21be0a068d7d1b57578bfb2ed850b3f3b1cfe4a4c47981ead95abdb8c20278fe

Resubmissions

02-05-2024 13:12

240502-qfqr8abg26 5

02-05-2024 13:06

240502-qb8ggahe7t 5

Analysis

max time kernel
150s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2024 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup-v-b5xa3Su.exe
Size

704KB
MD5

d1fc9e6d71a4867ab71af5566e525ba0
SHA1

593b10280a926134839feb8e2f9d0da9ee9c0593
SHA256

21be0a068d7d1b57578bfb2ed850b3f3b1cfe4a4c47981ead95abdb8c20278fe
SHA512

c82a23e5e0e3a38e32fc08401890852a71ec90640bbfb944ed7d45812493a53d2be2c0e4373692e52c77d666b8ae72cd0d15c3dc4bc3cc52887ad4589820658d
SSDEEP

12288:iOIVD3gyucpjRKaDPNKT1zH3ptaR1sDfOQSvJqFZ6rOIIzVFA4+M:iOIyyuUjMaDu173pG1szLSvJwSOZBv

Score

5^/10

discovery execution

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VLC.exeVLC.exeVLC.execmd.exeVLC.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	VLC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	VLC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	VLC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	VLC.exe

Drops file in System32 directory 1 IoCs

Processes:

VLC.exe

description ioc process

File created C:\Windows\System32\NvWinSearchOptimizer.ps1 VLC.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc	process
File created	C:\Windows\System32\NvWinSearchOptimizer.ps1	VLC.exe

Drops file in Windows directory 64 IoCs

Processes:

Setup-v-b5xa3Su.exe

description	ioc	process
File created	C:\Windows\NvOptimizerLog\LICENSE.electron.txt	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\locales\vi.pak	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\applet.app\LICENSE	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\applet.app\Contents\PkgInfo	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\lib\sudoer.js	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\resources\elevate.exe	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\icudtl.dat	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\applet.app\Contents\Resources\description.rtfd	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\ml.pak	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\sl.pak	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\applet.app\Contents\Info.plist	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\applet.app\Contents\Resources\applet.rsrc	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\package.json	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\applet.app\Contents\Resources	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\vendor\win32\Elevate\Elevate.vcproj	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\applet.app\Contents	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\pl.pak	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\snapshot_blob.bin	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\assets	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\ja.pak	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\locales\te.pak	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\vendor\win32\Elevate\Elevate.vcxproj.filters	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\icudtl.dat	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\ko.pak	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\lt.pak	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\cs.pak	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\locales\id.pak	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\webpack\chmod.js	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\resources\regedit\vbs\regDeleteKey.wsf	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\gu.pak	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\locales\lt.pak	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\vi.pak	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\resources\regedit\vbs\regUtil.vbs	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\he.pak	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\locales\it.pak	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\locales\ko.pak	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\applet.app\Contents\Resources\applet.icns	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\libgksu2.so.0	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\ms.pak	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\locales\sw.pak	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\applet.app\Contents\Resources\applet.rsrc	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\vendor\win32\Elevate\resource.h	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\resources\regedit\vbs\regPutValue.wsf	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\fa.pak	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\sv.pak	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\zh-CN.pak	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\applet.app\Contents\Info.plist	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\lib\sudoer.js	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\regedit\vbs\regListStream.wsf	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\applet.app\Contents\MacOS	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\locales\bg.pak	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\locales\fi.pak	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\libgksu2.so.0.0.2	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\vendor\win32	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\LICENSE.electron.txt	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\kn.pak	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\locales\ms.pak	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\zh-TW.pak	Setup-v-b5xa3Su.exe
File created	C:\Windows\NvOptimizerLog\d3dcompiler_47.dll	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\swiftshader	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\id.pak	Setup-v-b5xa3Su.exe
File opened for modification	C:\Windows\NvOptimizerLog\d3dcompiler_47.dll	Setup-v-b5xa3Su.exe

Executes dropped EXE 10 IoCs

Processes:

VLC.exeVLC.exeVLC.exeVLC.exeinstaller.exeVLC.exeVLC.exeVLC.exeinstaller.exeVLC.exe

pid process

4208 VLC.exe
4664 VLC.exe
4064 VLC.exe
2740 VLC.exe
1460 installer.exe
4052 VLC.exe
5860 VLC.exe
3412 VLC.exe
4516 installer.exe
2808 VLC.exe

pid	process
4208	VLC.exe
4664	VLC.exe
4064	VLC.exe
2740	VLC.exe
1460	installer.exe
4052	VLC.exe
5860	VLC.exe
3412	VLC.exe
4516	installer.exe
2808	VLC.exe

Loads dropped DLL 32 IoCs

Processes:

Setup-v-b5xa3Su.exeVLC.exeVLC.exeVLC.exeVLC.exeinstaller.exeVLC.exeVLC.exeVLC.exeVLC.exeinstaller.exe

pid	process
936	Setup-v-b5xa3Su.exe
936	Setup-v-b5xa3Su.exe
936	Setup-v-b5xa3Su.exe
936	Setup-v-b5xa3Su.exe
936	Setup-v-b5xa3Su.exe
936	Setup-v-b5xa3Su.exe
936	Setup-v-b5xa3Su.exe
936	Setup-v-b5xa3Su.exe
936	Setup-v-b5xa3Su.exe
936	Setup-v-b5xa3Su.exe
4208	VLC.exe
4664	VLC.exe
4664	VLC.exe
4664	VLC.exe
4664	VLC.exe
4064	VLC.exe
2740	VLC.exe
1460	installer.exe
1460	installer.exe
1460	installer.exe
1460	installer.exe
4052	VLC.exe
5860	VLC.exe
3412	VLC.exe
5860	VLC.exe
5860	VLC.exe
5860	VLC.exe
2808	VLC.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1924	powershell.exe
6100	powershell.exe
1464	powershell.exe
2844	powershell.exe
1120	powershell.exe
2376	powershell.exe
1148	powershell.exe
4480	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2736 schtasks.exe
3304 schtasks.exe

pid	process
2736	schtasks.exe
3304	schtasks.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exechrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

4296 systeminfo.exe

pid	process
4296	systeminfo.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

chrome.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133591290149637926"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

Processes:

Setup-v-b5xa3Su.exeVLC.exeVLC.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeinstaller.exemsedge.exemsedge.exechrome.exechrome.exeVLC.exeVLC.exepowershell.exepowershell.exepowershell.exeinstaller.exe

pid	process
936	Setup-v-b5xa3Su.exe
936	Setup-v-b5xa3Su.exe
936	Setup-v-b5xa3Su.exe
936	Setup-v-b5xa3Su.exe
936	Setup-v-b5xa3Su.exe
936	Setup-v-b5xa3Su.exe
4064	VLC.exe
4064	VLC.exe
2740	VLC.exe
2740	VLC.exe
2844	powershell.exe
2844	powershell.exe
1120	powershell.exe
1120	powershell.exe
2376	powershell.exe
2376	powershell.exe
1148	powershell.exe
1148	powershell.exe
1148	powershell.exe
4480	powershell.exe
4480	powershell.exe
1460	installer.exe
1460	installer.exe
1460	installer.exe
1460	installer.exe
2360	msedge.exe
2360	msedge.exe
3392	msedge.exe
3392	msedge.exe
4032	chrome.exe
4032	chrome.exe
1460	installer.exe
1460	installer.exe
1460	installer.exe
1460	installer.exe
1460	installer.exe
5660	chrome.exe
5660	chrome.exe
3412	VLC.exe
3412	VLC.exe
2808	VLC.exe
2808	VLC.exe
1924	powershell.exe
1924	powershell.exe
1924	powershell.exe
6100	powershell.exe
6100	powershell.exe
6100	powershell.exe
1464	powershell.exe
1464	powershell.exe
1464	powershell.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exechrome.exechrome.exe

pid process

3392 msedge.exe
3392 msedge.exe
4032 chrome.exe
4032 chrome.exe
3392 msedge.exe
4032 chrome.exe
5660 chrome.exe
5660 chrome.exe
5660 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Setup-v-b5xa3Su.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeSecurityPrivilege	936	Setup-v-b5xa3Su.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeIncreaseQuotaPrivilege	2844	powershell.exe
Token: SeSecurityPrivilege	2844	powershell.exe
Token: SeTakeOwnershipPrivilege	2844	powershell.exe
Token: SeLoadDriverPrivilege	2844	powershell.exe
Token: SeSystemProfilePrivilege	2844	powershell.exe
Token: SeSystemtimePrivilege	2844	powershell.exe
Token: SeProfSingleProcessPrivilege	2844	powershell.exe
Token: SeIncBasePriorityPrivilege	2844	powershell.exe
Token: SeCreatePagefilePrivilege	2844	powershell.exe
Token: SeBackupPrivilege	2844	powershell.exe
Token: SeRestorePrivilege	2844	powershell.exe
Token: SeShutdownPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeSystemEnvironmentPrivilege	2844	powershell.exe
Token: SeRemoteShutdownPrivilege	2844	powershell.exe
Token: SeUndockPrivilege	2844	powershell.exe
Token: SeManageVolumePrivilege	2844	powershell.exe
Token: 33	2844	powershell.exe
Token: 34	2844	powershell.exe
Token: 35	2844	powershell.exe
Token: 36	2844	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeIncreaseQuotaPrivilege	1120	powershell.exe
Token: SeSecurityPrivilege	1120	powershell.exe
Token: SeTakeOwnershipPrivilege	1120	powershell.exe
Token: SeLoadDriverPrivilege	1120	powershell.exe
Token: SeSystemProfilePrivilege	1120	powershell.exe
Token: SeSystemtimePrivilege	1120	powershell.exe
Token: SeProfSingleProcessPrivilege	1120	powershell.exe
Token: SeIncBasePriorityPrivilege	1120	powershell.exe
Token: SeCreatePagefilePrivilege	1120	powershell.exe
Token: SeBackupPrivilege	1120	powershell.exe
Token: SeRestorePrivilege	1120	powershell.exe
Token: SeShutdownPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeSystemEnvironmentPrivilege	1120	powershell.exe
Token: SeRemoteShutdownPrivilege	1120	powershell.exe
Token: SeUndockPrivilege	1120	powershell.exe
Token: SeManageVolumePrivilege	1120	powershell.exe
Token: 33	1120	powershell.exe
Token: 34	1120	powershell.exe
Token: 35	1120	powershell.exe
Token: 36	1120	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeIncreaseQuotaPrivilege	2376	powershell.exe
Token: SeSecurityPrivilege	2376	powershell.exe
Token: SeTakeOwnershipPrivilege	2376	powershell.exe
Token: SeLoadDriverPrivilege	2376	powershell.exe
Token: SeSystemProfilePrivilege	2376	powershell.exe
Token: SeSystemtimePrivilege	2376	powershell.exe
Token: SeProfSingleProcessPrivilege	2376	powershell.exe
Token: SeIncBasePriorityPrivilege	2376	powershell.exe
Token: SeCreatePagefilePrivilege	2376	powershell.exe
Token: SeBackupPrivilege	2376	powershell.exe
Token: SeRestorePrivilege	2376	powershell.exe
Token: SeShutdownPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeSystemEnvironmentPrivilege	2376	powershell.exe
Token: SeRemoteShutdownPrivilege	2376	powershell.exe
Token: SeUndockPrivilege	2376	powershell.exe
Token: SeManageVolumePrivilege	2376	powershell.exe
Token: 33	2376	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exechrome.exechrome.exe

pid	process
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exechrome.exechrome.exe

pid	process
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

VLC.exeVLC.exeVLC.exeVLC.exeinstaller.exeVLC.exeVLC.exeVLC.exeinstaller.exeVLC.exe

pid process

4208 VLC.exe
4664 VLC.exe
4064 VLC.exe
2740 VLC.exe
1460 installer.exe
4052 VLC.exe
5860 VLC.exe
3412 VLC.exe
4516 installer.exe
2808 VLC.exe

pid	process
4208	VLC.exe
4664	VLC.exe
4064	VLC.exe
2740	VLC.exe
1460	installer.exe
4052	VLC.exe
5860	VLC.exe
3412	VLC.exe
4516	installer.exe
2808	VLC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VLC.exeVLC.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4664	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4064	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 4064	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 2740	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 2740	4208	VLC.exe	VLC.exe
PID 4208 wrote to memory of 1460	4208	VLC.exe	installer.exe
PID 4208 wrote to memory of 1460	4208	VLC.exe	installer.exe
PID 4208 wrote to memory of 1460	4208	VLC.exe	installer.exe
PID 2740 wrote to memory of 1792	2740	VLC.exe	cmd.exe
PID 2740 wrote to memory of 1792	2740	VLC.exe	cmd.exe
PID 1792 wrote to memory of 2620	1792	cmd.exe	chcp.com
PID 1792 wrote to memory of 2620	1792	cmd.exe	chcp.com
PID 2740 wrote to memory of 2844	2740	VLC.exe	powershell.exe
PID 2740 wrote to memory of 2844	2740	VLC.exe	powershell.exe
PID 2740 wrote to memory of 1120	2740	VLC.exe	powershell.exe
PID 2740 wrote to memory of 1120	2740	VLC.exe	powershell.exe
PID 2740 wrote to memory of 2376	2740	VLC.exe	powershell.exe
PID 2740 wrote to memory of 2376	2740	VLC.exe	powershell.exe
PID 2740 wrote to memory of 4876	2740	VLC.exe	cmd.exe
PID 2740 wrote to memory of 4876	2740	VLC.exe	cmd.exe
PID 4876 wrote to memory of 2736	4876	cmd.exe	schtasks.exe
PID 4876 wrote to memory of 2736	4876	cmd.exe	schtasks.exe
PID 2740 wrote to memory of 1684	2740	VLC.exe	cmd.exe
PID 2740 wrote to memory of 1684	2740	VLC.exe	cmd.exe
PID 1684 wrote to memory of 1148	1684	cmd.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Setup-v-b5xa3Su.exe
"C:\Users\Admin\AppData\Local\Temp\Setup-v-b5xa3Su.exe"
1⤵
- Drops file in Windows directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\NvOptimizerLog\VLC.exe
"C:\Windows\NvOptimizerLog\VLC.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4208

C:\Windows\NvOptimizerLog\VLC.exe
"C:\Windows\NvOptimizerLog\VLC.exe" --type=gpu-process --field-trial-handle=1568,1841564947072181442,18079114339511773424,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1576 /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4664

C:\Windows\NvOptimizerLog\VLC.exe
"C:\Windows\NvOptimizerLog\VLC.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1568,1841564947072181442,18079114339511773424,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2060 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4064

C:\Windows\NvOptimizerLog\VLC.exe
"C:\Windows\NvOptimizerLog\VLC.exe" --type=renderer --field-trial-handle=1568,1841564947072181442,18079114339511773424,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Windows\NvOptimizerLog\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2200 /prefetch:1
2⤵
- Checks computer location settings
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "chcp"
3⤵
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\system32\chcp.com
chcp
4⤵
PID:2620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "SCHTASKS /Create /TN "NvOptimizerTaskUpdater_V2" /SC HOURLY /TR "powershell -File C:/Windows/System32/NvWinSearchOptimizer.ps1" /RL HIGHEST /MO 4 /RU System /ST 13:13"
3⤵
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\system32\schtasks.exe
SCHTASKS /Create /TN "NvOptimizerTaskUpdater_V2" /SC HOURLY /TR "powershell -File C:/Windows/System32/NvWinSearchOptimizer.ps1" /RL HIGHEST /MO 4 /RU System /ST 13:13
4⤵
- Creates scheduled task(s)
PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Set-ExecutionPolicy -ExecutionPolicy Unrestricted"
3⤵
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-ExecutionPolicy -ExecutionPolicy Unrestricted
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ExecutionPolicy"
3⤵
PID:540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ExecutionPolicy
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "systeminfo"
3⤵
PID:4852

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:4296

C:\Windows\system32\cscript.exe
cscript.exe
3⤵
PID:4896

C:\Windows\system32\cscript.exe
cscript.exe //Nologo resources\regedit\vbs\regList.wsf A HKCU\SOFTWARE\NvOptimizer
3⤵
PID:2488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "start chrome "https://mediatrackerr.com/track-install?s=vlc&u=1312d364-c068-4270-8316-eb07bd425297&f=Setup-v-b5xa3Su.exe""
3⤵
- Checks computer location settings
PID:2292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://mediatrackerr.com/track-install?s=vlc&u=1312d364-c068-4270-8316-eb07bd425297&f=Setup-v-b5xa3Su.exe"
4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7fff04e3ab58,0x7fff04e3ab68,0x7fff04e3ab78
5⤵
PID:1016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=2044,i,8078093611105278118,9729022745268314574,131072 /prefetch:2
5⤵
PID:4536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=2044,i,8078093611105278118,9729022745268314574,131072 /prefetch:8
5⤵
PID:4928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2148 --field-trial-handle=2044,i,8078093611105278118,9729022745268314574,131072 /prefetch:8
5⤵
PID:632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2984 --field-trial-handle=2044,i,8078093611105278118,9729022745268314574,131072 /prefetch:1
5⤵
PID:3928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3008 --field-trial-handle=2044,i,8078093611105278118,9729022745268314574,131072 /prefetch:1
5⤵
PID:3388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4332 --field-trial-handle=2044,i,8078093611105278118,9729022745268314574,131072 /prefetch:1
5⤵
PID:5496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4616 --field-trial-handle=2044,i,8078093611105278118,9729022745268314574,131072 /prefetch:8
5⤵
PID:6012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4724 --field-trial-handle=2044,i,8078093611105278118,9729022745268314574,131072 /prefetch:8
5⤵
PID:6060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 --field-trial-handle=2044,i,8078093611105278118,9729022745268314574,131072 /prefetch:8
5⤵
PID:6124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mediatrackerr.com/track-install?s=vlc&u=1312d364-c068-4270-8316-eb07bd425297&f=Setup-v-b5xa3Su.exe
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff16cc46f8,0x7fff16cc4708,0x7fff16cc4718
4⤵
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,6908953618550800656,16227458604729018735,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
4⤵
PID:2604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,6908953618550800656,16227458604729018735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,6908953618550800656,16227458604729018735,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
4⤵
PID:4256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6908953618550800656,16227458604729018735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
4⤵
PID:856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6908953618550800656,16227458604729018735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
4⤵
PID:4604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6908953618550800656,16227458604729018735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
4⤵
PID:5440

C:\Windows\NvOptimizerLog\resources\vlc\installer.exe
resources/vlc/installer.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4396

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff04e3ab58,0x7fff04e3ab68,0x7fff04e3ab78
2⤵
PID:5624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1980,i,12494822520815226241,15656252964247929999,131072 /prefetch:2
2⤵
PID:3996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1968 --field-trial-handle=1980,i,12494822520815226241,15656252964247929999,131072 /prefetch:8
2⤵
PID:5020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2272 --field-trial-handle=1980,i,12494822520815226241,15656252964247929999,131072 /prefetch:8
2⤵
PID:5760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1980,i,12494822520815226241,15656252964247929999,131072 /prefetch:1
2⤵
PID:4000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1980,i,12494822520815226241,15656252964247929999,131072 /prefetch:1
2⤵
PID:2384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4396 --field-trial-handle=1980,i,12494822520815226241,15656252964247929999,131072 /prefetch:1
2⤵
PID:4604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4520 --field-trial-handle=1980,i,12494822520815226241,15656252964247929999,131072 /prefetch:8
2⤵
PID:4532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4676 --field-trial-handle=1980,i,12494822520815226241,15656252964247929999,131072 /prefetch:8
2⤵
PID:4540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 --field-trial-handle=1980,i,12494822520815226241,15656252964247929999,131072 /prefetch:8
2⤵
PID:5252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4608 --field-trial-handle=1980,i,12494822520815226241,15656252964247929999,131072 /prefetch:8
2⤵
PID:5160

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1652

C:\Windows\NvOptimizerLog\VLC.exe
"C:\Windows\NvOptimizerLog\VLC.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4052

C:\Windows\NvOptimizerLog\VLC.exe
"C:\Windows\NvOptimizerLog\VLC.exe" --type=gpu-process --field-trial-handle=1576,5714894661195688091,6133674831539301530,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1584 /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5860

C:\Windows\NvOptimizerLog\VLC.exe
"C:\Windows\NvOptimizerLog\VLC.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1576,5714894661195688091,6133674831539301530,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2128 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3412

C:\Windows\NvOptimizerLog\VLC.exe
"C:\Windows\NvOptimizerLog\VLC.exe" --type=renderer --field-trial-handle=1576,5714894661195688091,6133674831539301530,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Windows\NvOptimizerLog\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2208 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "chcp"
3⤵
PID:4376

C:\Windows\system32\chcp.com
chcp
4⤵
PID:1520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:6100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "SCHTASKS /Create /TN "NvOptimizerTaskUpdater_V2" /SC HOURLY /TR "powershell -File C:/Windows/System32/NvWinSearchOptimizer.ps1" /RL HIGHEST /MO 4 /RU System /ST 13:13"
3⤵
PID:868

C:\Windows\system32\schtasks.exe
SCHTASKS /Create /TN "NvOptimizerTaskUpdater_V2" /SC HOURLY /TR "powershell -File C:/Windows/System32/NvWinSearchOptimizer.ps1" /RL HIGHEST /MO 4 /RU System /ST 13:13
4⤵
- Creates scheduled task(s)
PID:3304

C:\Windows\NvOptimizerLog\resources\vlc\installer.exe
resources/vlc/installer.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1516

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
de3d0f8ed315edbf797fc100f00e8c1e

SHA1
2749b127923e94734ec0d89834c41f0465b54b2d

SHA256
7467a4cfbde2ca2287d4b640b9c2af7ea43d14ee91d620bb21db35851daba665

SHA512
f5afbef2282142cffee3c8f096331392379ab46adb6fb145b0d1ed416ac245eabd5c77f994d414cd7e6d3ca592cda58fd705f52333782d30da8597f5d46b773c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
ed5272b7e48a35a08998a9d18128448b

SHA1
43ecca9616739ae2ded2a0fbb51e85d30627c43d

SHA256
4ac88fbae747d1c890bf9f9a2484476daa975f1d12db134c88f0f0dd47934f48

SHA512
380958525887fd01a642f7a7b3e9f91910ec6fbd84fcdae086f1d64bec92ba752f67f320b7054e5cbf11596fa6057a5c0f61ecbf260610061e7d06631c256d9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
392B

MD5
b012faee91407ce85c625c3793b7ae5d

SHA1
4c39babceb008429279d4ad06bb6e73d4d721451

SHA256
c3dc84d3c1e5e2d1bbf1970225273afdc06a477d658a1ea6b5586f1e22f450b9

SHA512
0cce082c229760c1b1523e1e0e960a3520247d9bda5800f422cb5e9b98a97247fed6e5c60d123a467846fa1c10368c8dab719156ebdcf9d3acced375393314d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
d0df793c4e281659228b2837846ace2d

SHA1
ece0a5b1581f86b175ccbc7822483448ec728077

SHA256
4e5ceefae11a45c397cde5c6b725c18d8c63d80d2ce851fa94df1644169eafc9

SHA512
400a81d676e5c1e8e64655536b23dbae0a0dd47dc1e87e202e065903396e6a106770cec238093d748b9c71b5859edf097ffff2e088b5b79d6a449754140a52ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\8aac923f-1f9c-41de-9bb9-d3d6b880c168.tmp
Filesize
7KB

MD5
e599b3a362e7bac135119fa10f1d6058

SHA1
5c35873d9eead67dfb54957269449f110608ece9

SHA256
ed83db1e12daaec6c39cd2b8d5e028f81d6d10e7aed299a751a55dc5a8e0ed88

SHA512
fce607d61d020ae116b3f5a3a46ef31f18f61e92218200dc9abe1a41a7f2a7214994992bbef7d5912678f20408bf436243dece6ea59616bd5380abe7832da4be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
312B

MD5
0c81817158f089966a75d0568d459e46

SHA1
9a33e48a4a49ceff98b6591ed304815f9f4b9f32

SHA256
a235c735d2286bebdf24f2519996ccbae561fc98390370303ace0eb74b1159b5

SHA512
fe5f23201c70162386fd872f433174b981b6e9edc816037c168d3a16a96f49a65da07738c9dc6ac4ebdd892ee7bb6fc0074fce542389e0fe4453738d89449b18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
7fc81cad8439c4c1e9a8c6e79200592c

SHA1
9e19c66049e4c4592fa4452e0ba21053206e6bde

SHA256
b2e0ed24b0bc91750352f9dcfc4fe37268e172bbe3defa1f14bd5ed94f16d0a5

SHA512
bb4447278c96766fa008c543bf1c24b19f07b97e7a1c93b71c9abaa043d65ff51c1b01380dc7cfe54f82014996a2f2280563ede3a64922e4e2502d606e9c3714

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
522B

MD5
458acfd6be8cc7f80a088b41bb12fc39

SHA1
c2e320e6e24ae0194cb793d67cd5d6f9ffa6b2c3

SHA256
a86291b6bdf350a86aebdec5b83c46306044bd574e74d31cb421c8f219687b43

SHA512
8fad6f9f326be318d865071bfe09b6bfaa40339be879ab4e7423636f08812c5f6cc8eafdda7489533412dcf4489edf069c683a1ae7a94ac269ed39d6d73bfe88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
522B

MD5
8e6f1502ef0553b32a58e6f51526c194

SHA1
926da8aa1815efb8ba0792db9a065fa76f1a1b8d

SHA256
7d0c7ce3125415156f298175c5482d1a7fa7573ba2be5faddec2c1078b4ad075

SHA512
b58c0a801268d21f5dce94dc1778c12931f74411bd6e8057f502f7b956ce5bb65085c12074dde7faba5dbc4ed9abc85be6de1a88ca0548bea39ae310a561cbab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
354B

MD5
0653ffebfa4553f698b5cfd9edb9a7e4

SHA1
b67fc0e7cb820d01e0297df396acf6eb45d3099d

SHA256
5244bc50dad382e8e4ab8a1acaf4098a096a7891edc4d4a992b578c330e9ea8b

SHA512
5908f24070e5b296a7bfdcaa7cd211e7e58600dbac5729bf5b304a81aedbe46c0725906a7e9301d60c4de012e4ffcdb90c812109b532db881d81d811e1d71f96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
e628c34f8d51e45d496f697747a95cd0

SHA1
5e13a56755b760daa58a8c356bee8d5ce058a424

SHA256
6e28ebe19cf6ce36f3003d78c5ef3f69159bf59f4130da087d11d6a224b5b179

SHA512
b1527cce79dfd52d61254c195ffeb734f84dc65de0a0577a3b6d4e02f301df259803f2672ac0f7ac74132b570192c8005fde6e8b58907133539689182fd0599d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
027a1fb34dea9daf6a22880feabd771e

SHA1
fff140ae21e973c8739714175dac593e10b0164c

SHA256
7fbbde11077b50172e769d1296219f7b4609e53e38a38e6b7a7cb9ac774c4826

SHA512
a74534fc8a8ae154f5608005e7127ce403e1a30f98615fe8dc57b63a09aaad9a49d3cf8884accb6b1a0e569e0579bea9d5dd2f0235b35db5e03fcb13fa824c7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
b675b4cf841402d107e801124194d6db

SHA1
a32c23875df1dc18698a46fd9b6e1926ce53f1eb

SHA256
9646cad822899ed7b6b48c16ea237f6e3ec6ca4144aae1ca0cd8c2f42aac2aa4

SHA512
f50e3153f124eff8843c8662efe02861b943cf83c59df364a45b792066d5bc8292ebe5e56b4eb2ef692da150131257fe3bded772b2696040c9a360eac0a9eb97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d7f00fc0-d7d2-4779-b9ee-de3f935c65ce.tmp
Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
255KB

MD5
dbc8f87c3abd97f384b8f30910aa2f9e

SHA1
881d3aa3f6bcfa33ab5b9a7b3f189146c707b9b4

SHA256
36188ae02a9cb3c124d3948a223fa8800bca331247abc3dd1de9788f800f4d5a

SHA512
df4b889ee393dde0e5fd14ed00f1c4eb8fe5f0fedeac5cea0e019a2e31aa532c65866343e75eb152c76130aec003aceeab974a5390d88096d6ecfd92771a2df7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
255KB

MD5
29740d56f4b4d2effec6354373e35cc3

SHA1
69f0334a8c72cd5779046932a7fb910e0171d742

SHA256
e4cf9f2e764dbf1334d2b651c6d781ddf22e75f07fd93b8f106e6a795d071b5b

SHA512
900c3c54004f5c36be9a5cab5440bfca2324104b2d5cb145e0172b9ccfcc84ae1e736cb595be0100ba52b64c1319d5132f1cfc9d8a26ec07ad85f23696c9721b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
129KB

MD5
9a48c755713c9e31715f8d07aa07238d

SHA1
080acd99b25d5ccc149edd226c901a4da88a3088

SHA256
2407011596d32450fcdc41574391352d582791574c4830adb4b7424e74c98fea

SHA512
1feb24543fa8d5b5675dc80c3969fe6b61e4e36781b7f1b7c97ac1f5a0890222ea54ca6306251b205393c34fceef208de335eced49e9c45070f4ebe58d3c1f25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
5c3cc3c6ae2c1e0b92b502859ce79d0c

SHA1
bde46d0f91ad780ce5cba924f8d9f4c175c5b83d

SHA256
5a48860ad5bdf15d7a241aa16124163ec48adc0f0af758e43561ac07e4f163b2

SHA512
269b79931df92c30741c9a42a013cb24935887272ed8077653f0b6525793da52c5004c70329d8e0e7b2776fc1aba6e32da5dadf237ae42f7398fdf35a930663e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4dc6fc5e708279a3310fe55d9c44743d

SHA1
a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2

SHA256
a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8

SHA512
5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c9c4c494f8fba32d95ba2125f00586a3

SHA1
8a600205528aef7953144f1cf6f7a5115e3611de

SHA256
a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b

SHA512
9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
216B

MD5
6a6efec205d35cb8f7822c16e1ad3efa

SHA1
e7d25f103a957b683b85eea4ae58b0fbd00efa8f

SHA256
842521b1711951ee3ed4fd06c6badf5d6eaa275ab9b0dd7e36e36d582fb93f0f

SHA512
46104d25321961d44dc589ee6f093dc806f5b46481a1968b18503cfc9760fac2ec7c7928035f24656fab72e4e0bedaa84d164c33b415b11c37be1f75f29f5042

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
2c740484a9982f17ace7f99d86fe93a5

SHA1
a7caffe83124d859e541c3742073e1f4e8929136

SHA256
a9cac9f9967607ec24a8908613bcbd15b9c15ff8f5821e956d700bfb63d38d76

SHA512
a4f2f41a89cad124b754cb2660b94a1abfff8ff01cc42289f80d4b3521a8b2df45c28cbf80a29d2541cb20d44ad61309615fe98e2977ba8cd62f277b7f34a638

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
7608bba5c46b8fd6251d416b16c1c981

SHA1
5baf8d51ee5e14893c1b95435862cc53007fb028

SHA256
a9ba298cdfd088b78785acb190056366cc1fd7fb9c258e0aaba376971941012a

SHA512
a9ad45ed4522bcf8ddfcad6f6c04a852766f067e972d6e4728f3750f19707cf20ff5a11d451556f44cb7989663d0307a8497a39ff65e43ee614a273337b8c5f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
6754929feb921a8449638b41a04e12e6

SHA1
0bc60f80194f180021114e93ca28f7dfba8ab8c7

SHA256
d7a12d8a499ec84dfe4d181864d145b72bdf8df01c37b87a41e675914d382ecb

SHA512
f14c5127c87df13856d30cf604607b4b060427f4b46f257c38eec80625d4d238a17099f0a165e8c58e5b46520b4c4efe0aa3e7d4c2c4e47ea8fa593ab883bb7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
b6cda0999d78b3150098345ecb1ea769

SHA1
e0732cc40092277257fc4d7ea08741b36c6d1e3a

SHA256
f73cbe25f5d1adddf4038e40e7e2283def8d006fd23c7bd3d0158c33d70ac068

SHA512
5b9d82371436e99b77349e1b5aa462c3629982498cf8cded42198e6afcd4b90f98e054232d5eed69432fffc8489957dd6737a25665b836006976b6f203ea939d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
d72dca5b6b47eb4f1fad90ce9e0938f4

SHA1
e568c7868e6e817b9780dc31924b1a9fa4b432cd

SHA256
51e654f8a98f2d416b844cffc764cf3a4c69943b83ffa58618af997057d6ad0a

SHA512
cf5e99f50a63a45ea78e33580ea27b927977b0ce7ecb1e9f210e5a0d1f18486a277d9765150e60336ae66dc44621f65cdb5d3259d988891d0e3a2ff9334b3be4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
2KB

MD5
2f87410b0d834a14ceff69e18946d066

SHA1
f2ec80550202d493db61806693439a57b76634f3

SHA256
5422bc17b852ad463110de0db9b59ffa4219e065d3e2843618d6ebbd14273c65

SHA512
a313702f22450ceff0a1d7f890b0c16cf667dbcd668dbafa6dbecd0791236c0bc68e834d12113cc75352365c2a2b6cfcf30b6ef7c97ea53ed135da50de389db4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
2KB

MD5
992c0be3a30ef0030b622b495119719d

SHA1
70179ba444e9c499dd669f84788020be6f71aeb3

SHA256
6860019c49a878d7b0639673dd08d6e4c1b8bb629050304cdc24203d5220cbcd

SHA512
116ede2125511c30ab22fdd752e9b7ce42ccd7b0ba5c168bcd64314cafff229c6fe28ddbf84cc775a98bf0286827a7589c878f40b6bda9a45d04b1af56eeaee2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_45acnlga.q2w.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi4E6F.tmp\INetC.dll
Filesize
238KB

MD5
38caa11a462b16538e0a3daeb2fc0eaf

SHA1
c22a190b83f4b6dc0d6a44b98eac1a89a78de55c

SHA256
ed04a4823f221e9197b8f3c3da1d6859ff5b176185bde2f1c923a442516c810a

SHA512
777135e05e908ac26bfce0a9c425b57f7132c1cdb0969bbb6ef625748c868860602bacc633c61cab36d0375b94b6bcfbd8bd8c7fa781495ef7332e362f8d44d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi4E6F.tmp\SpiderBanner.dll
Filesize
9KB

MD5
17309e33b596ba3a5693b4d3e85cf8d7

SHA1
7d361836cf53df42021c7f2b148aec9458818c01

SHA256
996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

SHA512
1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi4E6F.tmp\StdUtils.dll
Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi4E6F.tmp\System.dll
Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi4E6F.tmp\WinShell.dll
Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi4E6F.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi4E6F.tmp\nsis7z.dll
Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy67EE.tmp\LangDLL.dll
Filesize
7KB

MD5
20850d4d5416fbfd6a02e8a120f360fc

SHA1
ac34f3a34aaa4a21efd6a32bc93102639170e219

SHA256
860b409b065b747aab2a9937f02d08b6fd7309993b50d8e4b53983c8c2b56b61

SHA512
c8048b9ae0ced72a384c5ab781083a76b96ae08d5c8a5c7797f75a7e54e9cd9192349f185ee88c9cf0514fc8d59e37e01d88b9c8106321c0581659ebe1d1c276

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy67EE.tmp\System.dll
Filesize
26KB

MD5
4f25d99bf1375fe5e61b037b2616695d

SHA1
958fad0e54df0736ddab28ff6cb93e6ed580c862

SHA256
803931797d95777248dee4f2a563aed51fe931d2dd28faec507c69ed0f26f647

SHA512
96a8446f322cd62377a93d2088c0ce06087da27ef95a391e02c505fb4eb1d00419143d67d89494c2ef6f57ae2fd7f049c86e00858d1b193ec6dde4d0fe0e3130

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy67EE.tmp\nsDialogs.dll
Filesize
12KB

MD5
2029c44871670eec937d1a8c1e9faa21

SHA1
e8d53b9e8bc475cc274d80d3836b526d8dd2747a

SHA256
a4ae6d33f940a80e8fe34537c5cc1f8b8679c979607969320cfb750c15809ac2

SHA512
6f151c9818ac2f3aef6d4cabd8122c7e22ccf0b84fa5d4bcc951f8c3d00e8c270127eac1e9d93c5f4594ac90de8aff87dc6e96562f532a3d19c0da63a28654b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy67EE.tmp\nsProcess.dll
Filesize
35KB

MD5
764371d831841fe57172aa830d22149d

SHA1
680e20e9b98077dea32b083b5c746d8de35e0584

SHA256
93df9e969053ca77c982c6e52b7f2898d22777a8c50274b54303eaa0ef5ccded

SHA512
19076205eba08df978ad17f8176d3a5a17c4ea684460894b6a80cae7e48fcae5e9493ff745d88d62fd44fc17bcda838570add6c38bebe4962d575f060f1584f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\VLC\5af7b7e7-f957-4b12-af6f-4eb9e9e51f9a.tmp
Filesize
86B

MD5
d11dedf80b85d8d9be3fec6bb292f64b

SHA1
aab8783454819cd66ddf7871e887abdba138aef3

SHA256
8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67

SHA512
6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

Download Submit
C:\Users\Admin\AppData\Roaming\VLC\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Roaming\VLC\Network Persistent State~RFe58c54f.TMP
Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\VLC\Session Storage\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\VLC\Session Storage\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Windows\NvOptimizerLog\chrome_100_percent.pak
Filesize
123KB

MD5
a59ea69d64bf4f748401dc5a46a65854

SHA1
111c4cc792991faf947a33386a5862e3205b0cff

SHA256
f1a935db8236203cbc1dcbb9672d98e0bd2fa514429a3f2f82a26e0eb23a4ff9

SHA512
12a1d953df00b6464ecc132a6e5b9ec3b301c7b3cefe12cbcad27a496d2d218f89e2087dd01d293d37f29391937fcbad937f7d5cf2a6f303539883e2afe3dacd

Download Submit
C:\Windows\NvOptimizerLog\chrome_200_percent.pak
Filesize
183KB

MD5
1985b8fc603db4d83df72cfaeeac7c50

SHA1
5b02363de1c193827062bfa628261b1ec16bd8cf

SHA256
7f9ded50d81c50f9c6ed89591fa621fabbd45cef150c8aabcceb3b7a9de5603b

SHA512
27e90dd18cbce0e27c70b395895ef60a8d2f2f3c3f2ca38f48b7ecf6b0d5e6fefbe88df7e7c98224222b34ff0fbd60268fdec17440f1055535a79002044c955b

Download Submit
C:\Windows\NvOptimizerLog\d3dcompiler_47.dll
Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
C:\Windows\NvOptimizerLog\ffmpeg.dll
Filesize
2.7MB

MD5
5c2e6bcfcffc022cfb7e975ad4ce2ea4

SHA1
8f65334f554b02e206faecd2049d31ef678b321d

SHA256
d068695dc8f873caab1db51c179e9696dda2319fa05c0f2d281f9979e2054fc2

SHA512
b5fe0039e1702375a6e1f4ef7bfb24d0acc42c87d02202a488fccf3d161598549055d2ac0103c95dbbc0e46975aed30259edbfef7ce77d00f1de7c1670c00959

Download Submit
C:\Windows\NvOptimizerLog\icudtl.dat
Filesize
9.9MB

MD5
70499b58dc18e7ee1d7452a1d7a8bc6e

SHA1
41c5382f08c6a88670ce73a20c0dcdb3822f19e9

SHA256
02db39ba465fc8b7a4cd280732760f29911edde87b331bf7cea7677e94d483e0

SHA512
a80939e9809bb7d20f00ad685c94d5c182fa729616c975e605abf09afb58376be73a49fefa35b75ed1a284eccf208af7656c8df44c5959df7eaf51367d232dc6

Download Submit
C:\Windows\NvOptimizerLog\libEGL.dll
Filesize
436KB

MD5
2fe9e551c93156baf537483671ec4ad7

SHA1
08ce2344b2e0a78c2af637f0eae46b948661d5a5

SHA256
f231525ba1ea2522552a722620bced187357d66d945f0cec067c5d858950ea61

SHA512
f93181f1f2268cc380dafef02a93899cb9a19f3287a918bf6ba8eaa69190627d2e2fb0c82b693471e3ca63fbcb07c44212268c1357a5a4cf594a3bd8973eefd2

Download Submit
C:\Windows\NvOptimizerLog\libGLESv2.dll
Filesize
7.5MB

MD5
5967a9234ec54d734b31cfd12cb67faf

SHA1
536840ddb29ead51d43a506fd493b48c436097d6

SHA256
48ec76bac1ff6647096a9532ac21b4a0d7c6c9c24613971aaa201cce452ce4ce

SHA512
cf8e4c3a838b58a568639ab2778800d776e0171dc34e3b82f537adbadceaa3c292240ec7d8561b5a85df3caef6e001a07ac19e280a5bb8b0607f8ba767461479

Download Submit
C:\Windows\NvOptimizerLog\locales\en-US.pak
Filesize
85KB

MD5
6bbeeb72daebc3b0cbd9c39e820c87a9

SHA1
bd9ebec2d3fc03a2b27f128cf2660b33a3344f43

SHA256
ac1cdb4fb4d9fb27a908ed0e24cc9cc2bd885bc3ffba7e08b0b907fd4d1a8c4b

SHA512
66944fb1abcc2a7e08e5fd8a2cee53eb9da57653d7880aea226f25879e26379f7d745ebf62a3518378fa503f3a31b3ea3716f49fe4c7db4f4af0228b81b53a10

Download Submit
C:\Windows\NvOptimizerLog\resources.pak
Filesize
4.9MB

MD5
5507bc28022b806ea7a3c3bc65a1c256

SHA1
9f8d3a56fef7374c46cd3557f73855d585692b54

SHA256
367467609a389b67600628760c26732fc1a25f563f73263bc2c4bf6eec9033df

SHA512
ae698d4feacc3e908981ee44df3a9d76e42a39bf083eaf099442ace2b863f882b43232e26e2c18051ca7aec81dccef5742acc7b82fb0cda2e14086b14d5a9a26

Download Submit
C:\Windows\NvOptimizerLog\resources\app.asar
Filesize
4.6MB

MD5
040a8280b01b5a029e50c5d141d555ad

SHA1
ce103568d6ae6456f1d1d718929b6972c0bad1b4

SHA256
6b6309fe0c4ca9c73626f1435ed3332656d9e6b1e500fb85af0ebf9842813485

SHA512
6706c453509bf718d1870c98a49842743cf2e49d22225a3d33051808a3f1045c7d0c065ecafae75f1bb57b4ef4436aa76774ff6553fddf3739bc47d2e9400ce8

Download Submit
C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\libgksu2.so.0
Filesize
68KB

MD5
6dbc4226a62a578b815c4d4be3eda0d7

SHA1
eb23f90635a8366c5c992043ccf2dfb817cf6512

SHA256
0eb70bd4b911c9af7c1c78018742cadb0c5f9b6d394005eaeaa733da4b5766e5

SHA512
3a2836f712ad7048dbeb5b6eec8e163652f97bea521eafcff5c598cbedf062baefaa7079d3a614470ef99ec954dac518224cb3515ca14757721f96412443c7c4

Download Submit
C:\Windows\NvOptimizerLog\resources\regedit\vbs\ArchitectureAgnosticRegistry.vbs
Filesize
2KB

MD5
310a042dca2144c9cda556e9bc4b0c02

SHA1
d2032af7eea0dbd027a36e577567e85486496949

SHA256
caa82e59ca92629057791cb1e0ba0b74c90f561fac81b029033fc081a83431b0

SHA512
843d9f6f300caba8df41511473c43f4d5029fa0012e593677c83f196c8d595194d1409069fb4b8616e0118f37ba943bbe656b29de40f0ad70997ab610fd98db8

Download Submit
C:\Windows\NvOptimizerLog\resources\regedit\vbs\regList.wsf
Filesize
985B

MD5
cae7db4194de43346121a463596e4f4f

SHA1
f72843fa7e2a8d75616787b49f77b4380367ff26

SHA256
b65c5af7dbeb43c62f6a5528af6db3cb1ca2a71735a8e7a1451796f834e355c2

SHA512
ccee660cc4878301c743d3ebde4557dc180d8b6f77c97de5e36c95f6e4d2446ef7be28ebc787fdea2f2d817890ac7bdb713196c755a51677dc127cce77670026

Download Submit
C:\Windows\NvOptimizerLog\resources\regedit\vbs\regUtil.vbs
Filesize
7KB

MD5
77e85aa761f75466e78ce420fdf67a31

SHA1
4470bd4d215d7682828cbc5f7f64993c078b2caa

SHA256
350dea3d6c8e65372f8d12a5fd92a3a46a7519610c69564e8185a2ed66b00d59

SHA512
50af664777545ced78c34a6ea35dae542fdb85b8b307a4a4a95db25a808a695d3fe8840edb36325279c2381fbae071f6b509f7491185cef2f42afcb7672cfd13

Download Submit
C:\Windows\NvOptimizerLog\resources\regedit\vbs\util.vbs
Filesize
4KB

MD5
e2be267c02d51df566fa726fc8aa075a

SHA1
c9b9ae17f36e23d5d3cbbf2d6f17a954bfa87d24

SHA256
b2efd5e0c2f695063a8bce40c8182aa70f33c4b1b77d232b7530d89fb9646f0c

SHA512
b6f80622a9f61f636f7786d91a1b9e06a64602f0898425e90a1a696d0a4855c8c08cbd6e6b98b9a3a1a24de354b26260247953b5273f7d57ea87294b4b142e8a

Download Submit
C:\Windows\NvOptimizerLog\resources\vlc\installer.exe
Filesize
42.4MB

MD5
14becb7840eb1d3d46071d2ee65c7be8

SHA1
ff6e6f9359127f836a03dfc2b8bc9ba651c627c4

SHA256
9737843c119905be767de5e94e398be1eb145b0cc6a5a02f057d4022b80da4d8

SHA512
717289d3b514f4daa6b1cf97705c876bbe89fa215084ba8e1abeef3770e0a620d04127ef8de1f2d89477e1fab355526ed584ed3f9c7ecaf0c7d24a9bceee8248

Download Submit
C:\Windows\NvOptimizerLog\v8_context_snapshot.bin
Filesize
160KB

MD5
b64c1fc7d75234994012c86dc5af10a6

SHA1
d0d562b5735d28381d59d0d86078ff6b493a678e

SHA256
31c3aa5645b5487bf484fd910379003786523f3063e946ef9b50d257d0ee5790

SHA512
6218fcb74ef715030a2dd718c87b32f41e976dd4ce459c54a45341ee0f5ca5c927ad507d3afcffe7298b989e969885ed7fb72030ea59387609e8bd5c4b8eb60a

Download Submit
\??\pipe\LOCAL\crashpad_3392_OGSLPGYRDDEWUHGR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1460-513-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1460-514-0x0000000074DB0000-0x0000000074DBE000-memory.dmp

Filesize
56KB

Download
memory/1460-515-0x0000000074DA0000-0x0000000074DAB000-memory.dmp

Filesize
44KB

Download
memory/1460-641-0x0000000074750000-0x000000007475C000-memory.dmp

Filesize
48KB

Download
memory/1460-638-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1460-704-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2844-444-0x00000284CA930000-0x00000284CA95A000-memory.dmp

Filesize
168KB

Download
memory/2844-445-0x00000284CA930000-0x00000284CA954000-memory.dmp

Filesize
144KB

Download
memory/2844-436-0x00000284CA3F0000-0x00000284CA412000-memory.dmp

Filesize
136KB

Download
memory/2844-442-0x00000284CA9B0000-0x00000284CAA26000-memory.dmp

Filesize
472KB

Download
memory/2844-441-0x00000284CA8E0000-0x00000284CA924000-memory.dmp

Filesize
272KB

Download
memory/4516-1043-0x0000000074750000-0x000000007475C000-memory.dmp

Filesize
48KB

Download
memory/4516-1042-0x0000000074DA0000-0x0000000074DAB000-memory.dmp

Filesize
44KB

Download
memory/4516-1040-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4664-495-0x000001A473E50000-0x000001A473EBB000-memory.dmp

Filesize
428KB

Download
memory/4664-349-0x00007FFF23CD0000-0x00007FFF23CD1000-memory.dmp

Filesize
4KB

Download
memory/5860-1039-0x0000019ECA0A0000-0x0000019ECA10B000-memory.dmp

Filesize
428KB

Download