21be0a068d7d1b57578bfb2ed850b3f3b1cfe4a4c47981ead95abdb8c20278fe

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06-04-2024 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
Size

704KB
MD5

d1fc9e6d71a4867ab71af5566e525ba0
SHA1

593b10280a926134839feb8e2f9d0da9ee9c0593
SHA256

21be0a068d7d1b57578bfb2ed850b3f3b1cfe4a4c47981ead95abdb8c20278fe
SHA512

c82a23e5e0e3a38e32fc08401890852a71ec90640bbfb944ed7d45812493a53d2be2c0e4373692e52c77d666b8ae72cd0d15c3dc4bc3cc52887ad4589820658d
SSDEEP

12288:iOIVD3gyucpjRKaDPNKT1zH3ptaR1sDfOQSvJqFZ6rOIIzVFA4+M:iOIyyuUjMaDu173pG1szLSvJwSOZBv

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VLC.exeVLC.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	VLC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	VLC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops file in System32 directory 1 IoCs

Processes:

VLC.exe

description ioc process

File created C:\Windows\System32\NvWinSearchOptimizer.ps1 VLC.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc	process
File created	C:\Windows\System32\NvWinSearchOptimizer.ps1	VLC.exe

Drops file in Windows directory 64 IoCs

Processes:

CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe

description	ioc	process
File opened for modification	C:\Windows\NvOptimizerLog\locales\es.pak	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\id.pak	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\ta.pak	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\snapshot_blob.bin	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\elevate.exe	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\vendor\win32	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File created	C:\Windows\NvOptimizerLog\locales\fil.pak	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\ro.pak	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\assets\linux.png	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\lib\utils.js	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File created	C:\Windows\NvOptimizerLog\locales\fi.pak	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File created	C:\Windows\NvOptimizerLog\locales\ko.pak	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File created	C:\Windows\NvOptimizerLog\locales\zh-TW.pak	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\applet.app\Contents\Resources\Scripts\main.scpt	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\lib\sudoer.js	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\v8_context_snapshot.bin	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File created	C:\Windows\NvOptimizerLog\v8_context_snapshot.bin	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\index.js	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File created	C:\Windows\NvOptimizerLog\resources\regedit\vbs\regPutValue.wsf	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\regedit\vbs\regPutValue.wsf	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File created	C:\Windows\NvOptimizerLog\locales\hi.pak	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\zh-TW.pak	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File created	C:\Windows\NvOptimizerLog\resources\app-update.yml	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\cs.pak	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\applet.app\Contents\PkgInfo	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\applet.app\Contents\Resources\applet.rsrc	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\vendor\win32\Elevate\stdafx.h	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\vendor	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\index.js	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\gksudo	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\webpack\chmod.js	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File created	C:\Windows\NvOptimizerLog\resources\regedit\vbs\regCreateKey.wsf	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\fi.pak	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\gksudo	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\vendor\win32\Elevate\Elevate.vcxproj	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\vendor\win32\Elevate\Elevate.vcproj	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\fa.pak	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\applet.app\LICENSE	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\gksudo	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\swiftshader	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File created	C:\Windows\NvOptimizerLog\LICENSE.electron.txt	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\.babelrc	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File created	C:\Windows\NvOptimizerLog\resources\regedit\vbs\regUtil.vbs	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\vulkan-1.dll	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\te.pak	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\es-419.pak	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\icudtl.dat	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File created	C:\Windows\NvOptimizerLog\locales\sk.pak	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\.eslintignore	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\applet.app\LICENSE	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\LICENSE	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\package.json	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File created	C:\Windows\NvOptimizerLog\resources\vlc\installer.exe	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\applet.app	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\applet.app\Contents\Resources	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\applet.app\Contents\Resources\Scripts	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\en-US.pak	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File created	C:\Windows\NvOptimizerLog\locales\lv.pak	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\applet.app\Contents\MacOS\applet	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\elevate.exe	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\vendor\win32\Elevate\stdafx.h	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\kn.pak	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\ru.pak	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe

Executes dropped EXE 5 IoCs

Processes:

VLC.exeVLC.exeVLC.exeVLC.exeinstaller.exe

pid process

2396 VLC.exe
4892 VLC.exe
3684 VLC.exe
1960 VLC.exe
3668 installer.exe

pid	process
2396	VLC.exe
4892	VLC.exe
3684	VLC.exe
1960	VLC.exe
3668	installer.exe

Loads dropped DLL 19 IoCs

Processes:

CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exeVLC.exeVLC.exeVLC.exeVLC.exeinstaller.exe

pid	process
4996	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
4996	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
4996	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
4996	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
4996	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
4996	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
4996	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
4996	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
4996	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
4996	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
2396	VLC.exe
3684	VLC.exe
1960	VLC.exe
4892	VLC.exe
4892	VLC.exe
4892	VLC.exe
4892	VLC.exe
3668	installer.exe
3668	installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4592 schtasks.exe

pid	process
4592	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2596 systeminfo.exe

pid	process
2596	systeminfo.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133568898840651059"	chrome.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exeVLC.exeVLC.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exemsedge.exemsedge.exechrome.exe

pid	process
4996	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
4996	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
4996	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
4996	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
4996	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
4996	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
1960	VLC.exe
1960	VLC.exe
3684	VLC.exe
3684	VLC.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2280	powershell.exe
2280	powershell.exe
2280	powershell.exe
1168	powershell.exe
1168	powershell.exe
2904	powershell.exe
2904	powershell.exe
2904	powershell.exe
2904	powershell.exe
2796	powershell.exe
2796	powershell.exe
4368	msedge.exe
4368	msedge.exe
4480	msedge.exe
4480	msedge.exe
3500	chrome.exe
3500	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exechrome.exe

pid process

4480 msedge.exe
4480 msedge.exe
3500 chrome.exe
3500 chrome.exe
4480 msedge.exe
3500 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeSecurityPrivilege	4996	CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeIncreaseQuotaPrivilege	2784	powershell.exe
Token: SeSecurityPrivilege	2784	powershell.exe
Token: SeTakeOwnershipPrivilege	2784	powershell.exe
Token: SeLoadDriverPrivilege	2784	powershell.exe
Token: SeSystemProfilePrivilege	2784	powershell.exe
Token: SeSystemtimePrivilege	2784	powershell.exe
Token: SeProfSingleProcessPrivilege	2784	powershell.exe
Token: SeIncBasePriorityPrivilege	2784	powershell.exe
Token: SeCreatePagefilePrivilege	2784	powershell.exe
Token: SeBackupPrivilege	2784	powershell.exe
Token: SeRestorePrivilege	2784	powershell.exe
Token: SeShutdownPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeSystemEnvironmentPrivilege	2784	powershell.exe
Token: SeRemoteShutdownPrivilege	2784	powershell.exe
Token: SeUndockPrivilege	2784	powershell.exe
Token: SeManageVolumePrivilege	2784	powershell.exe
Token: 33	2784	powershell.exe
Token: 34	2784	powershell.exe
Token: 35	2784	powershell.exe
Token: 36	2784	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeIncreaseQuotaPrivilege	2280	powershell.exe
Token: SeSecurityPrivilege	2280	powershell.exe
Token: SeTakeOwnershipPrivilege	2280	powershell.exe
Token: SeLoadDriverPrivilege	2280	powershell.exe
Token: SeSystemProfilePrivilege	2280	powershell.exe
Token: SeSystemtimePrivilege	2280	powershell.exe
Token: SeProfSingleProcessPrivilege	2280	powershell.exe
Token: SeIncBasePriorityPrivilege	2280	powershell.exe
Token: SeCreatePagefilePrivilege	2280	powershell.exe
Token: SeBackupPrivilege	2280	powershell.exe
Token: SeRestorePrivilege	2280	powershell.exe
Token: SeShutdownPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeSystemEnvironmentPrivilege	2280	powershell.exe
Token: SeRemoteShutdownPrivilege	2280	powershell.exe
Token: SeUndockPrivilege	2280	powershell.exe
Token: SeManageVolumePrivilege	2280	powershell.exe
Token: 33	2280	powershell.exe
Token: 34	2280	powershell.exe
Token: 35	2280	powershell.exe
Token: 36	2280	powershell.exe
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeIncreaseQuotaPrivilege	1168	powershell.exe
Token: SeSecurityPrivilege	1168	powershell.exe
Token: SeTakeOwnershipPrivilege	1168	powershell.exe
Token: SeLoadDriverPrivilege	1168	powershell.exe
Token: SeSystemProfilePrivilege	1168	powershell.exe
Token: SeSystemtimePrivilege	1168	powershell.exe
Token: SeProfSingleProcessPrivilege	1168	powershell.exe
Token: SeIncBasePriorityPrivilege	1168	powershell.exe
Token: SeCreatePagefilePrivilege	1168	powershell.exe
Token: SeBackupPrivilege	1168	powershell.exe
Token: SeRestorePrivilege	1168	powershell.exe
Token: SeShutdownPrivilege	1168	powershell.exe
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeSystemEnvironmentPrivilege	1168	powershell.exe
Token: SeRemoteShutdownPrivilege	1168	powershell.exe
Token: SeUndockPrivilege	1168	powershell.exe
Token: SeManageVolumePrivilege	1168	powershell.exe
Token: 33	1168	powershell.exe

Suspicious use of FindShellTrayWindow 51 IoCs

Processes:

msedge.exechrome.exe

pid	process
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

msedge.exechrome.exe

pid	process
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

VLC.exeVLC.exeVLC.exeVLC.exeinstaller.exe

pid process

2396 VLC.exe
3684 VLC.exe
1960 VLC.exe
4892 VLC.exe
3668 installer.exe

pid	process
2396	VLC.exe
3684	VLC.exe
1960	VLC.exe
4892	VLC.exe
3668	installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VLC.exeVLC.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 4892	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 1960	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 1960	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 3684	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 3684	2396	VLC.exe	VLC.exe
PID 2396 wrote to memory of 3668	2396	VLC.exe	installer.exe
PID 2396 wrote to memory of 3668	2396	VLC.exe	installer.exe
PID 2396 wrote to memory of 3668	2396	VLC.exe	installer.exe
PID 3684 wrote to memory of 1776	3684	VLC.exe	cmd.exe
PID 3684 wrote to memory of 1776	3684	VLC.exe	cmd.exe
PID 1776 wrote to memory of 3104	1776	cmd.exe	chcp.com
PID 1776 wrote to memory of 3104	1776	cmd.exe	chcp.com
PID 3684 wrote to memory of 2784	3684	VLC.exe	powershell.exe
PID 3684 wrote to memory of 2784	3684	VLC.exe	powershell.exe
PID 3684 wrote to memory of 2280	3684	VLC.exe	powershell.exe
PID 3684 wrote to memory of 2280	3684	VLC.exe	powershell.exe
PID 3684 wrote to memory of 1168	3684	VLC.exe	powershell.exe
PID 3684 wrote to memory of 1168	3684	VLC.exe	powershell.exe
PID 3684 wrote to memory of 4380	3684	VLC.exe	cmd.exe
PID 3684 wrote to memory of 4380	3684	VLC.exe	cmd.exe
PID 4380 wrote to memory of 4592	4380	cmd.exe	schtasks.exe
PID 4380 wrote to memory of 4592	4380	cmd.exe	schtasks.exe
PID 3684 wrote to memory of 2276	3684	VLC.exe	cmd.exe
PID 3684 wrote to memory of 2276	3684	VLC.exe	cmd.exe
PID 2276 wrote to memory of 2904	2276	cmd.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
"C:\Users\Admin\AppData\Local\Temp\CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe"
1⤵
- Drops file in Windows directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Windows\NvOptimizerLog\VLC.exe
"C:\Windows\NvOptimizerLog\VLC.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\NvOptimizerLog\VLC.exe
"C:\Windows\NvOptimizerLog\VLC.exe" --type=gpu-process --field-trial-handle=1600,8708008675724705944,5025598710858901910,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1624 /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4892

C:\Windows\NvOptimizerLog\resources\vlc\installer.exe
resources/vlc/installer.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3668

C:\Windows\NvOptimizerLog\VLC.exe
"C:\Windows\NvOptimizerLog\VLC.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1600,8708008675724705944,5025598710858901910,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1948 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1960

C:\Windows\NvOptimizerLog\VLC.exe
"C:\Windows\NvOptimizerLog\VLC.exe" --type=renderer --field-trial-handle=1600,8708008675724705944,5025598710858901910,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Windows\NvOptimizerLog\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2032 /prefetch:1
2⤵
- Checks computer location settings
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "chcp"
3⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\system32\chcp.com
chcp
4⤵
PID:3104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "SCHTASKS /Create /TN "NvOptimizerTaskUpdater_V2" /SC HOURLY /TR "powershell -File C:/Windows/System32/NvWinSearchOptimizer.ps1" /RL HIGHEST /MO 4 /RU System /ST 15:14"
3⤵
- Suspicious use of WriteProcessMemory
PID:4380

C:\Windows\system32\schtasks.exe
SCHTASKS /Create /TN "NvOptimizerTaskUpdater_V2" /SC HOURLY /TR "powershell -File C:/Windows/System32/NvWinSearchOptimizer.ps1" /RL HIGHEST /MO 4 /RU System /ST 15:14
4⤵
- Creates scheduled task(s)
PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Set-ExecutionPolicy -ExecutionPolicy Unrestricted"
3⤵
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-ExecutionPolicy -ExecutionPolicy Unrestricted
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ExecutionPolicy"
3⤵
PID:2296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ExecutionPolicy
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "systeminfo"
3⤵
PID:4284

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:2596

C:\Windows\system32\cscript.exe
cscript.exe
3⤵
PID:4528

C:\Windows\system32\cscript.exe
cscript.exe //Nologo resources\regedit\vbs\regList.wsf A HKCU\SOFTWARE\NvOptimizer
3⤵
PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "start chrome "https://mediatrackerr.com/track-install?s=vlc&u=cd92250c-59a0-46d5-a2bf-4882fdd06db2&f=CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe""
3⤵
- Checks computer location settings
PID:3876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://mediatrackerr.com/track-install?s=vlc&u=cd92250c-59a0-46d5-a2bf-4882fdd06db2&f=CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe"
4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffcd349758,0x7fffcd349768,0x7fffcd349778
5⤵
PID:2164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1820,i,12137581636967339575,8178787057888437477,131072 /prefetch:2
5⤵
PID:1528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1820,i,12137581636967339575,8178787057888437477,131072 /prefetch:8
5⤵
PID:2008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2272 --field-trial-handle=1820,i,12137581636967339575,8178787057888437477,131072 /prefetch:8
5⤵
PID:3612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3112 --field-trial-handle=1820,i,12137581636967339575,8178787057888437477,131072 /prefetch:1
5⤵
PID:1776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3132 --field-trial-handle=1820,i,12137581636967339575,8178787057888437477,131072 /prefetch:1
5⤵
PID:4476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4664 --field-trial-handle=1820,i,12137581636967339575,8178787057888437477,131072 /prefetch:1
5⤵
PID:5500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 --field-trial-handle=1820,i,12137581636967339575,8178787057888437477,131072 /prefetch:8
5⤵
PID:6004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4820 --field-trial-handle=1820,i,12137581636967339575,8178787057888437477,131072 /prefetch:8
5⤵
PID:6040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 --field-trial-handle=1820,i,12137581636967339575,8178787057888437477,131072 /prefetch:8
5⤵
PID:6132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mediatrackerr.com/track-install?s=vlc&u=cd92250c-59a0-46d5-a2bf-4882fdd06db2&f=CS2_Free_Luno_Cheat___Legit_Hack_with_Aimbot,_W-Setup-v-ao47etv.exe
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffcda046f8,0x7fffcda04708,0x7fffcda04718
4⤵
PID:4140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,5784345847082245387,1377921656434203548,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 /prefetch:2
4⤵
PID:2160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,5784345847082245387,1377921656434203548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1960,5784345847082245387,1377921656434203548,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
4⤵
PID:516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,5784345847082245387,1377921656434203548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
4⤵
PID:3100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,5784345847082245387,1377921656434203548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
4⤵
PID:4412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,5784345847082245387,1377921656434203548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1
4⤵
PID:5340

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3892

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5156

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
38fe440dcb41bf01baa39153169a3d74

SHA1
74a11892ffb1e9baf34fca27ce617993a3221080

SHA256
80c40063d4b3729809906924dd55487a4f20c5bc8aeefa8cfc313dc532f7e423

SHA512
eaf66971a2b57aa93c9fb3c2d25759174dfb0a90d61f2589aeee59d3c540b5cbd9fb669891616e57b41d66b41b6586c3724d3b02f91a86bb7bd905bf2faac31c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
e9a23fdc97e810a8dd9c14b10fbeda4b

SHA1
108c2242154d183e9574e7ff26b80cbf1ef8b695

SHA256
13a0a65dc6d6d82ae46a5677dd26eeeb1e43d05367b3ac2441570c84b712501f

SHA512
fd51b6467a24a501f9a5265b5d91f78f926a3a13448d2e108c4d7c2732371fa2d711e8f24f23c5cee0661a9e6a9ea0d89689f0b5b0df84d0f3424a4f5b80dfcc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
392B

MD5
24ab4e1b1909e63e364c5dde30a39696

SHA1
37b6360ee0115af3fe4688cf7901b952f415e0fb

SHA256
678b748fca0398f40a886ddeabd9524ede12ad8c265853d48cf2cd2ac23f1c12

SHA512
cf2b695afe7b0004be26c05a38e12d796c3aa7d31b3e7fb8f1883bdd97f02fdcd0de00a959d2d0e2b765eaab795619dc01c34a96f453accb7f07db0dffaafa30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
336B

MD5
d684b043f3c5b06bf7abbacac73060f8

SHA1
0196aa0511e74ae2af47a4d17c4676e79e9b58d0

SHA256
cc078341aa7364bb5d403482412fd8b8f55a691b38c0fc0ab57603aac048db49

SHA512
a16474019fe08e7ee24798e1b1fdef291405bd2e9a385fdc9077c5f434963e85c2fff78b1ba0adea083797aeb043b9052f88181bcab0e2a29b489240e1e9d25c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
539B

MD5
34b8451fec5a3e3144d7907febb8adbd

SHA1
7da0e305e6a7beb15a2aa6297d68be814dc8ea15

SHA256
4bf6f0e7eb087d1fb548cbb3b98c5d14383628c4a62c840cee15d6abc88045c6

SHA512
5ddaf081fef48a7bd4dde7dcb97181d72e98cd3b7c85090893eb534f0ad0fb9112e91192b9ed8d5b4890be513d8499a53e32ec91f8bb6dd3b01854fa47e3b917

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
a720e1227f0f54d645f5acaea8791e3b

SHA1
40aa57bfca530e025cf5447edfbf38d0983b38bd

SHA256
c22f541cc4fcb3f62b469fdda5a9cdb8a4c45ad7cd3cd61e5a147acc64e9862a

SHA512
16abaa0ef533f8be2e465c2e567cdb75158a006f9187a3d6ea5010dfd977aa9f349054c4f79119a01e1181da07babb3938ceb57a838982c3f195d765db9b9458

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
81cb668ca6fc21c9470b1b30d9842d58

SHA1
7626f618260953167d91043a33f7297835efcde1

SHA256
fcd4459d94881ab3c7536848e7a09b104a26710c7729686b98304b74d3316e6f

SHA512
727c07a2cf4de6389115b0e0d8b930cc96bcc1232da5f840b4b7d6ef56b0fe23d8ddc78d51e778432eec5625d5e72043700bf68e64563d71bad4d18049f7ef83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
32087e4dccc61cd3a4bc46ae46dcfc7a

SHA1
a56e6f1f51a4422ee31ec30697cd8625ec5d5bf5

SHA256
b39b042fd03e1954f9acc2d8f300234f546d883fc7b516ee7b9c102210fac6f4

SHA512
3a2862738c0e640d43c3ea219d251147741243e0cac5be84fc5b506642d21798bbc15d7493f24ab66105cd511e3abea7c2d14fa9c1dc281f5c3dd622dea456e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
5c3cc3c6ae2c1e0b92b502859ce79d0c

SHA1
bde46d0f91ad780ce5cba924f8d9f4c175c5b83d

SHA256
5a48860ad5bdf15d7a241aa16124163ec48adc0f0af758e43561ac07e4f163b2

SHA512
269b79931df92c30741c9a42a013cb24935887272ed8077653f0b6525793da52c5004c70329d8e0e7b2776fc1aba6e32da5dadf237ae42f7398fdf35a930663e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9f44d6f922f830d04d7463189045a5a3

SHA1
2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c

SHA256
0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a

SHA512
7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7740a919423ddc469647f8fdd981324d

SHA1
c1bc3f834507e4940a0b7594e34c4b83bbea7cda

SHA256
bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221

SHA512
7ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
336B

MD5
c6356738722528a90497812718fa9fe7

SHA1
67269d934f115a082ac00d66189f117493d2b84c

SHA256
21b7d677f34b2145af557df5a00725f73a31c088ea46dc1c8ee881133b821926

SHA512
0b395d4d765e75a87210754164692190c86ca065e5ab8b384a9bc96e6934899f7ac7d1cd89d8bbd5e4b3df431f82cce3ae96a3e5fc77ab0a25cf02c92278102b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
bce06e0a87712826dd3dac5c7c02cc94

SHA1
a299e8cf701b5abb89084295f6ed7ae09fd60bed

SHA256
927c2c19c0d3843f79a53fc0cb23f6e5fca983e423338e903e5831c0df0051b7

SHA512
ec6fc8ea71fffe87390bc19dd2eb818b719caa7958b435d0c490369659b92cdf62decd71a4245e6a633b68fecf226bf7a8960b49b8fb071b6fd6c706badbac14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
301eccec463a0b931113da2c64902f13

SHA1
343b5f21115327c2ba6e27185d25774df9554388

SHA256
33111ec8667b733844b1af2b3419ae45a9b7c2cbd9e5ebb98006a9eeded76426

SHA512
5525cf80f093e123c834e165ec7873b7a8988b35bfa3c4237d0946cc319cff302e0b6c241844aed8203adb9e82da9de06e382a41c03687d71e93a068bd4f397c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
cc0397a4e277c165803d3040dc60bb05

SHA1
eea289aebf87820a7916b65ba99be113ebb98ac2

SHA256
4b26514df1bbd7018354720c33abb2fed3ab23bc016fd904c78af4078a3b3dbe

SHA512
49af0767db23a5ed04ac375c3f94654e6d1e8774c0fc35163c769d36858d481ac1927eb994f861c375e242dfda5df6e440bdc10b6e3bfeec5742d072e6b3821a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
2KB

MD5
2f87410b0d834a14ceff69e18946d066

SHA1
f2ec80550202d493db61806693439a57b76634f3

SHA256
5422bc17b852ad463110de0db9b59ffa4219e065d3e2843618d6ebbd14273c65

SHA512
a313702f22450ceff0a1d7f890b0c16cf667dbcd668dbafa6dbecd0791236c0bc68e834d12113cc75352365c2a2b6cfcf30b6ef7c97ea53ed135da50de389db4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
2KB

MD5
74b9faf441fc9e5ae0e7c48020ec0b7e

SHA1
5a51bb002f29be835fa72b7f812025020efbc439

SHA256
a0aabdd6ab61ce3e1ba57b804cc35d46355ea03a51560b3b47c997320b213b33

SHA512
5e94f75385b36373d25d085dc6cd5b6f809db19ab5f7b7076cf3978e0104595f98d1a839975b765ed160fb0164a5c0aefbb3a8ee687a7a16a95b1894901fdb88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eitbd05m.5zs.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl46F9.tmp\LangDLL.dll
Filesize
7KB

MD5
20850d4d5416fbfd6a02e8a120f360fc

SHA1
ac34f3a34aaa4a21efd6a32bc93102639170e219

SHA256
860b409b065b747aab2a9937f02d08b6fd7309993b50d8e4b53983c8c2b56b61

SHA512
c8048b9ae0ced72a384c5ab781083a76b96ae08d5c8a5c7797f75a7e54e9cd9192349f185ee88c9cf0514fc8d59e37e01d88b9c8106321c0581659ebe1d1c276

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl46F9.tmp\System.dll
Filesize
26KB

MD5
4f25d99bf1375fe5e61b037b2616695d

SHA1
958fad0e54df0736ddab28ff6cb93e6ed580c862

SHA256
803931797d95777248dee4f2a563aed51fe931d2dd28faec507c69ed0f26f647

SHA512
96a8446f322cd62377a93d2088c0ce06087da27ef95a391e02c505fb4eb1d00419143d67d89494c2ef6f57ae2fd7f049c86e00858d1b193ec6dde4d0fe0e3130

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz4612.tmp\INetC.dll
Filesize
238KB

MD5
38caa11a462b16538e0a3daeb2fc0eaf

SHA1
c22a190b83f4b6dc0d6a44b98eac1a89a78de55c

SHA256
ed04a4823f221e9197b8f3c3da1d6859ff5b176185bde2f1c923a442516c810a

SHA512
777135e05e908ac26bfce0a9c425b57f7132c1cdb0969bbb6ef625748c868860602bacc633c61cab36d0375b94b6bcfbd8bd8c7fa781495ef7332e362f8d44d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz4612.tmp\SpiderBanner.dll
Filesize
9KB

MD5
17309e33b596ba3a5693b4d3e85cf8d7

SHA1
7d361836cf53df42021c7f2b148aec9458818c01

SHA256
996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

SHA512
1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz4612.tmp\StdUtils.dll
Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz4612.tmp\System.dll
Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz4612.tmp\WinShell.dll
Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz4612.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz4612.tmp\nsis7z.dll
Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz4612.tmp\package.7z
Filesize
99.0MB

MD5
fdfe1ece23e984d00402431d082d768e

SHA1
9405760465c3f8abc4d08473219deea9d902e2e6

SHA256
99168cc1971f35f0cea1ac61d90e3aef6cc177a510bb90203350ac2c808c73ee

SHA512
d0979e9359d7c15910522aefb5e5e23eeaacf0335fa299e09c9c6ddc962c1a224bdf3372d0f286b181182fc893bcd93558e360fb6f6645613c9a0875a89a8b49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Windows\NvOptimizerLog\VLC.exe
Filesize
125.1MB

MD5
031021334754b192f286d0c1610ba5a1

SHA1
0cdc202ba17c952076c37c85eece7b678ebaeef9

SHA256
c11b411ae2ce44803a4a2e1f14afc93f11c8b111fdf0205639be5141a28f3a89

SHA512
eb0a34610e7479902d6498bcd75c71b4efed77b1b07dc44c22d1c59897b18f62d4399a710d29d9665b830a50c2f0703c5ecd5cdcd2751b50b4e416581ff08bea

Download Submit
C:\Windows\NvOptimizerLog\chrome_100_percent.pak
Filesize
123KB

MD5
a59ea69d64bf4f748401dc5a46a65854

SHA1
111c4cc792991faf947a33386a5862e3205b0cff

SHA256
f1a935db8236203cbc1dcbb9672d98e0bd2fa514429a3f2f82a26e0eb23a4ff9

SHA512
12a1d953df00b6464ecc132a6e5b9ec3b301c7b3cefe12cbcad27a496d2d218f89e2087dd01d293d37f29391937fcbad937f7d5cf2a6f303539883e2afe3dacd

Download Submit
C:\Windows\NvOptimizerLog\chrome_200_percent.pak
Filesize
183KB

MD5
1985b8fc603db4d83df72cfaeeac7c50

SHA1
5b02363de1c193827062bfa628261b1ec16bd8cf

SHA256
7f9ded50d81c50f9c6ed89591fa621fabbd45cef150c8aabcceb3b7a9de5603b

SHA512
27e90dd18cbce0e27c70b395895ef60a8d2f2f3c3f2ca38f48b7ecf6b0d5e6fefbe88df7e7c98224222b34ff0fbd60268fdec17440f1055535a79002044c955b

Download Submit
C:\Windows\NvOptimizerLog\d3dcompiler_47.dll
Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
C:\Windows\NvOptimizerLog\ffmpeg.dll
Filesize
2.7MB

MD5
5c2e6bcfcffc022cfb7e975ad4ce2ea4

SHA1
8f65334f554b02e206faecd2049d31ef678b321d

SHA256
d068695dc8f873caab1db51c179e9696dda2319fa05c0f2d281f9979e2054fc2

SHA512
b5fe0039e1702375a6e1f4ef7bfb24d0acc42c87d02202a488fccf3d161598549055d2ac0103c95dbbc0e46975aed30259edbfef7ce77d00f1de7c1670c00959

Download Submit
C:\Windows\NvOptimizerLog\icudtl.dat
Filesize
9.9MB

MD5
70499b58dc18e7ee1d7452a1d7a8bc6e

SHA1
41c5382f08c6a88670ce73a20c0dcdb3822f19e9

SHA256
02db39ba465fc8b7a4cd280732760f29911edde87b331bf7cea7677e94d483e0

SHA512
a80939e9809bb7d20f00ad685c94d5c182fa729616c975e605abf09afb58376be73a49fefa35b75ed1a284eccf208af7656c8df44c5959df7eaf51367d232dc6

Download Submit
C:\Windows\NvOptimizerLog\libEGL.dll
Filesize
436KB

MD5
2fe9e551c93156baf537483671ec4ad7

SHA1
08ce2344b2e0a78c2af637f0eae46b948661d5a5

SHA256
f231525ba1ea2522552a722620bced187357d66d945f0cec067c5d858950ea61

SHA512
f93181f1f2268cc380dafef02a93899cb9a19f3287a918bf6ba8eaa69190627d2e2fb0c82b693471e3ca63fbcb07c44212268c1357a5a4cf594a3bd8973eefd2

Download Submit
C:\Windows\NvOptimizerLog\libGLESv2.dll
Filesize
7.5MB

MD5
5967a9234ec54d734b31cfd12cb67faf

SHA1
536840ddb29ead51d43a506fd493b48c436097d6

SHA256
48ec76bac1ff6647096a9532ac21b4a0d7c6c9c24613971aaa201cce452ce4ce

SHA512
cf8e4c3a838b58a568639ab2778800d776e0171dc34e3b82f537adbadceaa3c292240ec7d8561b5a85df3caef6e001a07ac19e280a5bb8b0607f8ba767461479

Download Submit
C:\Windows\NvOptimizerLog\locales\en-US.pak
Filesize
85KB

MD5
6bbeeb72daebc3b0cbd9c39e820c87a9

SHA1
bd9ebec2d3fc03a2b27f128cf2660b33a3344f43

SHA256
ac1cdb4fb4d9fb27a908ed0e24cc9cc2bd885bc3ffba7e08b0b907fd4d1a8c4b

SHA512
66944fb1abcc2a7e08e5fd8a2cee53eb9da57653d7880aea226f25879e26379f7d745ebf62a3518378fa503f3a31b3ea3716f49fe4c7db4f4af0228b81b53a10

Download Submit
C:\Windows\NvOptimizerLog\resources.pak
Filesize
4.9MB

MD5
5507bc28022b806ea7a3c3bc65a1c256

SHA1
9f8d3a56fef7374c46cd3557f73855d585692b54

SHA256
367467609a389b67600628760c26732fc1a25f563f73263bc2c4bf6eec9033df

SHA512
ae698d4feacc3e908981ee44df3a9d76e42a39bf083eaf099442ace2b863f882b43232e26e2c18051ca7aec81dccef5742acc7b82fb0cda2e14086b14d5a9a26

Download Submit
C:\Windows\NvOptimizerLog\resources\app.asar
Filesize
4.6MB

MD5
040a8280b01b5a029e50c5d141d555ad

SHA1
ce103568d6ae6456f1d1d718929b6972c0bad1b4

SHA256
6b6309fe0c4ca9c73626f1435ed3332656d9e6b1e500fb85af0ebf9842813485

SHA512
6706c453509bf718d1870c98a49842743cf2e49d22225a3d33051808a3f1045c7d0c065ecafae75f1bb57b4ef4436aa76774ff6553fddf3739bc47d2e9400ce8

Download Submit
C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\libgksu2.so.0
Filesize
68KB

MD5
6dbc4226a62a578b815c4d4be3eda0d7

SHA1
eb23f90635a8366c5c992043ccf2dfb817cf6512

SHA256
0eb70bd4b911c9af7c1c78018742cadb0c5f9b6d394005eaeaa733da4b5766e5

SHA512
3a2836f712ad7048dbeb5b6eec8e163652f97bea521eafcff5c598cbedf062baefaa7079d3a614470ef99ec954dac518224cb3515ca14757721f96412443c7c4

Download Submit
C:\Windows\NvOptimizerLog\resources\regedit\vbs\ArchitectureAgnosticRegistry.vbs
Filesize
2KB

MD5
310a042dca2144c9cda556e9bc4b0c02

SHA1
d2032af7eea0dbd027a36e577567e85486496949

SHA256
caa82e59ca92629057791cb1e0ba0b74c90f561fac81b029033fc081a83431b0

SHA512
843d9f6f300caba8df41511473c43f4d5029fa0012e593677c83f196c8d595194d1409069fb4b8616e0118f37ba943bbe656b29de40f0ad70997ab610fd98db8

Download Submit
C:\Windows\NvOptimizerLog\resources\regedit\vbs\regList.wsf
Filesize
985B

MD5
cae7db4194de43346121a463596e4f4f

SHA1
f72843fa7e2a8d75616787b49f77b4380367ff26

SHA256
b65c5af7dbeb43c62f6a5528af6db3cb1ca2a71735a8e7a1451796f834e355c2

SHA512
ccee660cc4878301c743d3ebde4557dc180d8b6f77c97de5e36c95f6e4d2446ef7be28ebc787fdea2f2d817890ac7bdb713196c755a51677dc127cce77670026

Download Submit
C:\Windows\NvOptimizerLog\resources\regedit\vbs\regUtil.vbs
Filesize
7KB

MD5
77e85aa761f75466e78ce420fdf67a31

SHA1
4470bd4d215d7682828cbc5f7f64993c078b2caa

SHA256
350dea3d6c8e65372f8d12a5fd92a3a46a7519610c69564e8185a2ed66b00d59

SHA512
50af664777545ced78c34a6ea35dae542fdb85b8b307a4a4a95db25a808a695d3fe8840edb36325279c2381fbae071f6b509f7491185cef2f42afcb7672cfd13

Download Submit
C:\Windows\NvOptimizerLog\resources\regedit\vbs\util.vbs
Filesize
4KB

MD5
e2be267c02d51df566fa726fc8aa075a

SHA1
c9b9ae17f36e23d5d3cbbf2d6f17a954bfa87d24

SHA256
b2efd5e0c2f695063a8bce40c8182aa70f33c4b1b77d232b7530d89fb9646f0c

SHA512
b6f80622a9f61f636f7786d91a1b9e06a64602f0898425e90a1a696d0a4855c8c08cbd6e6b98b9a3a1a24de354b26260247953b5273f7d57ea87294b4b142e8a

Download Submit
C:\Windows\NvOptimizerLog\resources\vlc\installer.exe
Filesize
42.4MB

MD5
14becb7840eb1d3d46071d2ee65c7be8

SHA1
ff6e6f9359127f836a03dfc2b8bc9ba651c627c4

SHA256
9737843c119905be767de5e94e398be1eb145b0cc6a5a02f057d4022b80da4d8

SHA512
717289d3b514f4daa6b1cf97705c876bbe89fa215084ba8e1abeef3770e0a620d04127ef8de1f2d89477e1fab355526ed584ed3f9c7ecaf0c7d24a9bceee8248

Download Submit
C:\Windows\NvOptimizerLog\v8_context_snapshot.bin
Filesize
160KB

MD5
b64c1fc7d75234994012c86dc5af10a6

SHA1
d0d562b5735d28381d59d0d86078ff6b493a678e

SHA256
31c3aa5645b5487bf484fd910379003786523f3063e946ef9b50d257d0ee5790

SHA512
6218fcb74ef715030a2dd718c87b32f41e976dd4ce459c54a45341ee0f5ca5c927ad507d3afcffe7298b989e969885ed7fb72030ea59387609e8bd5c4b8eb60a

Download Submit
\??\pipe\LOCAL\crashpad_4480_LVHSDJWXQLSQGPGK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1168-501-0x0000021FBAB20000-0x0000021FBAB30000-memory.dmp

Filesize
64KB

Download
memory/1168-504-0x00007FFFC8F10000-0x00007FFFC99D1000-memory.dmp

Filesize
10.8MB

Download
memory/1168-489-0x0000021FBAB20000-0x0000021FBAB30000-memory.dmp

Filesize
64KB

Download
memory/1168-487-0x00007FFFC8F10000-0x00007FFFC99D1000-memory.dmp

Filesize
10.8MB

Download
memory/1168-488-0x0000021FBAB20000-0x0000021FBAB30000-memory.dmp

Filesize
64KB

Download
memory/2280-467-0x000002A76EA20000-0x000002A76EA30000-memory.dmp

Filesize
64KB

Download
memory/2280-466-0x000002A76EA20000-0x000002A76EA30000-memory.dmp

Filesize
64KB

Download
memory/2280-465-0x00007FFFC8F10000-0x00007FFFC99D1000-memory.dmp

Filesize
10.8MB

Download
memory/2280-485-0x00007FFFC8F10000-0x00007FFFC99D1000-memory.dmp

Filesize
10.8MB

Download
memory/2280-482-0x000002A76EA20000-0x000002A76EA30000-memory.dmp

Filesize
64KB

Download
memory/2784-449-0x0000024331ED0000-0x0000024331EE0000-memory.dmp

Filesize
64KB

Download
memory/2784-447-0x0000024331FE0000-0x0000024332002000-memory.dmp

Filesize
136KB

Download
memory/2784-448-0x00007FFFC8F10000-0x00007FFFC99D1000-memory.dmp

Filesize
10.8MB

Download
memory/2784-450-0x0000024331ED0000-0x0000024331EE0000-memory.dmp

Filesize
64KB

Download
memory/2784-460-0x00007FFFC8F10000-0x00007FFFC99D1000-memory.dmp

Filesize
10.8MB

Download
memory/2784-451-0x00000243321C0000-0x0000024332204000-memory.dmp

Filesize
272KB

Download
memory/2784-454-0x0000024332410000-0x000002433243A000-memory.dmp

Filesize
168KB

Download
memory/2784-455-0x0000024332410000-0x0000024332434000-memory.dmp

Filesize
144KB

Download
memory/2784-452-0x0000024332490000-0x0000024332506000-memory.dmp

Filesize
472KB

Download
memory/2796-523-0x00007FFFC8F10000-0x00007FFFC99D1000-memory.dmp

Filesize
10.8MB

Download
memory/2796-529-0x000001CB7DD30000-0x000001CB7DD40000-memory.dmp

Filesize
64KB

Download
memory/2796-537-0x00007FFFC8F10000-0x00007FFFC99D1000-memory.dmp

Filesize
10.8MB

Download
memory/2904-521-0x00007FFFC8F10000-0x00007FFFC99D1000-memory.dmp

Filesize
10.8MB

Download
memory/2904-511-0x0000020CA9A30000-0x0000020CA9A40000-memory.dmp

Filesize
64KB

Download
memory/2904-509-0x0000020CA9A30000-0x0000020CA9A40000-memory.dmp

Filesize
64KB

Download
memory/2904-508-0x00007FFFC8F10000-0x00007FFFC99D1000-memory.dmp

Filesize
10.8MB

Download
memory/3668-446-0x00000000745E0000-0x00000000745E9000-memory.dmp

Filesize
36KB

Download
memory/3668-444-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3668-445-0x00000000745F0000-0x00000000745FE000-memory.dmp

Filesize
56KB

Download
memory/4892-376-0x00007FFFEA960000-0x00007FFFEA961000-memory.dmp

Filesize
4KB

Download