e
Filesize
76KB

MD5
15c1c178d1ec9516064dcfb8978409d1

SHA1
f5c631d350ccba1330da2bd7ed4d1155037fff50

SHA256
ba327569f35f7b745f911ca9b0952c785b86fded6d32328949402fe3165cfd8a

SHA512
c749dee602007bbb092883addc8280b2daf3afc287372e721cf11f27c425df205780bb19947e6b63dbf21c052c843c30b247fed40d7a3925caf23c23b1f90553

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
192B

MD5
5b9656effbd86c60bb594c0fb6385898

SHA1
9483e4f72e0ab9228935d6f5d76e3a503e3a5d87

SHA256
58ee1860479b38d72216105d66989ec0175afeb12dec6b61801b163e2ee0d2ac

SHA512
a745878ae09472cebd6090e26ad4b3ebe8334b13fa8e35b2a1a9c5337361b36cf1b2727fb106639e0003f51f843804669b82c5f7298f483159b75d0c59d21277

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
360B

MD5
68fc299928cc23120c5cde5f27639bcf

SHA1
9ab838720859794eed5b94045c266a8daa451cd0

SHA256
8c4fbf713bfddaf9d118c98fda77775d426379780292569d28d5801b021c9cdf

SHA512
302b5e45d81ead67ec1a0ba085eca5b78ea19d827833693ff99827ba37ad949f73e40a07513ba964aac041e1c3c5f83297bc9b629991460c937839993dbee311

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
95033b19a2a5277de88556125342dfc7

SHA1
6d11f771ad35388f6f4d91b87307ce5d0e446009

SHA256
762bfb222914b032eea77e7778dce034e28c65151a9ffe9a24a433cf6619d5c4

SHA512
830866829d2273057fc279334aff3996c2dcfd2722f6a70d968d39023788c8b5054794c3bf3aa8b69aa6d7ce24bfd0ba1c4df9e04311a2ccd590863d78bedefb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
a420b87130d0a7f59a124411616a2b4c

SHA1
ee8686360608684e8c78b6da104f6271ea88f59e

SHA256
fab221ee0ac59dedc1e8e5950705af43ac6d67279d0f7edd44662bb80b5f94c6

SHA512
be25fa0495e4cf3fc131f141efa9bd2904b1d41fe7e29a25e0f6e961313d0661e11f11b02c49d6e80169b597af012f4c0415e6b57a08d0f11e256c008f692972

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
17ef2062a6b861c64426bf7bf31b7461

SHA1
70ed1e91b3260c6130ab3ae60ebb7f8a27f91a84

SHA256
b9e50b52a89eecabc61789f0ccfa3b02a1cdc77a6c7941d4b99a82951b34442b

SHA512
f6a4b8c127610069a1f6620a5da0b8726931f68e6286d607cdd2a7b48f0bd7a54174bee38476979e7d59d5189767c43a9f887256e211130faca2c998532f458d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
7b66b7d202934a0c241bca10b73b1f4d

SHA1
7e69913b26c970fc2a09380581d2e26bca7161be

SHA256
4e3ca5704e3eb413a31dcf3e9907641309efbac1bebc45b40bb663eb1b394ac2

SHA512
63085263e520198f7bd4dd4d6562858113f929a89bc98a212d8d6ad1b19f0852789de2db22f2b8696526cbf14dccab1291a7257d6915db0067cf3ae4d81423b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
524B

MD5
bb2543c728bb7df3733854b0309767f6

SHA1
6f03f4f9d54222a3cbc0ba46456aa965dcb1f3b7

SHA256
f98b4ad1c3b8f3743808bbcf873fd80f005e40adb6e0536438990cfc86335a74

SHA512
4b8450e88ed3bb5d1b949970efc4f1a1f214773b678c11c77f24c4efe8a34f10ef266fc3b02904f84fffd25ce3816fb3275ba24cf9907d536b0609501cbca41b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
524B

MD5
d00b51bc78ea390cf70c651ba6b61680

SHA1
9fa95371ef28790a3b3d1f42808a2957e4abfd96

SHA256
e2b995e3d6ad6192f073d59d4b94e82a28ce3c5b6093fb699a7c1566b24fe1c4

SHA512
22f98339434558e7e0f6a8de996da3dc3e82d369ac06fafe1a492caae6fec20d655226ac079e8107c3804a01a34226f94e63edadbf79ed989cf1c11fb41a877c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
debb7da02b63e06b19a9d98400c78e76

SHA1
53cb25e3976f1d15dc83d97982bf206027604104

SHA256
9e4d2322e6b3e7fd8fda0e1dc40574e685afd979c882b898fde14445e09fbf5b

SHA512
a44178b58d4e50749c0c6504a3937a3e6957b5988a139fcc056629dc38c114f039ea6bf9d6bad45798ee94c345379b3e1322094a6c7fccf261c5a4c0047b7d09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
7e68b8eb1abe148cdf089cc3225dbe49

SHA1
dd7b68512b942f09cf3999914b2d315edac3ca2a

SHA256
c8d9b48e27acf636a266b004ec9f73f966e20ae1c9c86c87c80b71c616607cd4

SHA512
6288a39ec837e4c6aaae905c04a6483cd01ce150d897874aefa13088aed7cd3c2783e3fcda7d82833b82f25d55805ec78ce327b587b51107a0ceed63b6ec6124

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
73abb65b728b34d98fcc18857debfb0f

SHA1
fce57bfdc7819d94e1f84722a01ac666d65db3bf

SHA256
1ade942e2516ea383594609a490bf49e11d2c40cec1d16c421c5867d9876dcd3

SHA512
57a11030dd582f98bd2384669682e98f7970b73bd0f8fef03fd54d34f754a54967b51448836d31dd3eb5f182085f5acbaa04f4e1b36ec62e05faa295b48e8436

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
127KB

MD5
8678cac92bad5f08f5fa73f97265aeb5

SHA1
96df7c515f0dea155d62b35756817991a77d4ee8

SHA256
fd5c2ff95b2b1a9285564a287d1a51ae84af24a8e194fb8e11d93b9713f4b3d3

SHA512
75a5e845d14f3d699d25643b479554b30d855611c8a5bbaeec82634e384f32dcf01b797d3647f687cb1ba31f41483879c3f00dcd6d294c46c7ee4e558e309e9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
251KB

MD5
d95d53fc27b2826c7405a2c9e52fff44

SHA1
72d9fbb3e60162f6883d1b18d0c9efc35060e330

SHA256
e2c688965c4435258484b14731bb0591242c53cc4c04bbd71ddec9d8f0ab06be

SHA512
28888466ef04359ff7796c949128c015f7d2e8d688de9e116ab85746e2bf59f2b748695b64361dc2a61f71f361a2878319caff13573f8a862aa5c058c23c15b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
5c3cc3c6ae2c1e0b92b502859ce79d0c

SHA1
bde46d0f91ad780ce5cba924f8d9f4c175c5b83d

SHA256
5a48860ad5bdf15d7a241aa16124163ec48adc0f0af758e43561ac07e4f163b2

SHA512
269b79931df92c30741c9a42a013cb24935887272ed8077653f0b6525793da52c5004c70329d8e0e7b2776fc1aba6e32da5dadf237ae42f7398fdf35a930663e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
972fe06332450c72ba0fa06c456b2c47

SHA1
3164c068c0b5af702f223ee7bdd3fb1e0c3f2e1b

SHA256
671135a0ff2d6cfa84262257574747463e537f88613e0e958695759eba65a909

SHA512
30b0bb6aa397d6a3fc994a56973a22942b92a38f5907fd47029cebe70aeb043bd25be6707f3d415804cd7e38d3cd1ab2b558248c3b066d545d0613205c0f62e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e9369e5c209a348c990284ee03aaa775

SHA1
8c1500e36c414bc548250a7252153b9e4622dcf1

SHA256
725f45f6b7d65b19cfb2667e0e4b6767328662038f3714a3fe4bf41a5f94dfbb

SHA512
5737fee5c16994628a6fc56ed0dd6a8afe1f9b9b7b484917a4e47e61c394f1fc69d5a014b4f55963895b403a7860bc4d5b860e0b7f9e6d3a59a8548d37f8ab85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
2579d07b98bbefadc929d80fb3dbd32a

SHA1
1ceb57c4b81f0f23500e118a4b9a225116a467de

SHA256
b8443c289ad36568a2bf794ac9ec1f259a9dd930c36680dafc8d0cb4de81feb6

SHA512
53522ad5e8e2a272d5b1bff9b9226b7d976d47413891c60d7efebd4365baff12b6891e3f79b20e14892ec7c654ad2d437941014290c428c6b1bd78a7b3e557de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8c91c8582b0c918416d14bd7eedd686e

SHA1
b2ff8149bc21144fdcec64111afda492965c6621

SHA256
1e839706b748c04adf8efa2790564ca1efd707fdf6451e71af6862e07123717e

SHA512
a93be868d9f08097bff39069378a0bfa0f5c78e74e9e8df820be9b0426cbfe84e03e9638b329b6142279ed140a120c4c4c21857f410fc4789a370445c3919dcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
216B

MD5
d9f94675093b292671b8f03cff11905b

SHA1
ef1c88e8c8f059dc1cf22abd410d47019d136b90

SHA256
0c0b5bc8bcfd77738e5fd4d5111b60a0a315b9968bb6d6e7b239fae3c8e76153

SHA512
52e82c7d3d4145cc6b6dc76842eb1ef664b83565fcadca72d17dba7a10f8aa921ec7cecbcc2425b476b0472d176e5543fcb555ff4d43e17c3de49055db5bb51a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
504B

MD5
c1a6480c15d692ed7308f18d4bc578c7

SHA1
9abcc6d1e094101d42f8216d2937730a2ab111ba

SHA256
6adbc98d320e42462456b5b789231ab848bbd0706fc17b100ebbc8bd5734fbf6

SHA512
e946248db98927169453dd5b6c247e4d26752155b96a0171c7654a03e685afd4914792c9d6b33cc50d8c98fa045d1862910f40f22840447f624650e05940d416

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
c00ace52c7b0eae43cfc4be92e5120b3

SHA1
1c7551f686c71a3c1b511525247ec6c249b9cbc5

SHA256
e4b7597e13b5eb798a5836d74d77293227aae71c1776ecbfc8cf94cd1d61ea96

SHA512
018d6b953322c93be1acfa018725d046414e5177508786df84e65a9cafcc922231349783e41be31e1fc333c20370dcbc2b61353b6db02e6c587fe245dedff45a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
2ae3d29f3c610ea56545a8321f889a48

SHA1
2b496a32fdc6c476ecd347834d5c4183f667608c

SHA256
ff4221bbb2e77970e354b562d9a221b21f7354832ed93b2553baf2779d29b4f0

SHA512
4f8a8172e6f46d728282a08414864422366ff9c947417fb69f38134e3321b13188e4223ab46323b466604ae0a5eefcb5d356481e158302e86cb9880a1512129d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
9f3d2938c9569d1fc46a803af71e1163

SHA1
5aad7605ed4e9cc962bc99d120b4f6ae4b0c8110

SHA256
57261ca90027063e00038891e5ebe74f5ae3c6a474cb7d1697a5f7658168fda8

SHA512
38f1742e1277f81491a9a653846e9cfcb9ca6c7bbb9ddf3391cd8c98f1fdf4a8577cfd141c17bec4541a8e1386fe36d10128e61be7aea686a0a15d04f84ef020

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
decbdfaf1eeb84da1929598d868cba96

SHA1
ee0d186d704112ea26ddd304acc5ae3997a014fc

SHA256
4cbbc6b9b1807b59991bdd562a343a54c06b4f3f2c12fca518eaf0e2cb9a498f

SHA512
aeb6fac7e32849dfd6a062e2fca037d77186c44b798d5bcf7a2ec43de72b3b38478d1bf12fa62c721c77eefa511751a40849df61f486689e94c4102b7057bb9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
39ee4615f782095843381a0ae0e20c76

SHA1
c30892e9c039b603567cf5d9c50adcc96dcdf3ba

SHA256
7b6d3870d6b2f0f1dcfca35d22e2e6ee2a8e38ea2b78c8e42406399723eaa856

SHA512
011eee364198d30164ea003b1ef50ff1d186058d6aebbc8feea8b4bc203afbeb3d95f24f5d77cf2b53331e371706bd2e3d0f9b5010a8716592fd5ca193ee0d32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
5d35d3ac71f9eb270094c2d8d4254e64

SHA1
8d27001d6ceb09614fec6a6caa9f8981421f7d1b

SHA256
40fbdbd1afc9bd7322483c4b01b0defa04a8911e03f62724a0d4fa15bb2656e8

SHA512
6bf17d5421bd87d778c6a35c236f1698527f12d8660c322354eb48ebbfdf51676d310cbaad1c742df89113d86ab323b365e58c15702a2ec0281be72887af968c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
d5679d702141e1cddf92f7a99341f498

SHA1
4f43d5adb5823409cded0b80ce9873eb3754f102

SHA256
32d83847a28a6cfa60406846d3a73660ec542dbf7e7fd66b6c04f878ecad8c8b

SHA512
1d02ba534f218f73ddaf34d77aac388e807b1ceb3f8552333fa0bd3462b1733a29e3c64fbc35bb96998635d48d3d30f9494b6e980fb760dc72db1cfd4584c820

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
372B

MD5
8f69725a8b7ec8c4b7f29359a62db598

SHA1
628dafbde6c373688ce1b71f35d66700cd2942d8

SHA256
4ec0fec8829dd0571abfc0f2ba2659f95949c7e5b08865a7cc4748907e4ed704

SHA512
0c592cd18a36fffc93b34091184d7b63f7ac076b47f50495e0e0d0705ef0ddccc64573d732dcac53f7c05e9baaf55db8e280df3cb73287bed6277a116d2e7590

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b5f761da-6311-4fef-bc70-93364e6de4ee.tmp
Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
096ede8bf99d67d99da5401dcaf01bf7

SHA1
bb7f48aea10280a531228111a4d846ca38e43216

SHA256
8515f731b3132de4004d1fd8f764c2e9fcf8c34b7505438ca816a5c245d298cc

SHA512
4ff3cf90eeb98135ab928b4dfbd3f0fa680e1c9bb5758b49a7add75d5642c3869122575d0290c330cd1ff0c7a0eabcf3008e570762ffe5b0add5bd67196499ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
02cd421965a2ee708162d54881c09206

SHA1
baa9f6c27d84dd3e6f6385b02bd28d7c52900835

SHA256
2d3847ef0447fd767fcfd1e8953ec5d7649b998e59ca24218f6540e57b80abb7

SHA512
fc6871d3cde4856d55e7fb5ae56d37d2829e038b60f19a08ff8d2dc9a6ba5e429fb63e9900893de046bc0183ec4908fdb75470f83b2d790fc69a8e2600556527

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
2KB

MD5
2f87410b0d834a14ceff69e18946d066

SHA1
f2ec80550202d493db61806693439a57b76634f3

SHA256
5422bc17b852ad463110de0db9b59ffa4219e065d3e2843618d6ebbd14273c65

SHA512
a313702f22450ceff0a1d7f890b0c16cf667dbcd668dbafa6dbecd0791236c0bc68e834d12113cc75352365c2a2b6cfcf30b6ef7c97ea53ed135da50de389db4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
2KB

MD5
e6cc86836a5d03fcfa39fe773b87f593

SHA1
63942b863e2ce2bec83b971ac3a9d4215b7dfdb1

SHA256
c22a8dd99701a5193a6ce053e9da42025fd0d97de08bce42a50e833c9cdaf551

SHA512
a2ff88d8ff1beaff2294d493800994e55ab16e78e419afd3135123c02cab9c358ee685af9cb7b8f64a0eeb7ba1ee775c67134f9f76254290372dbf0b36348245

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_imjpysas.c2y.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv85C7.tmp\LangDLL.dll
Filesize
7KB

MD5
20850d4d5416fbfd6a02e8a120f360fc

SHA1
ac34f3a34aaa4a21efd6a32bc93102639170e219

SHA256
860b409b065b747aab2a9937f02d08b6fd7309993b50d8e4b53983c8c2b56b61

SHA512
c8048b9ae0ced72a384c5ab781083a76b96ae08d5c8a5c7797f75a7e54e9cd9192349f185ee88c9cf0514fc8d59e37e01d88b9c8106321c0581659ebe1d1c276

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv85C7.tmp\System.dll
Filesize
26KB

MD5
4f25d99bf1375fe5e61b037b2616695d

SHA1
958fad0e54df0736ddab28ff6cb93e6ed580c862

SHA256
803931797d95777248dee4f2a563aed51fe931d2dd28faec507c69ed0f26f647

SHA512
96a8446f322cd62377a93d2088c0ce06087da27ef95a391e02c505fb4eb1d00419143d67d89494c2ef6f57ae2fd7f049c86e00858d1b193ec6dde4d0fe0e3130

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv85C7.tmp\nsDialogs.dll
Filesize
12KB

MD5
2029c44871670eec937d1a8c1e9faa21

SHA1
e8d53b9e8bc475cc274d80d3836b526d8dd2747a

SHA256
a4ae6d33f940a80e8fe34537c5cc1f8b8679c979607969320cfb750c15809ac2

SHA512
6f151c9818ac2f3aef6d4cabd8122c7e22ccf0b84fa5d4bcc951f8c3d00e8c270127eac1e9d93c5f4594ac90de8aff87dc6e96562f532a3d19c0da63a28654b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv85C7.tmp\nsProcess.dll
Filesize
35KB

MD5
764371d831841fe57172aa830d22149d

SHA1
680e20e9b98077dea32b083b5c746d8de35e0584

SHA256
93df9e969053ca77c982c6e52b7f2898d22777a8c50274b54303eaa0ef5ccded

SHA512
19076205eba08df978ad17f8176d3a5a17c4ea684460894b6a80cae7e48fcae5e9493ff745d88d62fd44fc17bcda838570add6c38bebe4962d575f060f1584f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw634F.tmp\INetC.dll
Filesize
238KB

MD5
38caa11a462b16538e0a3daeb2fc0eaf

SHA1
c22a190b83f4b6dc0d6a44b98eac1a89a78de55c

SHA256
ed04a4823f221e9197b8f3c3da1d6859ff5b176185bde2f1c923a442516c810a

SHA512
777135e05e908ac26bfce0a9c425b57f7132c1cdb0969bbb6ef625748c868860602bacc633c61cab36d0375b94b6bcfbd8bd8c7fa781495ef7332e362f8d44d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw634F.tmp\SpiderBanner.dll
Filesize
9KB

MD5
17309e33b596ba3a5693b4d3e85cf8d7

SHA1
7d361836cf53df42021c7f2b148aec9458818c01

SHA256
996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

SHA512
1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw634F.tmp\StdUtils.dll
Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw634F.tmp\System.dll
Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw634F.tmp\WinShell.dll
Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw634F.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw634F.tmp\nsis7z.dll
Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw634F.tmp\package.7z
Filesize
99.0MB

MD5
fdfe1ece23e984d00402431d082d768e

SHA1
9405760465c3f8abc4d08473219deea9d902e2e6

SHA256
99168cc1971f35f0cea1ac61d90e3aef6cc177a510bb90203350ac2c808c73ee

SHA512
d0979e9359d7c15910522aefb5e5e23eeaacf0335fa299e09c9c6ddc962c1a224bdf3372d0f286b181182fc893bcd93558e360fb6f6645613c9a0875a89a8b49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\VLC\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Roaming\VLC\Network Persistent State~RFe594201.TMP
Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\VLC\Session Storage\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\VLC\Session Storage\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\VLC\d09c1a56-2c1e-4c92-80a2-aefd31ad27cd.tmp
Filesize
86B

MD5
d11dedf80b85d8d9be3fec6bb292f64b

SHA1
aab8783454819cd66ddf7871e887abdba138aef3

SHA256
8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67

SHA512
6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

Download Submit
C:\Windows\NvOptimizerLog\VLC.exe
Filesize
125.1MB

MD5
031021334754b192f286d0c1610ba5a1

SHA1
0cdc202ba17c952076c37c85eece7b678ebaeef9

SHA256
c11b411ae2ce44803a4a2e1f14afc93f11c8b111fdf0205639be5141a28f3a89

SHA512
eb0a34610e7479902d6498bcd75c71b4efed77b1b07dc44c22d1c59897b18f62d4399a710d29d9665b830a50c2f0703c5ecd5cdcd2751b50b4e416581ff08bea

Download Submit
C:\Windows\NvOptimizerLog\chrome_100_percent.pak
Filesize
123KB

MD5
a59ea69d64bf4f748401dc5a46a65854

SHA1
111c4cc792991faf947a33386a5862e3205b0cff

SHA256
f1a935db8236203cbc1dcbb9672d98e0bd2fa514429a3f2f82a26e0eb23a4ff9

SHA512
12a1d953df00b6464ecc132a6e5b9ec3b301c7b3cefe12cbcad27a496d2d218f89e2087dd01d293d37f29391937fcbad937f7d5cf2a6f303539883e2afe3dacd

Download Submit
C:\Windows\NvOptimizerLog\chrome_200_percent.pak
Filesize
183KB

MD5
1985b8fc603db4d83df72cfaeeac7c50

SHA1
5b02363de1c193827062bfa628261b1ec16bd8cf

SHA256
7f9ded50d81c50f9c6ed89591fa621fabbd45cef150c8aabcceb3b7a9de5603b

SHA512
27e90dd18cbce0e27c70b395895ef60a8d2f2f3c3f2ca38f48b7ecf6b0d5e6fefbe88df7e7c98224222b34ff0fbd60268fdec17440f1055535a79002044c955b

Download Submit
C:\Windows\NvOptimizerLog\d3dcompiler_47.dll
Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
C:\Windows\NvOptimizerLog\ffmpeg.dll
Filesize
2.7MB

MD5
5c2e6bcfcffc022cfb7e975ad4ce2ea4

SHA1
8f65334f554b02e206faecd2049d31ef678b321d

SHA256
d068695dc8f873caab1db51c179e9696dda2319fa05c0f2d281f9979e2054fc2

SHA512
b5fe0039e1702375a6e1f4ef7bfb24d0acc42c87d02202a488fccf3d161598549055d2ac0103c95dbbc0e46975aed30259edbfef7ce77d00f1de7c1670c00959

Download Submit
C:\Windows\NvOptimizerLog\icudtl.dat
Filesize
9.9MB

MD5
70499b58dc18e7ee1d7452a1d7a8bc6e

SHA1
41c5382f08c6a88670ce73a20c0dcdb3822f19e9

SHA256
02db39ba465fc8b7a4cd280732760f29911edde87b331bf7cea7677e94d483e0

SHA512
a80939e9809bb7d20f00ad685c94d5c182fa729616c975e605abf09afb58376be73a49fefa35b75ed1a284eccf208af7656c8df44c5959df7eaf51367d232dc6

Download Submit
C:\Windows\NvOptimizerLog\libEGL.dll
Filesize
436KB

MD5
2fe9e551c93156baf537483671ec4ad7

SHA1
08ce2344b2e0a78c2af637f0eae46b948661d5a5

SHA256
f231525ba1ea2522552a722620bced187357d66d945f0cec067c5d858950ea61

SHA512
f93181f1f2268cc380dafef02a93899cb9a19f3287a918bf6ba8eaa69190627d2e2fb0c82b693471e3ca63fbcb07c44212268c1357a5a4cf594a3bd8973eefd2

Download Submit
C:\Windows\NvOptimizerLog\libGLESv2.dll
Filesize
7.5MB

MD5
5967a9234ec54d734b31cfd12cb67faf

SHA1
536840ddb29ead51d43a506fd493b48c436097d6

SHA256
48ec76bac1ff6647096a9532ac21b4a0d7c6c9c24613971aaa201cce452ce4ce

SHA512
cf8e4c3a838b58a568639ab2778800d776e0171dc34e3b82f537adbadceaa3c292240ec7d8561b5a85df3caef6e001a07ac19e280a5bb8b0607f8ba767461479

Download Submit
C:\Windows\NvOptimizerLog\locales\en-US.pak
Filesize
85KB

MD5
6bbeeb72daebc3b0cbd9c39e820c87a9

SHA1
bd9ebec2d3fc03a2b27f128cf2660b33a3344f43

SHA256
ac1cdb4fb4d9fb27a908ed0e24cc9cc2bd885bc3ffba7e08b0b907fd4d1a8c4b

SHA512
66944fb1abcc2a7e08e5fd8a2cee53eb9da57653d7880aea226f25879e26379f7d745ebf62a3518378fa503f3a31b3ea3716f49fe4c7db4f4af0228b81b53a10

Download Submit
C:\Windows\NvOptimizerLog\resources.pak
Filesize
4.9MB

MD5
5507bc28022b806ea7a3c3bc65a1c256

SHA1
9f8d3a56fef7374c46cd3557f73855d585692b54

SHA256
367467609a389b67600628760c26732fc1a25f563f73263bc2c4bf6eec9033df

SHA512
ae698d4feacc3e908981ee44df3a9d76e42a39bf083eaf099442ace2b863f882b43232e26e2c18051ca7aec81dccef5742acc7b82fb0cda2e14086b14d5a9a26

Download Submit
C:\Windows\NvOptimizerLog\resources\app.asar
Filesize
4.6MB

MD5
040a8280b01b5a029e50c5d141d555ad

SHA1
ce103568d6ae6456f1d1d718929b6972c0bad1b4

SHA256
6b6309fe0c4ca9c73626f1435ed3332656d9e6b1e500fb85af0ebf9842813485

SHA512
6706c453509bf718d1870c98a49842743cf2e49d22225a3d33051808a3f1045c7d0c065ecafae75f1bb57b4ef4436aa76774ff6553fddf3739bc47d2e9400ce8

Download Submit
C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\libgksu2.so.0
Filesize
68KB

MD5
6dbc4226a62a578b815c4d4be3eda0d7

SHA1
eb23f90635a8366c5c992043ccf2dfb817cf6512

SHA256
0eb70bd4b911c9af7c1c78018742cadb0c5f9b6d394005eaeaa733da4b5766e5

SHA512
3a2836f712ad7048dbeb5b6eec8e163652f97bea521eafcff5c598cbedf062baefaa7079d3a614470ef99ec954dac518224cb3515ca14757721f96412443c7c4

Download Submit
C:\Windows\NvOptimizerLog\resources\regedit\vbs\ArchitectureAgnosticRegistry.vbs
Filesize
2KB

MD5
310a042dca2144c9cda556e9bc4b0c02

SHA1
d2032af7eea0dbd027a36e577567e85486496949

SHA256
caa82e59ca92629057791cb1e0ba0b74c90f561fac81b029033fc081a83431b0

SHA512
843d9f6f300caba8df41511473c43f4d5029fa0012e593677c83f196c8d595194d1409069fb4b8616e0118f37ba943bbe656b29de40f0ad70997ab610fd98db8

Download Submit
C:\Windows\NvOptimizerLog\resources\regedit\vbs\regList.wsf
Filesize
985B

MD5
cae7db4194de43346121a463596e4f4f

SHA1
f72843fa7e2a8d75616787b49f77b4380367ff26

SHA256
b65c5af7dbeb43c62f6a5528af6db3cb1ca2a71735a8e7a1451796f834e355c2

SHA512
ccee660cc4878301c743d3ebde4557dc180d8b6f77c97de5e36c95f6e4d2446ef7be28ebc787fdea2f2d817890ac7bdb713196c755a51677dc127cce77670026

Download Submit
C:\Windows\NvOptimizerLog\resources\regedit\vbs\regUtil.vbs
Filesize
7KB

MD5
77e85aa761f75466e78ce420fdf67a31

SHA1
4470bd4d215d7682828cbc5f7f64993c078b2caa

SHA256
350dea3d6c8e65372f8d12a5fd92a3a46a7519610c69564e8185a2ed66b00d59

SHA512
50af664777545ced78c34a6ea35dae542fdb85b8b307a4a4a95db25a808a695d3fe8840edb36325279c2381fbae071f6b509f7491185cef2f42afcb7672cfd13

Download Submit
C:\Windows\NvOptimizerLog\resources\regedit\vbs\util.vbs
Filesize
4KB

MD5
e2be267c02d51df566fa726fc8aa075a

SHA1
c9b9ae17f36e23d5d3cbbf2d6f17a954bfa87d24

SHA256
b2efd5e0c2f695063a8bce40c8182aa70f33c4b1b77d232b7530d89fb9646f0c

SHA512
b6f80622a9f61f636f7786d91a1b9e06a64602f0898425e90a1a696d0a4855c8c08cbd6e6b98b9a3a1a24de354b26260247953b5273f7d57ea87294b4b142e8a

Download Submit
C:\Windows\NvOptimizerLog\resources\vlc\installer.exe
Filesize
42.4MB

MD5
14becb7840eb1d3d46071d2ee65c7be8

SHA1
ff6e6f9359127f836a03dfc2b8bc9ba651c627c4

SHA256
9737843c119905be767de5e94e398be1eb145b0cc6a5a02f057d4022b80da4d8

SHA512
717289d3b514f4daa6b1cf97705c876bbe89fa215084ba8e1abeef3770e0a620d04127ef8de1f2d89477e1fab355526ed584ed3f9c7ecaf0c7d24a9bceee8248

Download Submit
C:\Windows\NvOptimizerLog\v8_context_snapshot.bin
Filesize
160KB

MD5
b64c1fc7d75234994012c86dc5af10a6

SHA1
d0d562b5735d28381d59d0d86078ff6b493a678e

SHA256
31c3aa5645b5487bf484fd910379003786523f3063e946ef9b50d257d0ee5790

SHA512
6218fcb74ef715030a2dd718c87b32f41e976dd4ce459c54a45341ee0f5ca5c927ad507d3afcffe7298b989e969885ed7fb72030ea59387609e8bd5c4b8eb60a

Download Submit
\??\pipe\crashpad_4672_TQPKKWRZJBQLUUXN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/672-979-0x00007FF980F40000-0x00007FF981A01000-memory.dmp

Filesize
10.8MB

Download
memory/672-994-0x00007FF980F40000-0x00007FF981A01000-memory.dmp

Filesize
10.8MB

Download
memory/672-980-0x000002AEE52C0000-0x000002AEE52D0000-memory.dmp

Filesize
64KB

Download
memory/672-981-0x000002AEE52C0000-0x000002AEE52D0000-memory.dmp

Filesize
64KB

Download
memory/672-986-0x000002AEE52C0000-0x000002AEE52D0000-memory.dmp

Filesize
64KB

Download
memory/924-527-0x00007FF97FBA0000-0x00007FF980661000-memory.dmp

Filesize
10.8MB

Download
memory/924-525-0x00000211E8DE0000-0x00000211E8DF0000-memory.dmp

Filesize
64KB

Download
memory/924-524-0x00000211E8DE0000-0x00000211E8DF0000-memory.dmp

Filesize
64KB

Download
memory/924-514-0x00007FF97FBA0000-0x00007FF980661000-memory.dmp

Filesize
10.8MB

Download
memory/1188-1070-0x00000163270B0000-0x00000163270C0000-memory.dmp

Filesize
64KB

Download
memory/1188-1069-0x00007FF980430000-0x00007FF980EF1000-memory.dmp

Filesize
10.8MB

Download
memory/1188-1082-0x00007FF980430000-0x00007FF980EF1000-memory.dmp

Filesize
10.8MB

Download
memory/1308-538-0x00007FF97FBA0000-0x00007FF980661000-memory.dmp

Filesize
10.8MB

Download
memory/1308-539-0x000001F878860000-0x000001F878870000-memory.dmp

Filesize
64KB

Download
memory/1308-543-0x00007FF97FBA0000-0x00007FF980661000-memory.dmp

Filesize
10.8MB

Download
memory/1532-1084-0x00000232DE0C0000-0x00000232DE0D0000-memory.dmp

Filesize
64KB

Download
memory/1532-1098-0x00007FF9804E0000-0x00007FF980FA1000-memory.dmp

Filesize
10.8MB

Download
memory/1532-1083-0x00007FF9804E0000-0x00007FF980FA1000-memory.dmp

Filesize
10.8MB

Download
memory/1532-1090-0x00000232DE0C0000-0x00000232DE0D0000-memory.dmp

Filesize
64KB

Download
memory/1536-461-0x0000017652100000-0x0000017652110000-memory.dmp

Filesize
64KB

Download
memory/1536-471-0x00007FF97FBA0000-0x00007FF980661000-memory.dmp

Filesize
10.8MB

Download
memory/1536-444-0x00000176520D0000-0x00000176520F2000-memory.dmp

Filesize
136KB

Download
memory/1536-464-0x0000017652790000-0x00000176527B4000-memory.dmp

Filesize
144KB

Download
memory/1536-463-0x0000017652790000-0x00000176527BA000-memory.dmp

Filesize
168KB

Download
memory/1536-457-0x0000017652810000-0x0000017652886000-memory.dmp

Filesize
472KB

Download
memory/1536-449-0x00007FF97FBA0000-0x00007FF980661000-memory.dmp

Filesize
10.8MB

Download
memory/1536-453-0x0000017652740000-0x0000017652784000-memory.dmp

Filesize
272KB

Download
memory/1536-455-0x0000017652100000-0x0000017652110000-memory.dmp

Filesize
64KB

Download
memory/1756-484-0x000001CB4EE60000-0x000001CB4EE70000-memory.dmp

Filesize
64KB

Download
memory/1756-482-0x00007FF97FBA0000-0x00007FF980661000-memory.dmp

Filesize
10.8MB

Download
memory/1756-488-0x00007FF97FBA0000-0x00007FF980661000-memory.dmp

Filesize
10.8MB

Download
memory/1756-485-0x000001CB4EE60000-0x000001CB4EE70000-memory.dmp

Filesize
64KB

Download
memory/1932-930-0x00007FF980F40000-0x00007FF981A01000-memory.dmp

Filesize
10.8MB

Download
memory/1932-931-0x000001ED66000000-0x000001ED66010000-memory.dmp

Filesize
64KB

Download
memory/1932-950-0x00007FF980F40000-0x00007FF981A01000-memory.dmp

Filesize
10.8MB

Download
memory/1932-932-0x000001ED66000000-0x000001ED66010000-memory.dmp

Filesize
64KB

Download
memory/2188-443-0x0000000074EC0000-0x0000000074EC9000-memory.dmp

Filesize
36KB

Download
memory/2188-437-0x0000000074ED0000-0x0000000074EDE000-memory.dmp

Filesize
56KB

Download
memory/2188-890-0x0000000074EC0000-0x0000000074ECB000-memory.dmp

Filesize
44KB

Download
memory/2188-891-0x0000000074870000-0x000000007487C000-memory.dmp

Filesize
48KB

Download
memory/2188-436-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2188-888-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2260-1065-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2604-1105-0x000002DFF1420000-0x000002DFF144B000-memory.dmp

Filesize
172KB

Download
memory/2868-506-0x0000023AAD0B0000-0x0000023AAD0C0000-memory.dmp

Filesize
64KB

Download
memory/2868-510-0x00007FF97FBA0000-0x00007FF980661000-memory.dmp

Filesize
10.8MB

Download
memory/2868-505-0x0000023AAD0B0000-0x0000023AAD0C0000-memory.dmp

Filesize
64KB

Download
memory/2868-504-0x0000023AAD0B0000-0x0000023AAD0C0000-memory.dmp

Filesize
64KB

Download
memory/2868-503-0x00007FF97FBA0000-0x00007FF980661000-memory.dmp

Filesize
10.8MB

Download
memory/2968-435-0x0000020BAE360000-0x0000020BAE38B000-memory.dmp

Filesize
172KB

Download
memory/2968-367-0x00007FF9A0A70000-0x00007FF9A0A71000-memory.dmp

Filesize
4KB

Download
memory/3008-1123-0x00007FF9804E0000-0x00007FF980FA1000-memory.dmp

Filesize
10.8MB

Download
memory/3008-1133-0x000001FD6EE60000-0x000001FD6EE70000-memory.dmp

Filesize
64KB

Download
memory/3008-1134-0x000001FD6EE60000-0x000001FD6EE70000-memory.dmp

Filesize
64KB

Download
memory/3008-1137-0x00007FF9804E0000-0x00007FF980FA1000-memory.dmp

Filesize
10.8MB

Download
memory/4260-1058-0x00007FF980430000-0x00007FF980EF1000-memory.dmp

Filesize
10.8MB

Download
memory/4260-1068-0x00007FF980430000-0x00007FF980EF1000-memory.dmp

Filesize
10.8MB

Download
memory/4260-1059-0x000001D4E8DF0000-0x000001D4E8E00000-memory.dmp

Filesize
64KB

Download
memory/5220-964-0x00007FF980F40000-0x00007FF981A01000-memory.dmp

Filesize
10.8MB

Download
memory/5220-951-0x00007FF980F40000-0x00007FF981A01000-memory.dmp

Filesize
10.8MB

Download
memory/5220-961-0x00000259CD000000-0x00000259CD010000-memory.dmp

Filesize
64KB

Download
memory/5388-970-0x0000022018620000-0x000002201864B000-memory.dmp

Filesize
172KB

Download
memory/5668-1352-0x00007FF97D7E0000-0x00007FF97E2A1000-memory.dmp

Filesize
10.8MB

Download
memory/5668-1366-0x00007FF97D7E0000-0x00007FF97E2A1000-memory.dmp

Filesize
10.8MB

Download
memory/5668-1363-0x00000217EC100000-0x00000217EC2C2000-memory.dmp

Filesize
1.8MB

Download
memory/5668-1353-0x00000217EBAA0000-0x00000217EBAB0000-memory.dmp

Filesize
64KB

Download
memory/6088-1115-0x00007FF9804E0000-0x00007FF980FA1000-memory.dmp

Filesize
10.8MB

Download
memory/6088-1120-0x00007FF9804E0000-0x00007FF980FA1000-memory.dmp

Filesize
10.8MB

Download
memory/6088-1116-0x0000023DE8670000-0x0000023DE8680000-memory.dmp

Filesize
64KB

Download
memory/6088-1118-0x0000023DE8670000-0x0000023DE8680000-memory.dmp

Filesize
64KB

Download
memory/6088-1117-0x0000023DE8670000-0x0000023DE8680000-memory.dmp

Filesize
64KB

Download
memory/6092-973-0x0000000074EC0000-0x0000000074ECB000-memory.dmp

Filesize
44KB

Download
memory/6092-1008-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/6092-1011-0x0000000074870000-0x000000007487C000-memory.dmp

Filesize
48KB

Download
memory/6092-971-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download