hijackloader | hxxp://vdeck[.]io

Analysis

max time kernel
195s
max time network
199s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2024 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://vdeck.io

Score

10^/10

hijackloader stealc cloregod28 credential_access defense_evasion discovery execution loader spyware stealer

Malware Config

Extracted

Family

stealc

Botnet

cloregod28

http://45.156.27.45

Attributes

url_path
/dc0de592dc0f725c.php

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3176-3925-0x0000000000B70000-0x0000000000C96000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

4448 powershell.exe
2800 powershell.exe
1804 powershell.exe
208 powershell.exe
Downloads MZ/PE file

pid	process
4448	powershell.exe
2800	powershell.exe
1804	powershell.exe
208	powershell.exe

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
C:\Program Files (x86)\VDeck\VDeck.dll	net_reactor

Executes dropped EXE 5 IoCs

Processes:

VDeck Setup.exeVDeck.exesnss1.exesnss2.exesnss2.exe

pid process

1148 VDeck Setup.exe
884 VDeck.exe
3176 snss1.exe
3996 snss2.exe
1132 snss2.exe

Loads dropped DLL 57 IoCs

Processes:

VDeck Setup.exeVDeck.exeexplorer.exesnss2.exe

pid	process
1148	VDeck Setup.exe
1148	VDeck Setup.exe
1148	VDeck Setup.exe
1148	VDeck Setup.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
884	VDeck.exe
1976	explorer.exe
1976	explorer.exe
1132	snss2.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

snss1.exe

description pid process target process

PID 3176 set thread context of 2216 3176 snss1.exe cmd.exe

description	pid	process	target process
PID 3176 set thread context of 2216	3176	snss1.exe	cmd.exe

Drops file in Program Files directory 64 IoCs

Processes:

VDeck Setup.exe

description	ioc	process
File created	C:\Program Files (x86)\VDeck\System.Collections.Immutable.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Net.WebClient.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\pl\System.Windows.Forms.Design.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Data.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Diagnostics.FileVersionInfo.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Formats.Tar.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\hostpolicy.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\de\System.Windows.Forms.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\es\Microsoft.VisualBasic.Forms.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Diagnostics.EventLog.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Diagnostics.StackTrace.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\fr\System.Windows.Forms.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\it\System.Windows.Forms.Primitives.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\zh-Hans\System.Windows.Forms.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\zh-Hant\System.Windows.Controls.Ribbon.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Globalization.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\ja\System.Windows.Forms.Design.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Console.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Drawing.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Security.Cryptography.Algorithms.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\cs\PresentationCore.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Linq.Queryable.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Runtime.CompilerServices.VisualC.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\WindowsFormsIntegration.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\es\PresentationFramework.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\zh-Hans\WindowsBase.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Collections.Concurrent.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\pt-BR\ReachFramework.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Runtime.Serialization.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Runtime.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\mscorlib.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\fr\System.Windows.Controls.Ribbon.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\pt-BR\PresentationCore.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.CodeDom.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Threading.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Xaml.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\cs\System.Windows.Input.Manipulations.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\fr\PresentationUI.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\pt-BR\PresentationUI.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.IO.Pipes.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Xml.XDocument.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\es\System.Xaml.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Net.NameResolution.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\clrgc.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Runtime.CompilerServices.Unsafe.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\it\System.Xaml.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\tr\UIAutomationTypes.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\zh-Hans\ReachFramework.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\zh-Hans\WindowsFormsIntegration.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\PresentationNative_cor3.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Private.Xml.Linq.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Reflection.TypeExtensions.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\mscordaccore_amd64_amd64_8.0.23.53103.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\de\System.Windows.Forms.Primitives.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\pt-BR\System.Windows.Input.Manipulations.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\ru\WindowsFormsIntegration.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\PresentationFramework.Aero2.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.IO.FileSystem.Primitives.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Security.AccessControl.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\ko\WindowsFormsIntegration.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Runtime.Loader.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Xml.XPath.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Net.Sockets.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Security.Cryptography.Pkcs.dll	VDeck Setup.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
defense_evasion

SIP and Trust Provider Hijacking
T1553.003

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\VDeck Setup.exe:Zone.Identifier firefox.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Users\Admin\Downloads\VDeck Setup.exe:Zone.Identifier	firefox.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

VDeck Setup.exesnss1.execmd.exeexplorer.exesnss2.exesnss2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VDeck Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	snss1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	snss2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	snss2.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exeexplorer.exefirefox.exefirefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3774859476-2260090144-3466365324-1000_Classes\Local Settings firefox.exe
NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\VDeck Setup.exe:Zone.Identifier firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3774859476-2260090144-3466365324-1000_Classes\Local Settings	firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\VDeck Setup.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exesnss1.execmd.exeexplorer.exe

pid	process
1804	powershell.exe
1804	powershell.exe
1804	powershell.exe
208	powershell.exe
208	powershell.exe
208	powershell.exe
4448	powershell.exe
4448	powershell.exe
4448	powershell.exe
2800	powershell.exe
2800	powershell.exe
2800	powershell.exe
3176	snss1.exe
3176	snss1.exe
3176	snss1.exe
2216	cmd.exe
2216	cmd.exe
2216	cmd.exe
2216	cmd.exe
1976	explorer.exe
1976	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

snss1.execmd.exe

pid process

3176 snss1.exe
2216 cmd.exe

pid	process
3176	snss1.exe
2216	cmd.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

firefox.exeVDeck Setup.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1936	firefox.exe
Token: SeDebugPrivilege	1936	firefox.exe
Token: SeDebugPrivilege	1148	VDeck Setup.exe
Token: SeDebugPrivilege	1148	VDeck Setup.exe
Token: SeDebugPrivilege	1148	VDeck Setup.exe
Token: SeDebugPrivilege	1148	VDeck Setup.exe
Token: SeDebugPrivilege	1148	VDeck Setup.exe
Token: SeDebugPrivilege	1148	VDeck Setup.exe
Token: SeDebugPrivilege	1148	VDeck Setup.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	208	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	1936	firefox.exe
Token: SeDebugPrivilege	1936	firefox.exe
Token: SeDebugPrivilege	1936	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

Processes:

firefox.exe

pid	process
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

Processes:

firefox.exe

pid	process
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

firefox.exeVDeck Setup.exeVDeck.exesnss1.exesnss2.exesnss2.exe

pid	process
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1148	VDeck Setup.exe
884	VDeck.exe
3176	snss1.exe
3996	snss2.exe
1132	snss2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4728 wrote to memory of 1936	4728	firefox.exe	firefox.exe
PID 4728 wrote to memory of 1936	4728	firefox.exe	firefox.exe
PID 4728 wrote to memory of 1936	4728	firefox.exe	firefox.exe
PID 4728 wrote to memory of 1936	4728	firefox.exe	firefox.exe
PID 4728 wrote to memory of 1936	4728	firefox.exe	firefox.exe
PID 4728 wrote to memory of 1936	4728	firefox.exe	firefox.exe
PID 4728 wrote to memory of 1936	4728	firefox.exe	firefox.exe
PID 4728 wrote to memory of 1936	4728	firefox.exe	firefox.exe
PID 4728 wrote to memory of 1936	4728	firefox.exe	firefox.exe
PID 4728 wrote to memory of 1936	4728	firefox.exe	firefox.exe
PID 4728 wrote to memory of 1936	4728	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3844	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3920	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3920	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3920	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3920	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3920	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3920	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3920	1936	firefox.exe	firefox.exe
PID 1936 wrote to memory of 3920	1936	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://vdeck.io"
1⤵
- Suspicious use of WriteProcessMemory
PID:4728

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://vdeck.io
2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1936

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {27b3213c-953a-418f-ab28-0d768d661e56} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" gpu
3⤵
PID:3844

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20240401114208 -prefsHandle 2292 -prefMapHandle 2296 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37c6ade1-a894-4e64-bfba-d0d89c45c005} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" socket
3⤵
PID:3920

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2976 -childID 1 -isForBrowser -prefsHandle 2860 -prefMapHandle 3232 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6728486f-31b7-4d89-a86d-8b2a4f9041d9} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" tab
3⤵
PID:2884

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3676 -childID 2 -isForBrowser -prefsHandle 3576 -prefMapHandle 2796 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eed24deb-d900-4b9a-8d32-31615ca306ed} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" tab
3⤵
PID:4460

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4232 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4244 -prefMapHandle 4240 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9c3fc24-308f-4baf-a581-712cd53157fc} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" utility
3⤵
- Checks processor information in registry
PID:4868

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5412 -childID 3 -isForBrowser -prefsHandle 5428 -prefMapHandle 5424 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba7027cb-58f4-4466-9f94-fa74f38fc202} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" tab
3⤵
PID:1276

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5408 -childID 4 -isForBrowser -prefsHandle 5596 -prefMapHandle 5604 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {358aecbc-df25-4fcf-9745-de80cf78a293} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" tab
3⤵
PID:3796

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5796 -childID 5 -isForBrowser -prefsHandle 5716 -prefMapHandle 5720 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9eae265-a024-47c5-945a-9095e68b0ac9} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" tab
3⤵
PID:3044

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5760 -childID 6 -isForBrowser -prefsHandle 5956 -prefMapHandle 6012 -prefsLen 27174 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f684e917-8134-4399-8119-f26b6f005b80} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" tab
3⤵
PID:4348

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3632 -parentBuildID 20240401114208 -prefsHandle 5152 -prefMapHandle 6364 -prefsLen 33704 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {48e90d6f-d911-42f5-bc55-3af0e4e5a993} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" rdd
3⤵
PID:3564

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6336 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 6496 -prefMapHandle 6492 -prefsLen 33704 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dad50136-da5e-437e-8d37-59e042d44525} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" utility
3⤵
- Checks processor information in registry
PID:1932

C:\Users\Admin\Downloads\VDeck Setup.exe
"C:\Users\Admin\Downloads\VDeck Setup.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1148

C:\Program Files (x86)\VDeck\VDeck.exe
"C:\Program Files (x86)\VDeck\VDeck.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Users\Admin\AppData\Local\Temp\76440f98-d87b-40ac-8567-9860f145bd6f\snss1.exe
"C:\Users\Admin\AppData\Local\Temp\76440f98-d87b-40ac-8567-9860f145bd6f\snss1.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:3176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
6⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2216

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
7⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1976

C:\Users\Admin\AppData\Local\Temp\76440f98-d87b-40ac-8567-9860f145bd6f\snss2.exe
"C:\Users\Admin\AppData\Local\Temp\76440f98-d87b-40ac-8567-9860f145bd6f\snss2.exe"
5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3996

C:\Windows\Temp\{289B998E-4A6E-45FB-96CC-9093F65E29C3}\.cr\snss2.exe
"C:\Windows\Temp\{289B998E-4A6E-45FB-96CC-9093F65E29C3}\.cr\snss2.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\76440f98-d87b-40ac-8567-9860f145bd6f\snss2.exe" -burn.filehandle.attached=568 -burn.filehandle.self=240
6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1132

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\VDeck\Accessibility.dll
Filesize
20KB

MD5
fb554f9fe0b91f135d26ac6459cfd6f2

SHA1
b1269a2c28bded872b14fe70b69484631ef3a65d

SHA256
929ea150ad45b7c7dd5427461fbec44d43b67c08081f59b42b6abf570feae271

SHA512
8dffde6cddfc59ec380111fd36048126559e1f1e080c081ca0d09021bb23d6888e93e1659c7b3a8fa46f76602b03cf3e638ec1a80fba79e51648dcb32362e10c

Download Submit
C:\Program Files (x86)\VDeck\Microsoft.Win32.Primitives.dll
Filesize
15KB

MD5
300c95ff95b52e8a02fec6bfcfa58225

SHA1
b646f89fcd463ad5c19889b4fea40540568b780c

SHA256
f1b40565e5c4c41da810aee5b7d2272a0906e88f796812435aa5ed712bcac40c

SHA512
9bfe0eb6eea98b2d35aa42986a273ec82424143965e173b32bb4b7e5537580a027940a6952a45fc54f0b665e871deb2a95651106c2f24c7de3b3d3cd2dec7e89

Download Submit
C:\Program Files (x86)\VDeck\System.Collections.Specialized.dll
Filesize
102KB

MD5
cc26e9e30ffab763a1e54c0ef3713382

SHA1
c3be6646b7a4576ebd7729dbf4dccbd1fc159d51

SHA256
0cbabb81eae22f4c07c6c846054d207ae3f25da15649eb7fa29e4e2cecd24db4

SHA512
c8e57fb70cfa7667f9a5484c99eedd0bf34004ee26e9642e99a6b90624caa804af571d8aaafa7e9b121550af58205f8ed197b4ddb928210d394ff0b4c1897149

Download Submit
C:\Program Files (x86)\VDeck\System.Collections.dll
Filesize
254KB

MD5
92063926c04f2e4bf5b5fde16542831d

SHA1
e7be34eaff2d3d8796911d21f1fdbb93bf231dec

SHA256
9193aaef3ea8f19408f88c25fcaf5880e7836d1c35028d7e4077f6090b083541

SHA512
e855ee37980d1da2d143ee39133b05fff81937e529cffe74433e73088549daabd3abadbf05f3765bf3ffffd50313f0ed966efec0eb244d7363241affd73cc29f

Download Submit
C:\Program Files (x86)\VDeck\System.ComponentModel.EventBasedAsync.dll
Filesize
46KB

MD5
333639248121fb67d18323613a8203ea

SHA1
0cee5f7d46596239b833b3b30dccde27b0136959

SHA256
4c97d7bc0742faaa52ba86018b040aac44ddfc88a5835f9e6a659e03b4558999

SHA512
714fcb7299abcb26100b5f4103834c11c58f535ee9853fca2bcb22f43a3d1e7608d6ccae2dcc93d1687a4f1c8b521afe683d537f70f858681e62fff2d79c4acb

Download Submit
C:\Program Files (x86)\VDeck\System.ComponentModel.Primitives.dll
Filesize
78KB

MD5
1c59c00ab0850af4b4d2bafd6be47db3

SHA1
4c6185b2f42987e25a5fdf2aa30cf4150de25d5b

SHA256
133ec34432ab8fa4f63ade636193864b6a62a089a0c98d746f5532c8a52f437b

SHA512
8425c02c4afb274e862e4ed5dd1c766ebfa1bcf5bf59018d86238014a52603331a8b7c1e233f5a1f22171e90132ddd585db0d2561ff2cd287d703397afdff4b1

Download Submit
C:\Program Files (x86)\VDeck\System.ComponentModel.TypeConverter.dll
Filesize
726KB

MD5
f6f78df8a3ef64639ac0cb7de24ed66b

SHA1
384422c0ceb6bb6870c4f7d9074e9c78d33e4c0c

SHA256
88129c110d748f7c8ef8a923f68cd26d39e0505b49bf5cc10cbd23b92f1a00a3

SHA512
ed63f75e3477196b5308c42f259c0294a29ef5edf6eb0df4f8268be3f0495b9cfd8ca3467bc1574db142571c368940468bb84d14c26aaccacd6eee66ddd98403

Download Submit
C:\Program Files (x86)\VDeck\System.Diagnostics.FileVersionInfo.dll
Filesize
46KB

MD5
1daf75cc369569182bbdb664eb8cb4c7

SHA1
ec0ff43694f0027a469d31221b591bff2ef29d69

SHA256
92ae8401342fd8484e749c65a7726a0f5bff69346ad4e96026bfa063ff567b8b

SHA512
9d0ee9b59354f721136a1631e46d395b763f755b212e44daea5c62a91b4c5edfd218587c8aa56db27f7efc7b9678c59ea822964f279a7837aa5e12f46be4e79b

Download Submit
C:\Program Files (x86)\VDeck\System.Diagnostics.StackTrace.dll
Filesize
46KB

MD5
70c0d0120a96a30c980414f44bfe9d5e

SHA1
ad158543ae92c9b47e6290bab86b4cb5511b7029

SHA256
318eb3af0fda576d8094404185690b9570d576ea56e85c47251769c09de8035c

SHA512
42e9e048668b491a7fce4d5da6a2690f386c9d4d847b7ce0b2c70f743f615dc9917eafa5cc3d94f4e5803abe65d892c4f89d88ce8531b7d3c2b8c536d7d224da

Download Submit
C:\Program Files (x86)\VDeck\System.Diagnostics.TraceSource.dll
Filesize
142KB

MD5
fe6a4b96e144131788108c8396a849eb

SHA1
40e6e5d03cfe036645ae854d5a2262faec6bed32

SHA256
22365ee4e3ba3c991d495e41f92e29bf6ddb38a48c44f55651271b80ee62b6d1

SHA512
61644c0e970dd6a6ff697b110bf99962931dd94deda5a966ea0fded3d23cba7433b802656295e04f1a95421774ea3c838f0a642d26b5e46ae6c05becb52eb7f1

Download Submit
C:\Program Files (x86)\VDeck\System.Drawing.Common.dll
Filesize
1.5MB

MD5
e4715322db624dc52947a42ac67757ab

SHA1
ba0b0850142ecc3910927d6f2e5781b896d7d442

SHA256
75b1e772a4355145364121af00e5b5cf06c7212aa53d662fdc996bc11e8092a9

SHA512
3c86d44eb209a3a1f2001968a2b139e532a0513fd2decff04aa1bf8b30b6202c70fc0e7ac8b22ace563023671259cd74cf65062132e7f1b97d3580621686b05a

Download Submit
C:\Program Files (x86)\VDeck\System.Drawing.Primitives.dll
Filesize
130KB

MD5
b5ca10a41cc865048491f617678722a9

SHA1
afe171d9d676b78983b802e18ef8e00927073c64

SHA256
cbe9fbb1d1e4850460854474ffd8c01ddcc756dcb33a86d1674c0cb2e2a0b026

SHA512
2afdce56b7eec6deb82f8b2d5ec3029b5a0ee1e8bbf2e0ff9a0a5310bf265ddcdf63660546b4dbcc3c5fb0cba3cbb94f2408fe5cb4d14dbe0e74aba6dd5a2192

Download Submit
C:\Program Files (x86)\VDeck\System.IO.Compression.Brotli.dll
Filesize
82KB

MD5
4cde4fcd6f41f0d6d400c1d66f391538

SHA1
7c4a13f37c8d20fbe60c5b612107bd0242b68e26

SHA256
51bc8800f8579a14d1edf0f650c9a5d828ef9d96532d7dd304a4394fa9cfd641

SHA512
d7b444ec7f230c3104fdd98c60af9de998a85e622e0c8ce3471a3809d9ba8bb368d7827800fb177ac97f0ce3feb3ad2292a77d41b8c36bc99b2df1263feb8735

Download Submit
C:\Program Files (x86)\VDeck\System.IO.Compression.Native.dll
Filesize
809KB

MD5
68deb864299c12cd26aea44c39aa665b

SHA1
03613118a674e115c23b3eae354805e9e41bb34c

SHA256
1d58d2b17d468651e17870876029dbd3f68d6ba74b18a75f148581eaddc9c1b1

SHA512
4ad6b2c38338469de0f0247152f773f6886ea5396aca5cbc178dc2e894aeccc1296fd02ffec1d1a266bc548a490a8afc5ba383087bd89567957980472318ccad

Download Submit
C:\Program Files (x86)\VDeck\System.IO.Compression.dll
Filesize
258KB

MD5
e11feb9fb874d60b76c2ad7a5fef7ac8

SHA1
e7622bad558fd695442b3ecfeea8f706601c0310

SHA256
3f5083bf4404c5969557e6c19a5b87d7db5bef2ee10fd86d775b6a96b357232a

SHA512
dd3e75b0a86ee2240ebf37d728f467b11fd4a25e4b7fdbc8f4c5b4180bcd0e8c1a1695f5cb72133da428f791cb922699cc3a325e05c44bd7931c141b07504587

Download Submit
C:\Program Files (x86)\VDeck\System.Memory.dll
Filesize
154KB

MD5
7e999da530c21a292cec8a642127b8c8

SHA1
6585d0260ae98bab2ad1eaba0f9cfe8ebb8a0b3f

SHA256
3af25e0c81c1462d0db86f55c4e5fd8c048c70685f9a566d29d499bc46935fb4

SHA512
a18b6649b5c2f9f96bf639863df9faad436759200a64f91fb2d955f33c71ce4b2d5798be982f692a247ac864d8acb63fb731b31c06333e5c7d9a9c895ecd6451

Download Submit
C:\Program Files (x86)\VDeck\System.Numerics.Vectors.dll
Filesize
15KB

MD5
b7adf99da15738c602df256e8a1aac4a

SHA1
ff98005dfcf40f876b618a599f227397f36915df

SHA256
2466f7df763b191a6b4a536eae1016394d81e175fc53cefe56b8ce27459412af

SHA512
8eb34d00f8149d688bd5efe2ffdc834f669fa8c30d4c265814647de78a55502805104ccc3682010b246d26d805004b188ab19ad59fc2e866103bbe191e2225ad

Download Submit
C:\Program Files (x86)\VDeck\System.Private.CoreLib.dll
Filesize
12.6MB

MD5
805cf170e27dd31219a6b873c17dce88

SHA1
ac90fa4690a8b54b6248dcb4c41a2c9a74547667

SHA256
ba7e61a00e7a4634b5c5a79b83126f75580ceec235c613000c3efbc01826cad0

SHA512
fa946aae906b66cb5570155a1c77340f2b6d4efb9be16068da03a8f1c5b5f37ad847d65cd1416017db19375dc6a72670300da4c766e6d9bb1a00374f492bd866

Download Submit
C:\Program Files (x86)\VDeck\System.Runtime.InteropServices.dll
Filesize
94KB

MD5
49c86e36b713e2b7daeb7547cede45fb

SHA1
75fe38864362226d2cce32b2c25432b1fd18ba37

SHA256
756de3f5f2e07b478ac046a0ac976b992ef6bc653a1be2bb1e28524a4ff8d67d

SHA512
a9bd42b626158c540be04f8d392620daba544a55b7438d6caefe93b9df10ec2219f28959c4e0d706a86b92008275de94dfdf19de730787cdacf46d99fc45e3a9

Download Submit
C:\Program Files (x86)\VDeck\System.Runtime.dll
Filesize
42KB

MD5
53501b2f33c210123a1a08a977d16b25

SHA1
354e358d7cf2a655e80c4e4a645733c3db0e7e4d

SHA256
1fc86ada2ec543a85b8a06a9470a7b5aaa91eb03cfe497a32cd52a1e043ea100

SHA512
9ef3b47ddd275de9dfb5ded34a69a74af2689ebcb34911f0e4ffef9e2faf409e2395c7730bce364b5668b2b3b3e05a7b5998586563fb15e22c223859b2e77796

Download Submit
C:\Program Files (x86)\VDeck\System.Security.Cryptography.Csp.dll
Filesize
15KB

MD5
c7f55dbc6f5090194c5907054779e982

SHA1
efa17e697b8cfd607c728608a3926eda7cd88238

SHA256
16bc1f72938d96deca5ce031a29a43552385674c83f07e4f91d387f5f01b8d0a

SHA512
ae0164273b04afdec2257ae30126a8b44d80ee52725009cc917d28d09fcfb19dfbbb3a817423e98af36f773015768fed9964331d992ad1830f6797b854c0c355

Download Submit
C:\Program Files (x86)\VDeck\System.Security.Cryptography.dll
Filesize
2.0MB

MD5
75f18d3666eb009dd86fab998bb98710

SHA1
b273f135e289d528c0cfffad5613a272437b1f77

SHA256
4582f67764410785714a30fa05ffaaad78fe1bc8d4689889a43c2af825b2002e

SHA512
9e110e87e00f42c228729e649903ad649b962ae28900d486ee8f96c47acca094dbace608f9504745abf7e69597cdef3c6b544b5194703882a0a7f27b011fa8d5

Download Submit
C:\Program Files (x86)\VDeck\System.Threading.Thread.dll
Filesize
15KB

MD5
72d839e793c4f3200d4c5a6d4aa28d20

SHA1
fbc25dd97b031a6faddd7e33bc500719e8eead19

SHA256
84c9a95609878542f00fe7da658f62d1a6943a43e6346af80d26bcff069a4dbd

SHA512
a414cd9d7cf6a04709f3bdbef0295349b845a8301171ed6394e97b9993f35816383b958736c814f91c359a783cca86ee04802856486d4b4e0ab90a45da39db1d

Download Submit
C:\Program Files (x86)\VDeck\System.Threading.dll
Filesize
82KB

MD5
32aa6e809d0ddb57806c6c23b584440e

SHA1
6bd651b9456f88a28f7054af475031afe52b7b64

SHA256
e8d1f5c422ee0ba3b235b22028ab92dc77c1ff9774edc0b940cad7224a30ba7d

SHA512
fe43b3d6ed5c37d59a44636d3c7522a88d83e6ec074bf69d3cbb6e5454fdd8f0523ea10fdf6fd452cbd0e2fc159cf9d03dfad6b30e80e400e7f1773b5a2e8632

Download Submit
C:\Program Files (x86)\VDeck\System.Windows.Forms.Primitives.dll
Filesize
2.9MB

MD5
8129c2d72bcba8b50576e7c43e558832

SHA1
f4892f78d2496f3a2e1fa2380ff68fbeb62e2dca

SHA256
5794a3996a0b4ab9cb13f3de0f87d50462615a7d0eb1d243d9324a682c1b58cb

SHA512
40fafbf9590d2b2c8f487f44708e9e97ddce03b1487be5c7cb3d4c92bdb7100a98aebada379f63003f0dd9d447ee2b0b9dfa0b057320ac05f7f77b31c5ffa97d

Download Submit
C:\Program Files (x86)\VDeck\System.Windows.Forms.dll
Filesize
12.9MB

MD5
a51632facb386d55cc3bc1f0822e4222

SHA1
59144c26183277304933fd8bb5da7d363fcc11fa

SHA256
efc52dbbef5202d9ff424d7adc6e2249b66450a5fd5414891776fc617b00123e

SHA512
2a8d8e2ee8168e6f79476616385320f463ebc161c7393db2b18a7d35ca0111c5100b83954c5eabfe32b12cac3dbfdc514271dde4cc4468dd26235eb7020d9c14

Download Submit
C:\Program Files (x86)\VDeck\VDeck.dll
Filesize
547KB

MD5
e40435c83bd20baceaf366715681802a

SHA1
44b58c1df66799c3e03d95c43bd98cac672c1b44

SHA256
59f0ddfd450a4280f7f0b63f5c9d2b92bc40680762d9390bb94786ca2ca7ab27

SHA512
caacb3c9a3990fb3d339250ba90e89168966f0fa645fe5bd09297fb44016f8c81edff2419ca8804f7f27250f764dc75fd6ff4f6adc4e505a4a7538d36382be36

Download Submit
C:\Program Files (x86)\VDeck\VDeck.exe
Filesize
337KB

MD5
b49848e297488ef03b44c4c4b197472d

SHA1
440255ca9282f7e2667a7bd0b27b8d2bdc4c1db3

SHA256
35be11ddfa4f1d776f0b6b814a325f50189100222fe04436a50563c89c2a02bd

SHA512
3515e6775862b0d66a206c24fa4916b2de208fe3cd0c7aec4e24d6d940a391f9d32a489642a32efafaa9c87b15fbbd4c462320797693705db50a85a2f523f655

Download Submit
C:\Program Files (x86)\VDeck\clrjit.dll
Filesize
1.7MB

MD5
8b81a3f0521b10e9de59507fe8efd685

SHA1
0516ff331e09fbd88817d265ff9dd0b647f31acb

SHA256
0759c8129bc761fe039e1cacb92c643606591cb8149a2ed33ee16babc9768dcb

SHA512
ea11c04b92a76957dcebe9667bef1881fc9afa0f8c1547e23ada8125aa9e40d36e0efaf5749da346ba40c66da439cbd15bf98453e1f8dab4fe1efd5618fdc176

Download Submit
C:\Program Files (x86)\VDeck\coreclr.dll
Filesize
4.8MB

MD5
9369162a572d150dca56c7ebcbb19285

SHA1
81ce4faeecbd9ba219411a6e61d3510aa90d971d

SHA256
871949a2ec19c183ccdacdea54c7b3e43c590eaf445e1b58817ee1cb3ce366d5

SHA512
1eb5eb2d90e3dd38023a3ae461f717837ce50c2f9fc5e882b0593ab81dae1748bdbb7b9b0c832451dfe3c1529f5e1894a451365b8c872a8c0a185b521dbcd16b

Download Submit
C:\Program Files (x86)\VDeck\hostfxr.dll
Filesize
342KB

MD5
16532d13721ba4eac3ca60c29eefb16d

SHA1
f058d96f8e93b5291c07afdc1d891a8cc3edc9a0

SHA256
5aa15c6119b971742a7f824609739198a3c7c499370ed8b8df5a5942f69d9303

SHA512
9da30d469b4faed86a4bc62617b309f34e6bda66a3021b4a27d197d4bcb361f859c1a7c0aa2d16f0867ad93524b62a5f4e5ae5cf082da47fece87fc3d32ab100

Download Submit
C:\Program Files (x86)\VDeck\hostpolicy.dll
Filesize
388KB

MD5
a7e9ed205cf16318d90734d184f220d0

SHA1
10de2d33e05728e409e254441e864590b77e9637

SHA256
02c8dbe7bf1999352fc561cb35b51c6a88c881a4223c478c91768fdaf8e47b62

SHA512
3ecbaf20946e27d924a38c5a2bf11bac7b678b8c4ebf6f436c923ea935982500e97f91d0e934b7fd6b1fc2a2fd34e7d7b31dbbe91314a218724b3b2fd64c4052

Download Submit
C:\ProgramData\BAAAAKJKJEBGHJKFHIDG
Filesize
15KB

MD5
919926e593fdf07881b240565f96fc4d

SHA1
a72a6b3e618f9707523d82316b36d78fb4c4fb86

SHA256
4e2106d3a335cdbbcbf99330ac86cee5bd160c2b7d903c1d586300ce4d7f281c

SHA512
192f6a1957f6d465d0f7e758347af9154289d7400e80fe222b8b6a0ead553327d96b4b3d041585a7ccb296c74101e85bb18d7f6a37ad4f1c1f61c542f44cc448

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\v4jvcrlg.default-release\activity-stream.discovery_stream.json.tmp
Filesize
19KB

MD5
017978b16260e01fdce2e40c5b39c7a7

SHA1
ca4953cee2afbd268177aa720589b066fbd2afbe

SHA256
ca5b90544a5fb53772bdab7962a82b68ad962e22b996b86dc51dca9b0bb33c08

SHA512
af99ce8816fa2315f6d527eb81edb4e231ea130bcb96cb08784ab32fc6479d8589b5e56ba2ff53fe1629e23ed5229e38ea5928fb8483d98bf14105f8124899ff

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\v4jvcrlg.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D
Filesize
13KB

MD5
4599d622fd7755a5177304712d65281c

SHA1
4313db0c624beb7c1d8aa3e7710b8f4354f3f57f

SHA256
f4a8317bbedfd398c64243b80ced80a48b421bfff2a40ae4c50edc13d653651c

SHA512
d4f03b4d969bb1e7cb5fa5fd9bec9068c8bbf9c42a4baaa929083daecfe1701a53c41dea558ce9d75f4e1a093f1d2a6fa7f903e7808f886ec331a8545b929334

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rsto41uf.crx.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso3F34.tmp\InstallOptions.dll
Filesize
15KB

MD5
d095b082b7c5ba4665d40d9c5042af6d

SHA1
2220277304af105ca6c56219f56f04e894b28d27

SHA256
b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c

SHA512
61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso3F34.tmp\LangDLL.dll
Filesize
5KB

MD5
50016010fb0d8db2bc4cd258ceb43be5

SHA1
44ba95ee12e69da72478cf358c93533a9c7a01dc

SHA256
32230128c18574c1e860dfe4b17fe0334f685740e27bc182e0d525a8948c9c2e

SHA512
ed4cf49f756fbf673449dca20e63dce6d3a612b61f294efc9c3ccebeffa6a1372667932468816d3a7afdb7e5a652760689d8c6d3f331cedee7247404c879a233

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso3F34.tmp\System.dll
Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso3F34.tmp\ioSpecial.ini
Filesize
1KB

MD5
8c36e917bf388dbb11ea532629f7e890

SHA1
8cb490055f3a42052037ce7c44ced2d4f3659afd

SHA256
84bf1f41321d96ef3de4706475fade1b6e84a4447e37447f4fcfddb4281a34f4

SHA512
890af3e8775104113e995903a96f39a0a5c04a7c43604f3a476acb851c1fb992d4e76c132af1f653a9901e39c39745614aef74e125200e8dc815f48da1c3e4c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso3F34.tmp\ioSpecial.ini
Filesize
1KB

MD5
271d13409b809eceb91b415ab63eb8b3

SHA1
743bbdc354749f9da8fc1d4ab01dd163496f0400

SHA256
bf71af2a3bf7b1ad79e3999b32e9ad4aacd9efb24745c5bf12f3c8a1c71c407e

SHA512
0f95780e1d45f447548f31f45fd8262d8556f8406c5d4318c7f430b0e3f9cfcffaa05ca5af191e751c49de97c57d7d806c1a526366c4c6b6011c7e7c627209ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso3F34.tmp\ioSpecial.ini
Filesize
1KB

MD5
d4c8601713c762c523a57945754602fd

SHA1
ba66608ba7c7589bf31e84937200339e084d6b30

SHA256
6efa72c3f093c6a644ef75afcd6525643f6bf8bf339be1ad8488ebefd978288b

SHA512
bae33a3172cc6f2bf6c9988a8ec07765c07c33de8621505a42934151abfc56aaa22a9218190f350e1558eb618a42d55d097396483a058ccee742705efbe33b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\v4jvcrlg.default-release\AlternateServices.bin
Filesize
8KB

MD5
72fdc70afb85f0ebca0c5d8de6cc4f7b

SHA1
70307093d939fdc9057976bd51d62bc5eaca03b6

SHA256
c13bcda6aa0f8bf37f085180ea36d71cd818cec09e3c5e15e905ff7000a283e5

SHA512
eb8bb1e5753760451bb2439a8ec2c0d85f09e2e546ef53118f39e81c87a272cb5a8aa6110696c0fb866a45cf728a5caa9177c5fc2e0805e06d3cd4dc56adc2c6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\v4jvcrlg.default-release\datareporting\glean\db\data.safe.tmp
Filesize
15KB

MD5
cd3f1af6c98a846c977c9972012c1053

SHA1
eea478782d7876070772595cd76e461ecd2031a7

SHA256
5b625d168893f71528915c0fc73c22e27567f5f2d9aaa5889339f5872afb17bd

SHA512
066123f660b5eab09a8c6b44147a61d3496b159d118afa56295952d4b4cb7bc5ce40df504346bb602cae819f59e43ea30a06470964242e82636bc86b5ece1009

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\v4jvcrlg.default-release\datareporting\glean\db\data.safe.tmp
Filesize
6KB

MD5
76fa750a9ae087b1f94b5b6fc0e4e47f

SHA1
78376c4b30a75c8f2974bcbb0af916179f54b02f

SHA256
39c1ed65292f9e03ae6684a5fc42aaffd6f70c710ed85b0b4fd1fb67a01659df

SHA512
1ab0027a818b67494882b1b41b5957c1fa0f05f6ab926a36fa61ba46f3c9b045ad1f3bd6cfb5b6ce3fe873e528ad664b4a306e0f672a2b71c9fc0f39a54a45a4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\v4jvcrlg.default-release\datareporting\glean\db\data.safe.tmp
Filesize
5KB

MD5
e8b5940a1a3b82746a25350cc0847787

SHA1
1fe8ef72b8aaeccf4bcd4dbfa15ccf87b277b073

SHA256
5ed9594fe97f1144f83f154f2c0f37a842bb7e646ba4f9ca2300b27cbc42b40c

SHA512
05f9c6743e76245feaf717b9d5673ede4bbfb9fae344c006fef47a578c5920e698e0b330a821f71b61ff30f880d7b97986e60befb4e648829997df28b85c252f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\v4jvcrlg.default-release\datareporting\glean\pending_pings\1712f70e-26de-4a70-a331-8df4f528a0a8
Filesize
28KB

MD5
0245245cfbe045de449f98de1c9d8b3f

SHA1
6971da0270add32fdf6effdc8bec6e055b9936f2

SHA256
0893a347d8b2af2d5e584717e163cc0a221d543fb0dfe3ca87af138eb054fa1c

SHA512
0c4f57727194b9655aab6c61bceb081a6ed1b4f2a06efbebc0f9edc77370e30ac0a66460e35de68cfb501f6b957602955d97bec6d45785fce49b920aa2922a35

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\v4jvcrlg.default-release\datareporting\glean\pending_pings\60902b22-39ee-4d64-a9cd-2ad24199daca
Filesize
671B

MD5
aa7d87e6aaa26a6f388a5729268617b5

SHA1
c5a22e19db87d9699a7537ea1b16194f7d231622

SHA256
83b8d9778bb95e9b608aa0dfae8b14944c994972152e9fa511d6db89ab4264c7

SHA512
a0802dd8e5850ee6a96a8bb91abc8d7ae86cd7b23d41e4555abe834645f187feebeab1671dd0ca76159e3d37920b3964a45f9605a35f8638a69603255e012608

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\v4jvcrlg.default-release\datareporting\glean\pending_pings\9350e513-1f18-450e-8d84-192b2489cc54
Filesize
982B

MD5
d79926669394233d6db37292a92de7a4

SHA1
3ea77f37318e793d387e29d970ea1b7014579197

SHA256
9f81e84b1c8292e3de3477a910a1ef897b4c4d29440de4a74843b659d8602340

SHA512
4ef5d1a661c7b1052b009b969d99ec36cf52bc2fbd83d2854ad60d9234a75b93acf1eca19aa575826b181dfc274d44a4800561edf831b2464ad09479ff350fd5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\v4jvcrlg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\v4jvcrlg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\v4jvcrlg.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\v4jvcrlg.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\v4jvcrlg.default-release\prefs-1.js
Filesize
15KB

MD5
88d56c8c22fe87b910ff468f1ac96749

SHA1
bc10501baead156660d4baf7e28732d7a41b6cd8

SHA256
8d93d57443dfbf5a4f2a138ab0fe0ab0c9fd010d053362000f2638bbec28b873

SHA512
2eebb7a7d6ed7d017f62724f8110ec554631301be4d14444fdccfe557c99fe39641217d5f8ffa9c59a08459f212c661958ed266da346f597bbb59f441122ae0b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\v4jvcrlg.default-release\prefs-1.js
Filesize
12KB

MD5
0cd943366acd2d4f7bbf8019ce809556

SHA1
cabb857625e3ef4639de88a90f430b5e7ffe9f17

SHA256
2da2003a608cda9d7afdf96039493053c3b1dfb3b7b472e39203ecc174d20851

SHA512
e5794b02ca46687953b562faea98b14beed376e650f91ee465af10d614dda104133eda48390790468cccf7b3b641d1f3e1d3dd94f3571e2395af5bf7a5f52310

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\v4jvcrlg.default-release\prefs.js
Filesize
10KB

MD5
5fd112d12db71b35873a0b73332e3e57

SHA1
48a8ff7ea0abe78c0bb35962c7a862ed10250f32

SHA256
2dd6a92ef51638330772bf33aea92d184af9f079f2c64055f717bf45ddef586a

SHA512
53542b950fa8afbe20db0a438325ccb9526031e48bf5bd0f4c702515bbf9155cc6793e8d869445717947f79979c8666127fca0ebd138d5e59e5ac04b8eb86770

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\v4jvcrlg.default-release\prefs.js
Filesize
10KB

MD5
3126ee8f59cd6bc5d0b367a5b51c0f36

SHA1
11be1b07ca908efa4827bd23b997f0285f2a15b9

SHA256
0cbb066f1ecffeec68f8d67bc4465f7710b077cc285896aed928503ff7dc1f74

SHA512
fb81fa22715d9ea794fcf024e829108996af3381db0881ba5d72992af2df55ddfd6246bb195db89e19bcf6fa005cee6d20c347b3bd876f8f5ee6aeed31a5ec58

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\v4jvcrlg.default-release\sessionstore-backups\recovery.baklz4
Filesize
33KB

MD5
363c9c42e6ac456a481048a715c8a778

SHA1
b5ef3530b092b0e96a2d827ea22b1c369af6a940

SHA256
79f7b35648659dbd15ba637ac01e4095afd22ce877e364c554e2b61f2c5d9b13

SHA512
79f8f8f7d810049275f714b3af4d72e83eb9050a4ca30720a1a0d034e92f5cbcd5fe9981ed98d995ea172fbe31fd2c59c4fa83b23442225239965d55f19f6093

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\v4jvcrlg.default-release\sessionstore-backups\recovery.baklz4
Filesize
33KB

MD5
24578d7873f2bc57ecbb44966cac942d

SHA1
c4c5b402aead8631930d3c6ae04975c0ad261456

SHA256
7d0f4ba36eb064616125efe0e4731a9ed6dd8a67dc9be5c5ebdaa1ab85122166

SHA512
8cc6b58c158f022b45ae06644e6a742eac9fbce3f66c00b49a9c6741bc92736e00bfdd03733b4b91094633fc6d458feb98ff7988ea0078c4197b257f83dca9b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\v4jvcrlg.default-release\sessionstore-backups\recovery.baklz4
Filesize
33KB

MD5
efec8e64083af8310cf68ece4e215b55

SHA1
1d0cca5eb5f3c46f902101b2d7ca25b2bf49efb6

SHA256
66bca1867c2091d5d87ff237bf1206a3f4971a2a904da01ed8a9fd087f0488b2

SHA512
08e09fa13fbc3306b0da38d2ae14ad25b9f03dfe7e3516f1e533465105cb3bfe4405824dcb917298e3be21340a77c8abf3d94136804c9416bcc8c21cbaaabd39

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\v4jvcrlg.default-release\sessionstore-backups\recovery.baklz4
Filesize
33KB

MD5
d4fb647183dcdcb3874fc81bbadac096

SHA1
a1617bf9086af6447ff95210fea3db39fe7f5ffe

SHA256
512e5a3a394c9e3a298ca9b267d48e52621fc050bf3ae7908cb5ece82f6a9e70

SHA512
8dce0c5e45411135fe2d99ed594397c5e82c96bc9d8fd541787c1dc6df345c1fdf931b11556d55a67beec61f2ea6ffdedc8661f79b59ca8de04c9c186bc46ce5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\v4jvcrlg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
1.2MB

MD5
7b2fa180481739de6fa61abfda0f8adc

SHA1
f106bebbe0ef5f4a53117fafd60420f4afe600d0

SHA256
6922a681502fb389864260e6a5e6e586267151e1b0fd147eb880e43c4ec106f9

SHA512
5f28d6fd3819b352b0a9c3e7c19abffef79c5ea0bd014e8905a988435a78f1411df08979bbcba8b6cd8c0435ced01e157902712aecc5c4aa6cf426decdb59d1d

Download Submit
C:\Users\Admin\Downloads\VDeck Setup.w2Ia_J5f.exe.part
Filesize
47.5MB

MD5
2a63e2054769d84b26710bc65f378dbb

SHA1
8b8eed631cdce7d1b3784d8b27bcea3e1835f4a8

SHA256
c2a75fb224674bd4825034ecb647cb1d83f451bf5f3907e4465f7f73d97c6ad8

SHA512
e3e6a9d88ab303abd745e5be4bc64f3f0b07c62eac4e408657dbe81fa635ce9e2bea87716edd34fdb32590a21803e865b48740985038503b4e6ff248900e5be8

Download Submit
memory/1804-3875-0x000002289B030000-0x000002289B052000-memory.dmp

Filesize
136KB

Download
memory/1976-3936-0x00007FFBE0770000-0x00007FFBE0965000-memory.dmp

Filesize
2.0MB

Download
memory/1976-4005-0x0000000001100000-0x0000000001345000-memory.dmp

Filesize
2.3MB

Download
memory/1976-3982-0x0000000001100000-0x0000000001345000-memory.dmp

Filesize
2.3MB

Download
memory/1976-3940-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1976-3937-0x0000000001100000-0x0000000001345000-memory.dmp

Filesize
2.3MB

Download
memory/1976-3935-0x0000000001100000-0x0000000001345000-memory.dmp

Filesize
2.3MB

Download
memory/2216-3933-0x0000000074D00000-0x0000000074E7B000-memory.dmp

Filesize
1.5MB

Download
memory/2216-3932-0x00007FFBE0770000-0x00007FFBE0965000-memory.dmp

Filesize
2.0MB

Download
memory/3176-3928-0x0000000074D00000-0x0000000074E7B000-memory.dmp

Filesize
1.5MB

Download
memory/3176-3927-0x00007FFBE0770000-0x00007FFBE0965000-memory.dmp

Filesize
2.0MB

Download
memory/3176-3926-0x0000000074D00000-0x0000000074E7B000-memory.dmp

Filesize
1.5MB

Download
memory/3176-3925-0x0000000000B70000-0x0000000000C96000-memory.dmp

Filesize
1.1MB

Download