hxxps://filestorezz[.]com/download?src=xy3&app=vlc&clid=4JIocO0LqwsQ&camp=10178&e1=&e2=

Analysis

max time kernel
112s
max time network
113s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
24/04/2024, 11:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://filestorezz.com/download?src=xy3&app=vlc&clid=4JIocO0LqwsQ&camp=10178&e1=&e2=

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
956	Setup-v-bpak6xn.exe
3144	VLC.exe
4412	VLC.exe
2448	VLC.exe
560	VLC.exe
2860	installer.exe

Loads dropped DLL 21 IoCs

pid	Process
956	Setup-v-bpak6xn.exe
956	Setup-v-bpak6xn.exe
956	Setup-v-bpak6xn.exe
956	Setup-v-bpak6xn.exe
956	Setup-v-bpak6xn.exe
956	Setup-v-bpak6xn.exe
956	Setup-v-bpak6xn.exe
956	Setup-v-bpak6xn.exe
956	Setup-v-bpak6xn.exe
956	Setup-v-bpak6xn.exe
3144	VLC.exe
2448	VLC.exe
4412	VLC.exe
560	VLC.exe
4412	VLC.exe
4412	VLC.exe
4412	VLC.exe
2860	installer.exe
2860	installer.exe
2860	installer.exe
2860	installer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\NvWinSearchOptimizer.ps1	VLC.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\NvOptimizerLog\locales\sk.pak	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\vendor\win32\Elevate\Elevate.rc	Setup-v-bpak6xn.exe
File opened for modification	C:\Windows\NvOptimizerLog\swiftshader\libGLESv2.dll	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\locales\es.pak	Setup-v-bpak6xn.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\et.pak	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\v8_context_snapshot.bin	Setup-v-bpak6xn.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\assets	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\resources\regedit\vbs\regCreateKey.wsf	Setup-v-bpak6xn.exe
File opened for modification	C:\Windows\NvOptimizerLog\LICENSE.electron.txt	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\resources\vlc\installer.exe	Setup-v-bpak6xn.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\chrome_200_percent.pak	Setup-v-bpak6xn.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\regedit\vbs\regDeleteKey.wsf	Setup-v-bpak6xn.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\assets\osx.png	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\gksudo	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\locales\kn.pak	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\assets\win32.png	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\applet.app\LICENSE	Setup-v-bpak6xn.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\elevate.exe	Setup-v-bpak6xn.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\applet.app\Contents	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\locales\he.pak	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\locales\hu.pak	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\locales\lt.pak	Setup-v-bpak6xn.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\LICENSE	Setup-v-bpak6xn.exe
File opened for modification	C:\Windows\NvOptimizerLog\v8_context_snapshot.bin	Setup-v-bpak6xn.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\locales\en-GB.pak	Setup-v-bpak6xn.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\applet.app\LICENSE	Setup-v-bpak6xn.exe
File opened for modification	C:\Windows\NvOptimizerLog\vulkan-1.dll	Setup-v-bpak6xn.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\de.pak	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\applet.app\Contents\Info.plist	Setup-v-bpak6xn.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\pt-PT.pak	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\applet.app\Contents\Resources\applet.rsrc	Setup-v-bpak6xn.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\regedit\vbs\util.vbs	Setup-v-bpak6xn.exe
File opened for modification	C:\Windows\NvOptimizerLog\swiftshader\libEGL.dll	Setup-v-bpak6xn.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo	Setup-v-bpak6xn.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\applet.app\Contents\Info.plist	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\vendor\win32\Elevate\stdafx.h	Setup-v-bpak6xn.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\vendor\win32\Elevate\stdafx.h	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\resources\regedit\vbs\JsonSafeTest.wsf	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\locales\ru.pak	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\applet.app\Contents\Resources\applet.rsrc	Setup-v-bpak6xn.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules	Setup-v-bpak6xn.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\vi.pak	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\resources\regedit\vbs\regPutValue.wsf	Setup-v-bpak6xn.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\regedit\vbs\regUtil.vbs	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\locales\ro.pak	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\locales\uk.pak	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\locales\bn.pak	Setup-v-bpak6xn.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\nb.pak	Setup-v-bpak6xn.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\nl.pak	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\locales\zh-TW.pak	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\assets\osx.png	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\resources\regedit\vbs\regListStream.wsf	Setup-v-bpak6xn.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\applet.app\Contents	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\LICENSES.chromium.html	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\vendor\win32\Elevate\Elevate.vcxproj.filters	Setup-v-bpak6xn.exe
File opened for modification	C:\Windows\NvOptimizerLog\resources\regedit\vbs\ArchitectureAgnosticRegistry.vbs	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\elevate.exe	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\locales\et.pak	Setup-v-bpak6xn.exe
File created	C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\dist\bin\applet.app\Contents\PkgInfo	Setup-v-bpak6xn.exe
File opened for modification	C:\Windows\NvOptimizerLog\locales\kn.pak	Setup-v-bpak6xn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5484	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5916	systeminfo.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133584321830171881"	chrome.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 897608.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Setup-v-bpak6xn.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
2716	msedge.exe
2716	msedge.exe
2724	msedge.exe
2724	msedge.exe
992	msedge.exe
992	msedge.exe
1704	identity_helper.exe
1704	identity_helper.exe
2544	msedge.exe
2544	msedge.exe
956	Setup-v-bpak6xn.exe
956	Setup-v-bpak6xn.exe
956	Setup-v-bpak6xn.exe
956	Setup-v-bpak6xn.exe
956	Setup-v-bpak6xn.exe
956	Setup-v-bpak6xn.exe
956	Setup-v-bpak6xn.exe
2448	VLC.exe
2448	VLC.exe
560	VLC.exe
560	VLC.exe
5756	powershell.exe
5756	powershell.exe
5756	powershell.exe
6024	powershell.exe
6024	powershell.exe
6024	powershell.exe
3480	powershell.exe
3480	powershell.exe
3480	powershell.exe
5480	powershell.exe
5480	powershell.exe
5480	powershell.exe
5480	powershell.exe
5780	powershell.exe
5780	powershell.exe
5780	powershell.exe
2860	installer.exe
2860	installer.exe
2860	installer.exe
2860	installer.exe
2860	installer.exe
5636	chrome.exe
5636	chrome.exe
2860	installer.exe
2860	installer.exe
2860	installer.exe
2860	installer.exe
2860	installer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	956	Setup-v-bpak6xn.exe
Token: SeDebugPrivilege	5756	powershell.exe
Token: SeIncreaseQuotaPrivilege	5756	powershell.exe
Token: SeSecurityPrivilege	5756	powershell.exe
Token: SeTakeOwnershipPrivilege	5756	powershell.exe
Token: SeLoadDriverPrivilege	5756	powershell.exe
Token: SeSystemProfilePrivilege	5756	powershell.exe
Token: SeSystemtimePrivilege	5756	powershell.exe
Token: SeProfSingleProcessPrivilege	5756	powershell.exe
Token: SeIncBasePriorityPrivilege	5756	powershell.exe
Token: SeCreatePagefilePrivilege	5756	powershell.exe
Token: SeBackupPrivilege	5756	powershell.exe
Token: SeRestorePrivilege	5756	powershell.exe
Token: SeShutdownPrivilege	5756	powershell.exe
Token: SeDebugPrivilege	5756	powershell.exe
Token: SeSystemEnvironmentPrivilege	5756	powershell.exe
Token: SeRemoteShutdownPrivilege	5756	powershell.exe
Token: SeUndockPrivilege	5756	powershell.exe
Token: SeManageVolumePrivilege	5756	powershell.exe
Token: 33	5756	powershell.exe
Token: 34	5756	powershell.exe
Token: 35	5756	powershell.exe
Token: 36	5756	powershell.exe
Token: SeDebugPrivilege	6024	powershell.exe
Token: SeIncreaseQuotaPrivilege	6024	powershell.exe
Token: SeSecurityPrivilege	6024	powershell.exe
Token: SeTakeOwnershipPrivilege	6024	powershell.exe
Token: SeLoadDriverPrivilege	6024	powershell.exe
Token: SeSystemProfilePrivilege	6024	powershell.exe
Token: SeSystemtimePrivilege	6024	powershell.exe
Token: SeProfSingleProcessPrivilege	6024	powershell.exe
Token: SeIncBasePriorityPrivilege	6024	powershell.exe
Token: SeCreatePagefilePrivilege	6024	powershell.exe
Token: SeBackupPrivilege	6024	powershell.exe
Token: SeRestorePrivilege	6024	powershell.exe
Token: SeShutdownPrivilege	6024	powershell.exe
Token: SeDebugPrivilege	6024	powershell.exe
Token: SeSystemEnvironmentPrivilege	6024	powershell.exe
Token: SeRemoteShutdownPrivilege	6024	powershell.exe
Token: SeUndockPrivilege	6024	powershell.exe
Token: SeManageVolumePrivilege	6024	powershell.exe
Token: 33	6024	powershell.exe
Token: 34	6024	powershell.exe
Token: 35	6024	powershell.exe
Token: 36	6024	powershell.exe
Token: SeDebugPrivilege	3480	powershell.exe
Token: SeIncreaseQuotaPrivilege	3480	powershell.exe
Token: SeSecurityPrivilege	3480	powershell.exe
Token: SeTakeOwnershipPrivilege	3480	powershell.exe
Token: SeLoadDriverPrivilege	3480	powershell.exe
Token: SeSystemProfilePrivilege	3480	powershell.exe
Token: SeSystemtimePrivilege	3480	powershell.exe
Token: SeProfSingleProcessPrivilege	3480	powershell.exe
Token: SeIncBasePriorityPrivilege	3480	powershell.exe
Token: SeCreatePagefilePrivilege	3480	powershell.exe
Token: SeBackupPrivilege	3480	powershell.exe
Token: SeRestorePrivilege	3480	powershell.exe
Token: SeShutdownPrivilege	3480	powershell.exe
Token: SeDebugPrivilege	3480	powershell.exe
Token: SeSystemEnvironmentPrivilege	3480	powershell.exe
Token: SeRemoteShutdownPrivilege	3480	powershell.exe
Token: SeUndockPrivilege	3480	powershell.exe
Token: SeManageVolumePrivilege	3480	powershell.exe
Token: 33	3480	powershell.exe

Suspicious use of FindShellTrayWindow 61 IoCs

pid	Process
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
956	Setup-v-bpak6xn.exe
3144	VLC.exe
2448	VLC.exe
4412	VLC.exe
560	VLC.exe
2860	installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 4824	2724	msedge.exe	81
PID 2724 wrote to memory of 4824	2724	msedge.exe	81
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 232	2724	msedge.exe	82
PID 2724 wrote to memory of 2716	2724	msedge.exe	83
PID 2724 wrote to memory of 2716	2724	msedge.exe	83
PID 2724 wrote to memory of 1868	2724	msedge.exe	84
PID 2724 wrote to memory of 1868	2724	msedge.exe	84
PID 2724 wrote to memory of 1868	2724	msedge.exe	84
PID 2724 wrote to memory of 1868	2724	msedge.exe	84
PID 2724 wrote to memory of 1868	2724	msedge.exe	84
PID 2724 wrote to memory of 1868	2724	msedge.exe	84
PID 2724 wrote to memory of 1868	2724	msedge.exe	84
PID 2724 wrote to memory of 1868	2724	msedge.exe	84
PID 2724 wrote to memory of 1868	2724	msedge.exe	84
PID 2724 wrote to memory of 1868	2724	msedge.exe	84
PID 2724 wrote to memory of 1868	2724	msedge.exe	84
PID 2724 wrote to memory of 1868	2724	msedge.exe	84
PID 2724 wrote to memory of 1868	2724	msedge.exe	84
PID 2724 wrote to memory of 1868	2724	msedge.exe	84
PID 2724 wrote to memory of 1868	2724	msedge.exe	84
PID 2724 wrote to memory of 1868	2724	msedge.exe	84
PID 2724 wrote to memory of 1868	2724	msedge.exe	84
PID 2724 wrote to memory of 1868	2724	msedge.exe	84
PID 2724 wrote to memory of 1868	2724	msedge.exe	84
PID 2724 wrote to memory of 1868	2724	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://filestorezz.com/download?src=xy3&app=vlc&clid=4JIocO0LqwsQ&camp=10178&e1=&e2=
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd08de3cb8,0x7ffd08de3cc8,0x7ffd08de3cd8
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,8818700886205770635,6826457951799758595,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,8818700886205770635,6826457951799758595,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,8818700886205770635,6826457951799758595,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  2⤵
  PID:1868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8818700886205770635,6826457951799758595,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8818700886205770635,6826457951799758595,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,8818700886205770635,6826457951799758595,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8818700886205770635,6826457951799758595,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,8818700886205770635,6826457951799758595,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,8818700886205770635,6826457951799758595,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6088 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,8818700886205770635,6826457951799758595,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2544
- C:\Users\Admin\Downloads\Setup-v-bpak6xn.exe
  "C:\Users\Admin\Downloads\Setup-v-bpak6xn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8818700886205770635,6826457951799758595,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
  2⤵
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8818700886205770635,6826457951799758595,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8818700886205770635,6826457951799758595,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8818700886205770635,6826457951799758595,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8818700886205770635,6826457951799758595,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2600 /prefetch:1
  2⤵
  PID:5584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8818700886205770635,6826457951799758595,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:1484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1756

C:\Windows\NvOptimizerLog\VLC.exe
"C:\Windows\NvOptimizerLog\VLC.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3144
- C:\Windows\NvOptimizerLog\VLC.exe
  "C:\Windows\NvOptimizerLog\VLC.exe" --type=gpu-process --field-trial-handle=1492,3997665566087032145,10308359885933011842,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1500 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:4412
- C:\Windows\NvOptimizerLog\VLC.exe
  "C:\Windows\NvOptimizerLog\VLC.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1492,3997665566087032145,10308359885933011842,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1892 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2448
- C:\Windows\NvOptimizerLog\VLC.exe
  "C:\Windows\NvOptimizerLog\VLC.exe" --type=renderer --field-trial-handle=1492,3997665566087032145,10308359885933011842,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Windows\NvOptimizerLog\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2148 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "chcp"
    3⤵
    PID:5600
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:5640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6024
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "SCHTASKS /Create /TN "NvOptimizerTaskUpdater_V2" /SC HOURLY /TR "powershell -File C:/Windows/System32/NvWinSearchOptimizer.ps1" /RL HIGHEST /MO 4 /RU System /ST 11:39"
    3⤵
    PID:5452
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /Create /TN "NvOptimizerTaskUpdater_V2" /SC HOURLY /TR "powershell -File C:/Windows/System32/NvWinSearchOptimizer.ps1" /RL HIGHEST /MO 4 /RU System /ST 11:39
      4⤵
      Creates scheduled task(s)
      PID:5484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Set-ExecutionPolicy -ExecutionPolicy Unrestricted"
    3⤵
    PID:2912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-ExecutionPolicy -ExecutionPolicy Unrestricted
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ExecutionPolicy"
    3⤵
    PID:2216
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ExecutionPolicy
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "systeminfo"
    3⤵
    PID:5808
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:5916
- - C:\Windows\system32\cscript.exe
    cscript.exe
    3⤵
    PID:5248
- - C:\Windows\system32\cscript.exe
    cscript.exe //Nologo resources\regedit\vbs\regList.wsf A HKCU\SOFTWARE\NvOptimizer
    3⤵
    PID:5320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "start chrome "https://mediatrackerr.com/track-install?s=vlc&u=72f7120b-2820-4f6c-8629-0d154a9e0b2a&f=Setup-v-bpak6xn.exe""
    3⤵
    PID:5492
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://mediatrackerr.com/track-install?s=vlc&u=72f7120b-2820-4f6c-8629-0d154a9e0b2a&f=Setup-v-bpak6xn.exe"
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:5636
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffcf599ab58,0x7ffcf599ab68,0x7ffcf599ab78
        5⤵
        
        PID:5576
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1536 --field-trial-handle=2368,i,2794145698017074395,6148702109987628436,131072 /prefetch:2
        5⤵
        
        PID:5692
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1752 --field-trial-handle=2368,i,2794145698017074395,6148702109987628436,131072 /prefetch:8
        5⤵
        
        PID:5716
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1908 --field-trial-handle=2368,i,2794145698017074395,6148702109987628436,131072 /prefetch:8
        5⤵
        
        PID:5720
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=2368,i,2794145698017074395,6148702109987628436,131072 /prefetch:1
        5⤵
        
        PID:5252
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3032 --field-trial-handle=2368,i,2794145698017074395,6148702109987628436,131072 /prefetch:1
        5⤵
        
        PID:5412
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4000 --field-trial-handle=2368,i,2794145698017074395,6148702109987628436,131072 /prefetch:1
        5⤵
        
        PID:4652
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 --field-trial-handle=2368,i,2794145698017074395,6148702109987628436,131072 /prefetch:8
        5⤵
        
        PID:2444
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3032 --field-trial-handle=2368,i,2794145698017074395,6148702109987628436,131072 /prefetch:8
        5⤵
        
        PID:5240
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3296 --field-trial-handle=2368,i,2794145698017074395,6148702109987628436,131072 /prefetch:8
        5⤵
        
        PID:5764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mediatrackerr.com/track-install?s=vlc&u=72f7120b-2820-4f6c-8629-0d154a9e0b2a&f=Setup-v-bpak6xn.exe
    3⤵
    PID:5612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffd08de3cb8,0x7ffd08de3cc8,0x7ffd08de3cd8
      4⤵
      PID:1824
- C:\Windows\NvOptimizerLog\resources\vlc\installer.exe
  resources/vlc/installer.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2860

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5248

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
1e6ba6eff7d56ff576dc170481f6349c

SHA1
481d853a80a6f374623e969e857896e8bc3a7caa

SHA256
022cc6ce9c9d7ec858818f0a01174e8a7209e454f63041e0ccbd46cfb63b530d

SHA512
7bf9e1f625efe08a4af0b3a83958004a803438d6ba2782e740c9f547927f6cc85d653767a12b7982e8000fd38c3d62dccac829f3220a65b2ec80e983e077ce9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
696f07ace0c49a48e9243e56363ac0a5

SHA1
571dfdcef491adc123e393ded9538d2a759f9c04

SHA256
ad8ba0acf7185e43fb3c051928e12b914cf209bba65028211b32a6968ee5dc47

SHA512
8c28114bd67756c86e329cee1358c12bd16db01122d29ba5d098cdddcee290383f58dbf03d80c6105835dcc696434c82002fcb1abc2073119d84a7db4e08b038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
82f859f90ba7009ee5fa25ea9639f591

SHA1
aaed9b4034555fbc9ef157c172cd4b3eed3833c4

SHA256
a6fc50471ca5df903b02a09bc18a21f167ac9f66a274e071424cc9e9aa0debfa

SHA512
2f56b6b738c4baf29fb5ef5c3f226c229e12abe76ca010b74cf5446bf98b1f34841e92bba40713ff134ae328163b7c96a3e82fca20bf5afe41bced6264c53851

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
3bcd851ced312892b63eee89e5904999

SHA1
cfd6e94fef910463ec7148f0be94c30a0396994b

SHA256
6defb891f6d08436c697b17cb430fa2bf6e1be1a876e5086b1645d3c7e5a4d1d

SHA512
62ff8ad5d1a0bf9f149c5e3746e0966cb8ed04f1f8d0e5142db24837eb2381419dfaca5ec35f7469bfcffd8065f5daaab508d49e52486a0b2301e65858c2a93f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
e0906bb26295a624727fe30f1e7af775

SHA1
4305fa26ada2177315bf7ebb12359e304847122b

SHA256
d2bf4cb14f92d21ce03306ff050eed8d11d85b4a70a390923382e8af3e92c94c

SHA512
0d8c70a8a64266099224a9df356d029bb1460368d4b85cab8111c67c8f01ba367dc8096a10f0a2093cda60f4105bdb1810cd205085b227c8f4b1cee89aafb1eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
b5dc66f2cf9c1840275acb7ee50037ad

SHA1
293eaf98e10389a2fb04d85a610063803413b132

SHA256
3e2a83cb9eff6279076bfd04a4654432ec096cab2c051b51531951dd1cd63701

SHA512
494c7ff8f11f6131e413b1527f902f388aef52e6e95a630e5de78d074f496a2db3e0a4ae2644837ef2a7cb073d7df5e6ae298082d19600f3ebc0813ad41a2292

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
05850c6c0442ea6966fe2a888f219f4b

SHA1
e6b1c8eb783b307672a6f06b785a7e9b78633b46

SHA256
f51b54c5f5074076216b2d0a3e66c13e80d8f1da311614ec15c9170dff11ad5a

SHA512
9db20e00e103700f67256568e38f9b37f29af3c30f3454a38b3e033c6c2f6bd796c5b5a8c5faa98bb45d7521d76c2bf323d503b8a0196cacbd701167d441c6f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1a9c7fa806c60a3c2ed8a7829b1461f

SHA1
376cafc1b1b6b2a70cd56455124554c21b25c683

SHA256
1eb39b1409ce78188c133089bf3660393ac043b5baade7ff322df5a0ca95380b

SHA512
e1cb2f84b5cbd86b107c0a9ec0356ab65a54c91208f9f8e83fec64bf17ae89356a09b0cd39d2726424f4041d7b25b962c23672b8645c2e10f11ff4d2075f4afd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f3f6e86c8b7bdc605f5559df800bfd34

SHA1
862d05bfba760ae8adcbb509216dc18ead59a6b2

SHA256
5dfe9be21d4916615025055f1a70151362bdb404b40f074685e39b33ad545a78

SHA512
de576ebf0cbe1c5e7639c42517253796cf4b5770298271ac2e6958404998f2d6b8e3378a535f2f316f4020fd8e60b5cc9c1b6b5171d307ca3215afe8ac47a7c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
a5993402e967e47c03a866803a08a6d0

SHA1
18b584603df37ef2d0d9f646aebcf1aff97db892

SHA256
7c8a47e66c81d2b342329d0d7a2052531f8af56ab84edd539beb411db93155a1

SHA512
619daee9a4e020145eeda7f874cc3dffaf18b9df72522999a3182388f9fda21a0d7c0a936c2359e80ab0751586008dc9c72b92b2985be21d27601aeaa867eeaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
183B

MD5
2417b2396275a97ee6d56157918c10d9

SHA1
09e4dfc23a69e618e33c5b9542ff9650a0adee71

SHA256
263a732885f8f6a60905681cdddf84cb67faf91ea16e54a83db9d9b691068839

SHA512
bbb59026e48a59a325514efaecd673e8ecebf3ad74d59c7c5ec93022e0f8b6fb90d7ced06fa51c8f903b24f7c99391627f123aba89f50697cf488d8df34bc798

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
916f84957ae9594fd47b3b62342b4bec

SHA1
9325378187e04910c067b286fbc8d50c31c842e8

SHA256
03eb6a27c6930e74a7133245148142967ec5079c8f9c63c1b1c7497262ee7eab

SHA512
f910cb86198a23b356dd03ac0bb29f3f961ff115d554b8d6a8ab5a291e5faf6aeda22efa9670f4042cb60b13691aac6c11b5ce2c37e47a63d62b28871e6b731d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9220a88acac7ff41d7456a849b8d930c

SHA1
eca79ec6f8283ad74b6d9f2bd908937b9381aaa5

SHA256
e5daa90905dc327eeccb5084dc2fbe9ea5243d5cc942871c13b7160d0ea36313

SHA512
9ad05636fdd7c1be8b10cd671e58bb81d68f2522ace2825cf7d09a7233d5bf5a0887f8854fbae3dbb32bf2352e9bb24396390170bc9fb898fc51d488e40d6c1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1b8dbbd3526c33f62daf274559612c99

SHA1
6d1521e978f8a83dffc2fd2a07be8f92fdf4b064

SHA256
2f290e850cb4b403b7b9d00e7de420f476a0c8247adf4ebe8a8e6be81150f0c2

SHA512
f73187d3169a50b7b5291bb5b4beace729f2c72b0f5ec6a2c47a173ab43a33be7b127b8013912c72e5379a1631d5e5e6fc1e6ba92c05c9750ecf3d91ecbece5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
110baea7f92d0faaae7fc3c9c17da1a6

SHA1
c01a57eb9670ad8cd1c1ff2faac98442027f2a0a

SHA256
b4a58e423ec5fa66df78675d0bce8b25d71b02964b19a7ff2df7b616f4724644

SHA512
04734ac44888ac578d4ea9ddd0d5116e596debb5ae8d4aa3d1f30d55cdf36ab539576ef891a5904a40ff869dfbbc501576669b4c7e341566907c92043049a1f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b905be60b07cdd500ff8ac575a3e193f

SHA1
7ed6648f7c80b632082182f16e2a7df9f2a54ab8

SHA256
d1c7c1c9f55ab1c934984926480cc6b3505148e1aaadc62408aa39a6d6c45889

SHA512
d04fbcfdb925708a7c2a75eb1c7c69ff3e472abae0ec2d45aac7240748b9ae9beb1245175f8130a5521013a2e5a59fadca5613a3dd06ca4373468b896afc91ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8e14235b46666fe4390a5af8ac1b8080

SHA1
cf02018d08958d8e3ed9dce3f84f9bafaa7bd2c7

SHA256
44a3b7b67cd71e14ccd2cd0fb490af8ef5c09cda6a55cf641da0252cfc80bcec

SHA512
53d809bae567bc7b3777b056fe67f3b667c8eed20ac34c1f57afec3deaa3d7c65fdb42048e2b6e5906d4cae667318f434bf00808ae394d2f0f5df169cb320afe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
f63dfcf3ea8cfce176fcc7be95984d39

SHA1
150e86670df72d29b07be0624894409609f9cb4a

SHA256
18061fac3a437c8803594c9280e5e3b142d84e4435d56338daf18c0adfeedadf

SHA512
b4795e0951abe59cd99447e48b2db294ab892bc6121474d739cd8450e60d7bca2e0392144ebeaaace9b01974cd1706769e3b78be7a13e10e449d262b724a349c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
0254494a4c89bf8f623066957ccb7ea1

SHA1
0a31bf0f80c2e5caaf36fdf4266b72379cfb3751

SHA256
ffda9233d24b63e14924cddc16d3885111c7cf09abe840547c0a266c2000687f

SHA512
8f8c04122ae09f4a544d482eb72c30fc6d1ae9840e4247eb9e7a5cbe6e912fbff9132afc78974509923c24c30a8049199d43d83aba49b8a66ab78316546673bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
f529059636e4c455144f3297e6dc45bc

SHA1
53b3563a8685735fe9b26b88ae8a6d1e0e22987a

SHA256
cc75847d0153a924c2f4cec64901acb5f12d1f030ce509bed0a1aff5a3fbe997

SHA512
f4da1414f8976830a993e9e32e41cec6454d95ab08611828dc6ffc93c31e4681d60fa7f700f3433bd528b8aac7c6f9391134f4a3013ffac4847111e611bfa18c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\.ses

Filesize
53B

MD5
28356ef329fe8c08135e07064b3a84d4

SHA1
1ada054d32490581ab4e3d6997e473fdfec43bfd

SHA256
d1da2bb0cd6e31125865c333d80805871323a39e482a036dc498db7c298b8108

SHA512
d3e9ef63604361c3dc22bb040c3fc0b61f872007b545643012244d40f81403f6deb326d20eae0cc86bebc53930c74091790bcd4f3a1244ab5cd1c284bda07abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v0op0knk.c4i.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbAEB0.tmp\INetC.dll

Filesize
238KB

MD5
38caa11a462b16538e0a3daeb2fc0eaf

SHA1
c22a190b83f4b6dc0d6a44b98eac1a89a78de55c

SHA256
ed04a4823f221e9197b8f3c3da1d6859ff5b176185bde2f1c923a442516c810a

SHA512
777135e05e908ac26bfce0a9c425b57f7132c1cdb0969bbb6ef625748c868860602bacc633c61cab36d0375b94b6bcfbd8bd8c7fa781495ef7332e362f8d44d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbAEB0.tmp\SpiderBanner.dll

Filesize
9KB

MD5
17309e33b596ba3a5693b4d3e85cf8d7

SHA1
7d361836cf53df42021c7f2b148aec9458818c01

SHA256
996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

SHA512
1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbAEB0.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbAEB0.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbAEB0.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbAEB0.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbAEB0.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbAEB0.tmp\package.7z

Filesize
99.0MB

MD5
fdfe1ece23e984d00402431d082d768e

SHA1
9405760465c3f8abc4d08473219deea9d902e2e6

SHA256
99168cc1971f35f0cea1ac61d90e3aef6cc177a510bb90203350ac2c808c73ee

SHA512
d0979e9359d7c15910522aefb5e5e23eeaacf0335fa299e09c9c6ddc962c1a224bdf3372d0f286b181182fc893bcd93558e360fb6f6645613c9a0875a89a8b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl3B7F.tmp\LangDLL.dll

Filesize
7KB

MD5
20850d4d5416fbfd6a02e8a120f360fc

SHA1
ac34f3a34aaa4a21efd6a32bc93102639170e219

SHA256
860b409b065b747aab2a9937f02d08b6fd7309993b50d8e4b53983c8c2b56b61

SHA512
c8048b9ae0ced72a384c5ab781083a76b96ae08d5c8a5c7797f75a7e54e9cd9192349f185ee88c9cf0514fc8d59e37e01d88b9c8106321c0581659ebe1d1c276

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl3B7F.tmp\System.dll

Filesize
26KB

MD5
4f25d99bf1375fe5e61b037b2616695d

SHA1
958fad0e54df0736ddab28ff6cb93e6ed580c862

SHA256
803931797d95777248dee4f2a563aed51fe931d2dd28faec507c69ed0f26f647

SHA512
96a8446f322cd62377a93d2088c0ce06087da27ef95a391e02c505fb4eb1d00419143d67d89494c2ef6f57ae2fd7f049c86e00858d1b193ec6dde4d0fe0e3130

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl3B7F.tmp\nsDialogs.dll

Filesize
12KB

MD5
2029c44871670eec937d1a8c1e9faa21

SHA1
e8d53b9e8bc475cc274d80d3836b526d8dd2747a

SHA256
a4ae6d33f940a80e8fe34537c5cc1f8b8679c979607969320cfb750c15809ac2

SHA512
6f151c9818ac2f3aef6d4cabd8122c7e22ccf0b84fa5d4bcc951f8c3d00e8c270127eac1e9d93c5f4594ac90de8aff87dc6e96562f532a3d19c0da63a28654b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl3B7F.tmp\nsProcess.dll

Filesize
35KB

MD5
764371d831841fe57172aa830d22149d

SHA1
680e20e9b98077dea32b083b5c746d8de35e0584

SHA256
93df9e969053ca77c982c6e52b7f2898d22777a8c50274b54303eaa0ef5ccded

SHA512
19076205eba08df978ad17f8176d3a5a17c4ea684460894b6a80cae7e48fcae5e9493ff745d88d62fd44fc17bcda838570add6c38bebe4962d575f060f1584f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\VLC\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\VLC\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Roaming\VLC\Network Persistent State~RFe58728b.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\Downloads\Setup-v-bpak6xn.exe:Zone.Identifier

Filesize
121B

MD5
39e91c9b7f5d89fbb03d6273a6c5aefe

SHA1
d842fdb435f86fcabbb0598c3b602bc01260fb00

SHA256
a692d9d9307d5651baf39f1e388f23a80f4d575b611dd3d60d885619bcf6eb26

SHA512
5810868192d3f60d00a219cd8b179ff9905ea7bbe983921cac27bcbb87bbde1d00df715f87249824b9fc0b505b35896edb8065f03613dffdddfe8177570c2238

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 897608.crdownload

Filesize
704KB

MD5
d1fc9e6d71a4867ab71af5566e525ba0

SHA1
593b10280a926134839feb8e2f9d0da9ee9c0593

SHA256
21be0a068d7d1b57578bfb2ed850b3f3b1cfe4a4c47981ead95abdb8c20278fe

SHA512
c82a23e5e0e3a38e32fc08401890852a71ec90640bbfb944ed7d45812493a53d2be2c0e4373692e52c77d666b8ae72cd0d15c3dc4bc3cc52887ad4589820658d

Download Submit
C:\Windows\NvOptimizerLog\VLC.exe

Filesize
125.1MB

MD5
031021334754b192f286d0c1610ba5a1

SHA1
0cdc202ba17c952076c37c85eece7b678ebaeef9

SHA256
c11b411ae2ce44803a4a2e1f14afc93f11c8b111fdf0205639be5141a28f3a89

SHA512
eb0a34610e7479902d6498bcd75c71b4efed77b1b07dc44c22d1c59897b18f62d4399a710d29d9665b830a50c2f0703c5ecd5cdcd2751b50b4e416581ff08bea

Download Submit
C:\Windows\NvOptimizerLog\chrome_100_percent.pak

Filesize
123KB

MD5
a59ea69d64bf4f748401dc5a46a65854

SHA1
111c4cc792991faf947a33386a5862e3205b0cff

SHA256
f1a935db8236203cbc1dcbb9672d98e0bd2fa514429a3f2f82a26e0eb23a4ff9

SHA512
12a1d953df00b6464ecc132a6e5b9ec3b301c7b3cefe12cbcad27a496d2d218f89e2087dd01d293d37f29391937fcbad937f7d5cf2a6f303539883e2afe3dacd

Download Submit
C:\Windows\NvOptimizerLog\chrome_200_percent.pak

Filesize
183KB

MD5
1985b8fc603db4d83df72cfaeeac7c50

SHA1
5b02363de1c193827062bfa628261b1ec16bd8cf

SHA256
7f9ded50d81c50f9c6ed89591fa621fabbd45cef150c8aabcceb3b7a9de5603b

SHA512
27e90dd18cbce0e27c70b395895ef60a8d2f2f3c3f2ca38f48b7ecf6b0d5e6fefbe88df7e7c98224222b34ff0fbd60268fdec17440f1055535a79002044c955b

Download Submit
C:\Windows\NvOptimizerLog\d3dcompiler_47.dll

Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
C:\Windows\NvOptimizerLog\ffmpeg.dll

Filesize
2.7MB

MD5
5c2e6bcfcffc022cfb7e975ad4ce2ea4

SHA1
8f65334f554b02e206faecd2049d31ef678b321d

SHA256
d068695dc8f873caab1db51c179e9696dda2319fa05c0f2d281f9979e2054fc2

SHA512
b5fe0039e1702375a6e1f4ef7bfb24d0acc42c87d02202a488fccf3d161598549055d2ac0103c95dbbc0e46975aed30259edbfef7ce77d00f1de7c1670c00959

Download Submit
C:\Windows\NvOptimizerLog\icudtl.dat

Filesize
9.9MB

MD5
70499b58dc18e7ee1d7452a1d7a8bc6e

SHA1
41c5382f08c6a88670ce73a20c0dcdb3822f19e9

SHA256
02db39ba465fc8b7a4cd280732760f29911edde87b331bf7cea7677e94d483e0

SHA512
a80939e9809bb7d20f00ad685c94d5c182fa729616c975e605abf09afb58376be73a49fefa35b75ed1a284eccf208af7656c8df44c5959df7eaf51367d232dc6

Download Submit
C:\Windows\NvOptimizerLog\libEGL.dll

Filesize
436KB

MD5
2fe9e551c93156baf537483671ec4ad7

SHA1
08ce2344b2e0a78c2af637f0eae46b948661d5a5

SHA256
f231525ba1ea2522552a722620bced187357d66d945f0cec067c5d858950ea61

SHA512
f93181f1f2268cc380dafef02a93899cb9a19f3287a918bf6ba8eaa69190627d2e2fb0c82b693471e3ca63fbcb07c44212268c1357a5a4cf594a3bd8973eefd2

Download Submit
C:\Windows\NvOptimizerLog\libGLESv2.dll

Filesize
7.5MB

MD5
5967a9234ec54d734b31cfd12cb67faf

SHA1
536840ddb29ead51d43a506fd493b48c436097d6

SHA256
48ec76bac1ff6647096a9532ac21b4a0d7c6c9c24613971aaa201cce452ce4ce

SHA512
cf8e4c3a838b58a568639ab2778800d776e0171dc34e3b82f537adbadceaa3c292240ec7d8561b5a85df3caef6e001a07ac19e280a5bb8b0607f8ba767461479

Download Submit
C:\Windows\NvOptimizerLog\locales\en-US.pak

Filesize
85KB

MD5
6bbeeb72daebc3b0cbd9c39e820c87a9

SHA1
bd9ebec2d3fc03a2b27f128cf2660b33a3344f43

SHA256
ac1cdb4fb4d9fb27a908ed0e24cc9cc2bd885bc3ffba7e08b0b907fd4d1a8c4b

SHA512
66944fb1abcc2a7e08e5fd8a2cee53eb9da57653d7880aea226f25879e26379f7d745ebf62a3518378fa503f3a31b3ea3716f49fe4c7db4f4af0228b81b53a10

Download Submit
C:\Windows\NvOptimizerLog\resources.pak

Filesize
4.9MB

MD5
5507bc28022b806ea7a3c3bc65a1c256

SHA1
9f8d3a56fef7374c46cd3557f73855d585692b54

SHA256
367467609a389b67600628760c26732fc1a25f563f73263bc2c4bf6eec9033df

SHA512
ae698d4feacc3e908981ee44df3a9d76e42a39bf083eaf099442ace2b863f882b43232e26e2c18051ca7aec81dccef5742acc7b82fb0cda2e14086b14d5a9a26

Download Submit
C:\Windows\NvOptimizerLog\resources\app.asar

Filesize
4.6MB

MD5
040a8280b01b5a029e50c5d141d555ad

SHA1
ce103568d6ae6456f1d1d718929b6972c0bad1b4

SHA256
6b6309fe0c4ca9c73626f1435ed3332656d9e6b1e500fb85af0ebf9842813485

SHA512
6706c453509bf718d1870c98a49842743cf2e49d22225a3d33051808a3f1045c7d0c065ecafae75f1bb57b4ef4436aa76774ff6553fddf3739bc47d2e9400ce8

Download Submit
C:\Windows\NvOptimizerLog\resources\app.asar.unpacked\node_modules\electron-sudo\src\bin\libgksu2.so.0

Filesize
68KB

MD5
6dbc4226a62a578b815c4d4be3eda0d7

SHA1
eb23f90635a8366c5c992043ccf2dfb817cf6512

SHA256
0eb70bd4b911c9af7c1c78018742cadb0c5f9b6d394005eaeaa733da4b5766e5

SHA512
3a2836f712ad7048dbeb5b6eec8e163652f97bea521eafcff5c598cbedf062baefaa7079d3a614470ef99ec954dac518224cb3515ca14757721f96412443c7c4

Download Submit
C:\Windows\NvOptimizerLog\resources\regedit\vbs\ArchitectureAgnosticRegistry.vbs

Filesize
2KB

MD5
310a042dca2144c9cda556e9bc4b0c02

SHA1
d2032af7eea0dbd027a36e577567e85486496949

SHA256
caa82e59ca92629057791cb1e0ba0b74c90f561fac81b029033fc081a83431b0

SHA512
843d9f6f300caba8df41511473c43f4d5029fa0012e593677c83f196c8d595194d1409069fb4b8616e0118f37ba943bbe656b29de40f0ad70997ab610fd98db8

Download Submit
C:\Windows\NvOptimizerLog\resources\regedit\vbs\regList.wsf

Filesize
985B

MD5
cae7db4194de43346121a463596e4f4f

SHA1
f72843fa7e2a8d75616787b49f77b4380367ff26

SHA256
b65c5af7dbeb43c62f6a5528af6db3cb1ca2a71735a8e7a1451796f834e355c2

SHA512
ccee660cc4878301c743d3ebde4557dc180d8b6f77c97de5e36c95f6e4d2446ef7be28ebc787fdea2f2d817890ac7bdb713196c755a51677dc127cce77670026

Download Submit
C:\Windows\NvOptimizerLog\resources\regedit\vbs\regUtil.vbs

Filesize
7KB

MD5
77e85aa761f75466e78ce420fdf67a31

SHA1
4470bd4d215d7682828cbc5f7f64993c078b2caa

SHA256
350dea3d6c8e65372f8d12a5fd92a3a46a7519610c69564e8185a2ed66b00d59

SHA512
50af664777545ced78c34a6ea35dae542fdb85b8b307a4a4a95db25a808a695d3fe8840edb36325279c2381fbae071f6b509f7491185cef2f42afcb7672cfd13

Download Submit
C:\Windows\NvOptimizerLog\resources\regedit\vbs\util.vbs

Filesize
4KB

MD5
e2be267c02d51df566fa726fc8aa075a

SHA1
c9b9ae17f36e23d5d3cbbf2d6f17a954bfa87d24

SHA256
b2efd5e0c2f695063a8bce40c8182aa70f33c4b1b77d232b7530d89fb9646f0c

SHA512
b6f80622a9f61f636f7786d91a1b9e06a64602f0898425e90a1a696d0a4855c8c08cbd6e6b98b9a3a1a24de354b26260247953b5273f7d57ea87294b4b142e8a

Download Submit
C:\Windows\NvOptimizerLog\resources\vlc\installer.exe

Filesize
42.4MB

MD5
14becb7840eb1d3d46071d2ee65c7be8

SHA1
ff6e6f9359127f836a03dfc2b8bc9ba651c627c4

SHA256
9737843c119905be767de5e94e398be1eb145b0cc6a5a02f057d4022b80da4d8

SHA512
717289d3b514f4daa6b1cf97705c876bbe89fa215084ba8e1abeef3770e0a620d04127ef8de1f2d89477e1fab355526ed584ed3f9c7ecaf0c7d24a9bceee8248

Download Submit
C:\Windows\NvOptimizerLog\v8_context_snapshot.bin

Filesize
160KB

MD5
b64c1fc7d75234994012c86dc5af10a6

SHA1
d0d562b5735d28381d59d0d86078ff6b493a678e

SHA256
31c3aa5645b5487bf484fd910379003786523f3063e946ef9b50d257d0ee5790

SHA512
6218fcb74ef715030a2dd718c87b32f41e976dd4ce459c54a45341ee0f5ca5c927ad507d3afcffe7298b989e969885ed7fb72030ea59387609e8bd5c4b8eb60a

Download Submit
memory/2860-799-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2860-679-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2860-682-0x0000000074340000-0x000000007434C000-memory.dmp

Filesize
48KB

Download
memory/2860-680-0x00000000746A0000-0x00000000746AE000-memory.dmp

Filesize
56KB

Download
memory/2860-681-0x0000000074690000-0x000000007469B000-memory.dmp

Filesize
44KB

Download
memory/3480-626-0x00007FFCF20B0000-0x00007FFCF2B72000-memory.dmp

Filesize
10.8MB

Download
memory/3480-632-0x000002AADBEC0000-0x000002AADBED0000-memory.dmp

Filesize
64KB

Download
memory/3480-631-0x000002AADBEC0000-0x000002AADBED0000-memory.dmp

Filesize
64KB

Download
memory/3480-637-0x00007FFCF20B0000-0x00007FFCF2B72000-memory.dmp

Filesize
10.8MB

Download
memory/3480-633-0x000002AADBEC0000-0x000002AADBED0000-memory.dmp

Filesize
64KB

Download
memory/4412-494-0x00007FFD16560000-0x00007FFD16561000-memory.dmp

Filesize
4KB

Download
memory/5480-649-0x00007FFCF20B0000-0x00007FFCF2B72000-memory.dmp

Filesize
10.8MB

Download
memory/5480-652-0x000001A9CB4E0000-0x000001A9CB4F0000-memory.dmp

Filesize
64KB

Download
memory/5480-650-0x000001A9CB4E0000-0x000001A9CB4F0000-memory.dmp

Filesize
64KB

Download
memory/5480-653-0x00007FFCF20B0000-0x00007FFCF2B72000-memory.dmp

Filesize
10.8MB

Download
memory/5756-604-0x00007FFCF2000000-0x00007FFCF2AC2000-memory.dmp

Filesize
10.8MB

Download
memory/5756-594-0x0000020C3A4B0000-0x0000020C3A4D4000-memory.dmp

Filesize
144KB

Download
memory/5756-593-0x0000020C3A4B0000-0x0000020C3A4DA000-memory.dmp

Filesize
168KB

Download
memory/5756-590-0x0000020C3A0D0000-0x0000020C3A0E0000-memory.dmp

Filesize
64KB

Download
memory/5756-588-0x0000020C3A0D0000-0x0000020C3A0E0000-memory.dmp

Filesize
64KB

Download
memory/5756-589-0x0000020C3A0D0000-0x0000020C3A0E0000-memory.dmp

Filesize
64KB

Download
memory/5756-586-0x0000020C3A010000-0x0000020C3A032000-memory.dmp

Filesize
136KB

Download
memory/5756-587-0x00007FFCF2000000-0x00007FFCF2AC2000-memory.dmp

Filesize
10.8MB

Download
memory/5756-591-0x0000020C3A430000-0x0000020C3A476000-memory.dmp

Filesize
280KB

Download
memory/5780-656-0x00000178ED2A0000-0x00000178ED2B0000-memory.dmp

Filesize
64KB

Download
memory/5780-655-0x00007FFCF20B0000-0x00007FFCF2B72000-memory.dmp

Filesize
10.8MB

Download
memory/5780-657-0x00000178ED2A0000-0x00000178ED2B0000-memory.dmp

Filesize
64KB

Download
memory/5780-667-0x00000178ED2A0000-0x00000178ED2B0000-memory.dmp

Filesize
64KB

Download
memory/5780-670-0x00007FFCF20B0000-0x00007FFCF2B72000-memory.dmp

Filesize
10.8MB

Download
memory/6024-606-0x00007FFCF2000000-0x00007FFCF2AC2000-memory.dmp

Filesize
10.8MB

Download
memory/6024-620-0x00007FFCF2000000-0x00007FFCF2AC2000-memory.dmp

Filesize
10.8MB

Download
memory/6024-608-0x0000017FFE3C0000-0x0000017FFE3D0000-memory.dmp

Filesize
64KB

Download
memory/6024-607-0x0000017FFE3C0000-0x0000017FFE3D0000-memory.dmp

Filesize
64KB

Download