hijackloader | 8aad43ed10153b766f0c7077748cbabf4bfe98b62ca6fe1ad6a5a0840f4b7bb2

Resubmissions

04-09-2024 06:03

240904-gsefaavhkk 7

04-08-2024 02:00

240804-ce8dzsxdnf 10

Analysis

max time kernel
148s
max time network
146s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
04-08-2024 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VDeck Setup.exe
Size

42.9MB
MD5

aa53626f27f7c2d0428d81f5f3ec02ac
SHA1

52dac85b5d3e0491bb05c7dd6d88842409b4e0ff
SHA256

8aad43ed10153b766f0c7077748cbabf4bfe98b62ca6fe1ad6a5a0840f4b7bb2
SHA512

46b57df175879e4879da462cd25fdd8c6e4be800cc9cdae22b6a5452b0755418c69629c793324e1dd799d02972f23065591552e02401499a43bef376ab7c4fd8
SSDEEP

786432:NKiex8/gquJ58B+PEy+Si2csY2rBWHTFvtlVCJd69mVPo7FmzYV5zy397k8/2mEt:NVy8/gN5WNlSuKKjlVCn69mVT85mBz/Y

Score

10^/10

hijackloader stealc vor2 credential_access discovery loader spyware stealer

Malware Config

Extracted

Family

stealc

Botnet

vor2

http://45.152.112.103

Attributes

url_path
/1cf3aa1810feeb67.php

Signatures

Detects HijackLoader (aka IDAT Loader) 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1552-735-0x0000000000400000-0x0000000000566000-memory.dmp	family_hijackloader
behavioral1/memory/1172-822-0x0000000000400000-0x0000000000BFC000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Downloads MZ/PE file

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
\Program Files (x86)\VDeck\VDeck.dll	net_reactor

Executes dropped EXE 3 IoCs

Processes:

VDeck.exesnss1.exesnss2.exe

pid process

2604 VDeck.exe
1552 snss1.exe
1172 snss2.exe

pid	process
2604	VDeck.exe
1552	snss1.exe
1172	snss2.exe

Loads dropped DLL 64 IoCs

Processes:

VDeck Setup.exeVDeck.exe

pid	process
1380	VDeck Setup.exe
1380	VDeck Setup.exe
1380	VDeck Setup.exe
1380	VDeck Setup.exe
1380	VDeck Setup.exe
1380	VDeck Setup.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe
2604	VDeck.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 2 IoCs

Processes:

snss1.exesnss2.exe

description pid process target process

PID 1552 set thread context of 644 1552 snss1.exe cmd.exe
PID 1172 set thread context of 1284 1172 snss2.exe cmd.exe

description	pid	process	target process
PID 1552 set thread context of 644	1552	snss1.exe	cmd.exe
PID 1172 set thread context of 1284	1172	snss2.exe	cmd.exe

Drops file in Program Files directory 64 IoCs

Processes:

VDeck Setup.exe

description	ioc	process
File created	C:\Program Files (x86)\VDeck\System.Xml.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\clretwrc.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\fr\System.Xaml.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.ComponentModel.EventBasedAsync.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\it\System.Windows.Forms.Primitives.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\zh-Hans\System.Windows.Forms.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Security.Cryptography.Cng.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Threading.AccessControl.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\clrgc.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\it\UIAutomationClientSideProviders.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Windows.Forms.Primitives.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\ja\PresentationCore.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\pl\PresentationCore.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.IO.FileSystem.AccessControl.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.ObjectModel.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\Microsoft.VisualBasic.Forms.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Collections.Concurrent.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\hostfxr.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Private.CoreLib.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\msquic.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\es\UIAutomationClient.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\zh-Hant\UIAutomationClientSideProviders.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Security.Cryptography.ProtectedData.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Windows.Controls.Ribbon.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\UIAutomationClient.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\UIAutomationTypes.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\fr\PresentationFramework.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\pl\UIAutomationClientSideProviders.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\PresentationNative_cor3.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Diagnostics.DiagnosticSource.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Text.Encoding.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\tr\UIAutomationProvider.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Resources.Reader.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Runtime.Intrinsics.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\fr\System.Windows.Forms.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\pl\ReachFramework.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\pt-BR\System.Windows.Forms.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\Microsoft.Win32.SystemEvents.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Private.DataContractSerialization.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\VDeck.exe	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\zh-Hant\UIAutomationClient.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Console.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.DirectoryServices.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\mscordaccore_x86_x86_8.0.23.53103.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\ko\System.Xaml.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\zh-Hans\WindowsFormsIntegration.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Threading.Channels.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Threading.Tasks.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Diagnostics.Tracing.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Windows.Input.Manipulations.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\pl\Microsoft.VisualBasic.Forms.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Net.Sockets.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\ko\UIAutomationProvider.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\DirectWriteForwarder.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Runtime.Serialization.Formatters.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\fr\WindowsBase.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.IO.Compression.FileSystem.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\it\UIAutomationTypes.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\ru\UIAutomationClientSideProviders.resources.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Design.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Xml.Linq.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\hostpolicy.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\pl\UIAutomationClient.resources.dll	VDeck Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

VDeck.exesnss1.execmd.exeexplorer.exesnss2.execmd.exeVDeck Setup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VDeck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	snss1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	snss2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VDeck Setup.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

VDeck.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	VDeck.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	VDeck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	VDeck.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	VDeck.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

snss1.execmd.exeexplorer.exesnss2.exe

pid process

1552 snss1.exe
1552 snss1.exe
644 cmd.exe
644 cmd.exe
2912 explorer.exe
1172 snss2.exe
1172 snss2.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

snss1.execmd.exesnss2.exe

pid process

1552 snss1.exe
644 cmd.exe
1172 snss2.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

snss2.exe

pid process

1172 snss2.exe

pid	process
1552	snss1.exe
1552	snss1.exe
644	cmd.exe
644	cmd.exe
2912	explorer.exe
1172	snss2.exe
1172	snss2.exe

pid	process
1552	snss1.exe
644	cmd.exe
1172	snss2.exe

pid	process
1172	snss2.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

VDeck Setup.exeVDeck.exesnss1.execmd.exesnss2.exe

description	pid	process	target process
PID 1380 wrote to memory of 2604	1380	VDeck Setup.exe	VDeck.exe
PID 1380 wrote to memory of 2604	1380	VDeck Setup.exe	VDeck.exe
PID 1380 wrote to memory of 2604	1380	VDeck Setup.exe	VDeck.exe
PID 1380 wrote to memory of 2604	1380	VDeck Setup.exe	VDeck.exe
PID 2604 wrote to memory of 1552	2604	VDeck.exe	snss1.exe
PID 2604 wrote to memory of 1552	2604	VDeck.exe	snss1.exe
PID 2604 wrote to memory of 1552	2604	VDeck.exe	snss1.exe
PID 2604 wrote to memory of 1552	2604	VDeck.exe	snss1.exe
PID 2604 wrote to memory of 1552	2604	VDeck.exe	snss1.exe
PID 2604 wrote to memory of 1552	2604	VDeck.exe	snss1.exe
PID 2604 wrote to memory of 1552	2604	VDeck.exe	snss1.exe
PID 1552 wrote to memory of 644	1552	snss1.exe	cmd.exe
PID 1552 wrote to memory of 644	1552	snss1.exe	cmd.exe
PID 1552 wrote to memory of 644	1552	snss1.exe	cmd.exe
PID 1552 wrote to memory of 644	1552	snss1.exe	cmd.exe
PID 1552 wrote to memory of 644	1552	snss1.exe	cmd.exe
PID 644 wrote to memory of 2912	644	cmd.exe	explorer.exe
PID 644 wrote to memory of 2912	644	cmd.exe	explorer.exe
PID 644 wrote to memory of 2912	644	cmd.exe	explorer.exe
PID 644 wrote to memory of 2912	644	cmd.exe	explorer.exe
PID 644 wrote to memory of 2912	644	cmd.exe	explorer.exe
PID 2604 wrote to memory of 1172	2604	VDeck.exe	snss2.exe
PID 2604 wrote to memory of 1172	2604	VDeck.exe	snss2.exe
PID 2604 wrote to memory of 1172	2604	VDeck.exe	snss2.exe
PID 2604 wrote to memory of 1172	2604	VDeck.exe	snss2.exe
PID 1172 wrote to memory of 1284	1172	snss2.exe	cmd.exe
PID 1172 wrote to memory of 1284	1172	snss2.exe	cmd.exe
PID 1172 wrote to memory of 1284	1172	snss2.exe	cmd.exe
PID 1172 wrote to memory of 1284	1172	snss2.exe	cmd.exe
PID 1172 wrote to memory of 1284	1172	snss2.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\VDeck Setup.exe
"C:\Users\Admin\AppData\Local\Temp\VDeck Setup.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1380

C:\Program Files (x86)\VDeck\VDeck.exe
"C:\Program Files (x86)\VDeck\VDeck.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2604

C:\Users\Admin\AppData\Local\Temp\661faf09-36ba-4228-b763-03d39395bb7e\snss1.exe
"C:\Users\Admin\AppData\Local\Temp\661faf09-36ba-4228-b763-03d39395bb7e\snss1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
5⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2912

C:\Users\Admin\AppData\Local\Temp\661faf09-36ba-4228-b763-03d39395bb7e\snss2.exe
"C:\Users\Admin\AppData\Local\Temp\661faf09-36ba-4228-b763-03d39395bb7e\snss2.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
4⤵
- System Location Discovery: System Language Discovery
PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\VDeck\System.Runtime.InteropServices.dll

Filesize
86KB

MD5
bbed39118d0fb818c4cfe583e76832b6

SHA1
576058cc3003af3a30654e640db5978863b65393

SHA256
81c16f06b76f9c47d53610c884397cb2d93ea975ec042970cbcd1ae2ff31735d

SHA512
230387d18249cdc6efb65a67509d17def5a4c81b6de008805fe72b5daca3653c90fe6b2c0d7810f036472144b92454f5a784dbd63b956921712ee3167736aec1

Download Submit
C:\Program Files (x86)\VDeck\System.Security.Cryptography.dll

Filesize
1.7MB

MD5
8903578453b0b54962f8db611c0f59f9

SHA1
8472232be661ec1922ae550805b448a9ed9c3d72

SHA256
fc76d70d439b43b747ef2ba15134dfd8d1703499398830778dedfeb58736d876

SHA512
a1436d787332eee1c666a4f8d8cddf903319648ba6be43689d1a2c0d3c25a9587d0f34939ea686883bb20e1d73a3dc85ff2c8e0c644cb0535d0809a131ca7125

Download Submit
C:\Program Files (x86)\VDeck\VDeck.exe

Filesize
289KB

MD5
1ffd8066011d15e46c033fdc7c5bd16d

SHA1
ed4ed53aab7ba5f6288942584df4cb85be18003e

SHA256
507c6afeba30106b391d0304d354254a90404a4ba62d867c09b69044be841de5

SHA512
adec4f6416c39602acc635dd0e0f683e176df371e7210405dd89c3563e95aede96d21efcc62edd02ce13351e4dc11137552958d4603cf5a2a7d977069146c273

Download Submit
C:\Program Files (x86)\VDeck\mscorrc.dll

Filesize
133KB

MD5
757067060d31716069439d1c60b7f844

SHA1
67eca443322593797737d542f4b138d9521461c3

SHA256
5d8f35867f8c5a21d9708c4f3e77b926bdcdf4a1d46be81550c55f1239e12878

SHA512
40d1ba29154d1e6f15889895dbd80ed3509b14ce199a72cd7f5a5083976d0a3393e406eda37dd4d89778cbae563020fe6da5082ed10b97e89926a3be34126299

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD29D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9455.tmp\ioSpecial.ini

Filesize
1KB

MD5
826eae9c9edf1d05a29cf68280408c5a

SHA1
5dba95659ff000464ea0bab4d8e94197744d30f3

SHA256
e11a5ee660cc66398537c25f813100a886c615cd123210ae69976cab61825b37

SHA512
9cc56fa48799e5aa827680de886eada2716a0a0b9019583f78c2f28f59a75bdbc3800ed2e98cf1714cf7d2ab6c1ec8ba5a647d740550eccd6f426447c4ce03d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9455.tmp\ioSpecial.ini

Filesize
1KB

MD5
3a8c46c080b668b8dd7c2d916cd678dc

SHA1
b525b2b82220194c7e5dd1d352f40d83ebe0eb7e

SHA256
5272311660e46f2605940e967dea1d668d26ea808117b25b663b7303721586e0

SHA512
7d1f710dfd655b96041217556f50a6fb546a9f79bfe06ea7d00c65ee5e9bfd93d7493a2812fdfc9ebf7761b935d7cd97e53d232fa7c153effa5d575a9e99c725

Download Submit
\Program Files (x86)\VDeck\Microsoft.Win32.Primitives.dll

Filesize
15KB

MD5
300c95ff95b52e8a02fec6bfcfa58225

SHA1
b646f89fcd463ad5c19889b4fea40540568b780c

SHA256
f1b40565e5c4c41da810aee5b7d2272a0906e88f796812435aa5ed712bcac40c

SHA512
9bfe0eb6eea98b2d35aa42986a273ec82424143965e173b32bb4b7e5537580a027940a6952a45fc54f0b665e871deb2a95651106c2f24c7de3b3d3cd2dec7e89

Download Submit
\Program Files (x86)\VDeck\System.Collections.Concurrent.dll

Filesize
246KB

MD5
0f849ea0f9408fdaf999ee8443f9ae02

SHA1
be76d857dbda71afd167912bb148ae8406b11490

SHA256
5d37561e4b1e8139fa8d83ab5d382643fc72a288cddc2e2ec580c637fe857c42

SHA512
3cc7fee424947c2f4b521ad05c718c52f88c6b4152762b4ee256598fba2b823152f90b705c41b0acbae124a8db576ed435e75cdb8440093085d135c433e6a3f6

Download Submit
\Program Files (x86)\VDeck\System.Collections.Specialized.dll

Filesize
90KB

MD5
e1f43907949d5d831324d06445a7e5fe

SHA1
eef81e1aa9ddbe797585bab6e011e0e7be8d8992

SHA256
e399a9419c7d94046fe6f3d7b88224666496b160d1cc2f942a1477061c233f97

SHA512
6aa89e289780dde21c1626a6fbbe838118f81463a43ff5ea2196bf1a53d115fe61316ab3da5e119c88115cfddf9fd11a22aaa688d73a318066b015b3aee4984e

Download Submit
\Program Files (x86)\VDeck\System.Collections.dll

Filesize
234KB

MD5
1a70954d51a08dffcb4256ad3c978ee6

SHA1
5a29053dcbd0d5599a27580f61e2e71aa54666fc

SHA256
7aab49f1efcf2db52912eae149937184b1b7e0e8c9953258d8fed5ff58b7a828

SHA512
d05d862353be02816085fda4b43d47c2a03af482ad5242e352c4dd5d291ef6a414faa71f430f0294d2c334ebc994e392e21553490f4d55c0383fe9f015981646

Download Submit
\Program Files (x86)\VDeck\System.ComponentModel.Primitives.dll

Filesize
74KB

MD5
158fdbf63c6374da304beb31a524565b

SHA1
644aa4a08565057d0cf541ec40a0059f019fd56e

SHA256
017fefedaa96d8aea524053cb887f8432b8e5e2500366c10c78978db60d5e87f

SHA512
53f020a93f6924a4b97a1e1f3036494df8d599a724ad7e7e8c46a25ed54b5cc33e0cd4682a90006e392c064e542e1f683c15b8f07cc6d26232ed676a3e080dea

Download Submit
\Program Files (x86)\VDeck\System.Diagnostics.TraceSource.dll

Filesize
126KB

MD5
bdea2bf4ae4d11a6cdb14b96f108ddf1

SHA1
90282ec0c1deb29e2adbe4390925007341136dee

SHA256
c5972b470d97e492dd1b1e126a5807b9ed64012f2d858cc17a5e8d604b3277d9

SHA512
15595d3f5f686b58caea08d76e34f581024dda1a74e959c2caea407b3d39e3988a617d6a9ea0184ea8b0f8caa79ba11745b211368d957b689542961575800616

Download Submit
\Program Files (x86)\VDeck\System.Drawing.Common.dll

Filesize
1.3MB

MD5
32e951b1a27f1269ec64a66b1fe81965

SHA1
7b54cce3c5b6611c436ef1169c871449a8263fe2

SHA256
01b1d64a1f11788155cc977fd39a64e043e5a09331113b6a3466e55dfe5aecfb

SHA512
3713adce1c489f2d2ac8935f0489744f6dfb12ccdb616eb0df656940c6f1dfc60be2af13bf4596df03b3d7bbc0b714aef9f5efb4358a57984543685b60415f45

Download Submit
\Program Files (x86)\VDeck\System.Drawing.Primitives.dll

Filesize
126KB

MD5
153b0a87313d2d08e66c7df74005d41e

SHA1
171afa42580c83459028a8ea4536db3ad55d4751

SHA256
bfa47355b7048e91f0a5886bc49bff1a7c48b930883f01078981511fa226c515

SHA512
eb0196db1adfec0e315b18a5ceef460fd37f2d2ffc2123119926eb0cf78c9fcc31d4d99da208eac4118a18633178cc89b155a21e13e3e0ebbcee43efef763618

Download Submit
\Program Files (x86)\VDeck\System.IO.FileSystem.dll

Filesize
15KB

MD5
35e27f4c681085a4b096826ee8ea4f53

SHA1
cf3ea4304e5558c8fdd4422e4d72509cd91ea719

SHA256
7bd41c6b12b73e6e90476f2d56db8581664abe07e7ab9bf2917bb254ed1d75ad

SHA512
1f9e6519ff29524e57cb0b3576ab118014293aade8f30027ef44b1f29a8e9a54e7bcb3b288a92dba996053b16016807d93fa9f44f2c43666ddc6425ddd7ae4b9

Download Submit
\Program Files (x86)\VDeck\System.Memory.dll

Filesize
142KB

MD5
38baaab0c6b7954f5e10ec726f900bab

SHA1
c96fdc8e192bc0830e7e90e3f0c604ac3d8018a2

SHA256
95983565ff4d3a9a90870c9279e3b047aaef00350c0f88a05704e7623110e5a4

SHA512
68749fdf1d7a090cd974e9a571d3625e62f5a91904df1279220c4fdad665bf94659b72b0448b23019c3f9101dc793f7f1efeed49c430404a0e6e4db6998ef992

Download Submit
\Program Files (x86)\VDeck\System.Private.CoreLib.dll

Filesize
12.0MB

MD5
ffbb715d8ddf1f50aceaec01830c6b62

SHA1
7797e33b410c08b71402d19d34cae0eb27ffc783

SHA256
08f5bf904290c6a251f0b685b2a625982aeb1cee9b4388cf4a6639b4101da599

SHA512
d9ad6f3eb4336fbe17ef783fd58cf412483a6eb19d4a190d2d682fb32b5912d7e32249c5614b98f9fd1190f0a91386b65d6cce6463132320f41c709bdfcf6e25

Download Submit
\Program Files (x86)\VDeck\System.Private.Xml.Linq.dll

Filesize
358KB

MD5
4f2a07bfac64a0ccd44dc4bff3c2c1d9

SHA1
bb83173f90581e2b834485286a69d6de3736b6c5

SHA256
9a7574bda3747cb1bb0a7897b01b83f0844e4eee68e5cf62c5adb4d747560a37

SHA512
e61db3fa1ce20c968bf3e9cbc2eb5a8ca079fda2a2dabfb3f620a3f7f239be9a8c8885f707aaa9b41460e707adb63cc830bcf8fc7392b3501cf39cef5e260477

Download Submit
\Program Files (x86)\VDeck\System.Private.Xml.dll

Filesize
7.1MB

MD5
f272d38a8fe09920da2aecd1b2daa743

SHA1
24013eae19f22f445b849db3b28b6b4698f9067c

SHA256
52df59be36a0cf35b26ec2b504386cbb88a4804107d700e9e12b6d5caf4c7fc0

SHA512
bc979a847caadb683a84948742e84054fcaa3cf78abb5e1f3e65b09d50cfa13dc26a90b814e6e89cb72a112dac1b034eb23319cd39d9da6edd5f418e94d49190

Download Submit
\Program Files (x86)\VDeck\System.Runtime.dll

Filesize
42KB

MD5
53501b2f33c210123a1a08a977d16b25

SHA1
354e358d7cf2a655e80c4e4a645733c3db0e7e4d

SHA256
1fc86ada2ec543a85b8a06a9470a7b5aaa91eb03cfe497a32cd52a1e043ea100

SHA512
9ef3b47ddd275de9dfb5ded34a69a74af2689ebcb34911f0e4ffef9e2faf409e2395c7730bce364b5668b2b3b3e05a7b5998586563fb15e22c223859b2e77796

Download Submit
\Program Files (x86)\VDeck\System.Security.Cryptography.Algorithms.dll

Filesize
17KB

MD5
8f3b379221c31a9c5a39e31e136d0fda

SHA1
e57e8efe5609b27e8c180a04a16fbe1a82f5557d

SHA256
c99c6b384655e1af4ae5161fe9d54d95828ae17b18b884b0a99258f1c45aa388

SHA512
377f4e611a7cf2d5035f4622c590572031a476dd111598168acea1844aaa425c0fe012c763fbc16290c7b32c6c7df7b2563c88227e3dbc5d2bd02250c9d368d9

Download Submit
\Program Files (x86)\VDeck\System.Security.Cryptography.Csp.dll

Filesize
15KB

MD5
c7f55dbc6f5090194c5907054779e982

SHA1
efa17e697b8cfd607c728608a3926eda7cd88238

SHA256
16bc1f72938d96deca5ce031a29a43552385674c83f07e4f91d387f5f01b8d0a

SHA512
ae0164273b04afdec2257ae30126a8b44d80ee52725009cc917d28d09fcfb19dfbbb3a817423e98af36f773015768fed9964331d992ad1830f6797b854c0c355

Download Submit
\Program Files (x86)\VDeck\System.Security.Cryptography.Primitives.dll

Filesize
15KB

MD5
777ac34f9d89c6e4753b7a7b3be4ca29

SHA1
27e4bd1bfd7c9d9b0b19f3d6008582b44c156443

SHA256
6703e8d35df4b6389f43df88cc35fc3b3823fb3a7f04e5eb540b0af39f5fa622

SHA512
a791fa27b37c67ace72956680c662eb68f053fa8c8f4205f6ed78ecb2748d27d9010a8de94669d0ee33a8fca885380f8e6cfad9f475b07f60d34cdcb02d57439

Download Submit
\Program Files (x86)\VDeck\System.Threading.Thread.dll

Filesize
15KB

MD5
72d839e793c4f3200d4c5a6d4aa28d20

SHA1
fbc25dd97b031a6faddd7e33bc500719e8eead19

SHA256
84c9a95609878542f00fe7da658f62d1a6943a43e6346af80d26bcff069a4dbd

SHA512
a414cd9d7cf6a04709f3bdbef0295349b845a8301171ed6394e97b9993f35816383b958736c814f91c359a783cca86ee04802856486d4b4e0ab90a45da39db1d

Download Submit
\Program Files (x86)\VDeck\System.Threading.dll

Filesize
78KB

MD5
6052426c5bca2a85cf643b67f2d427d5

SHA1
0d8d654e361e7a738205fb18b47635661696cad3

SHA256
805d22cd608633508dc74cfe1941c46df4f7150cf53e7bf07d9ca99761c64d03

SHA512
2204c5a11b18687fde815ec88e5f7ce34c0572f80645f4bca8a572ed50b50411b6eeb8a0ac25e49fdd32ba97326e7aab5617f83f2a54f64dcbe2f64380cbfe10

Download Submit
\Program Files (x86)\VDeck\System.Windows.Forms.Primitives.dll

Filesize
2.6MB

MD5
d13f42b37b1bd87b1c01764d0cefa60e

SHA1
add9a4ccafb46c2ddf3f4128acf53d890b20e422

SHA256
6f8f12f680528db2af7ac46acda8f361dde3715ece345cf02b35a51db76a0752

SHA512
f6414ad66da3c6da3a0475f4c050746ef2fa1b6240f4ef2b0582e59acdb75b3d0189c8ce5b423423f32558821a331d7be70555f4f9e3e82e71175e7aacfc2fd7

Download Submit
\Program Files (x86)\VDeck\System.Windows.Forms.dll

Filesize
12.2MB

MD5
31fe7c80a7b253d0bb297fad937ebb32

SHA1
1addcf55e1ac796e086b25b03c1a61709dd754d1

SHA256
cea0f47c1d5737d454646c4ea89ff4c5430f21ffc84e44f9eb1996ca9b0e83c4

SHA512
352d3ba22d6479224b7bc96e09474478b0dbd9cfbe9dce3efbd3897ac29f4532a6acd4d5642f8d9f96f3a322676499efac0d4b1c6b50512d742ebce92c988766

Download Submit
\Program Files (x86)\VDeck\VDeck.dll

Filesize
707KB

MD5
a171e22080164d7d67e75ce0e48029d4

SHA1
eaef3f5fe04c5d69af1c7cd1a46e109499e80008

SHA256
8235088f8685df121dccfcf1ffcc6bd9a7eb9728bb1cfb4d86479f5363aa8dff

SHA512
26bede3ebfc39846d08f620cbff6f3ec93c1cb94c07804a2665576bb4a30b79973eddec07cd7bfcdf4781b8c2b604f3c0c142522d458b6605bfd5f99945cfef4

Download Submit
\Program Files (x86)\VDeck\clrjit.dll

Filesize
1.5MB

MD5
30f426cc5f54a918c9e72a20413b4853

SHA1
d3c8ed69652cf84e246aa946d99cd93d0f83b547

SHA256
7b2ac32ef1931e8ace2611522a727eda5bf7703356a137f2bec29af9a17f66fd

SHA512
efca28baa3b150d7c28e954391252c628ae703daba715d2ca3393b6fe337f861acdd8fcfdfa2d974eddd53c48f16bb546a41ae83ad005b8d54896d52acd4b16f

Download Submit
\Program Files (x86)\VDeck\coreclr.dll

Filesize
4.0MB

MD5
8e9dfff41edfdc5f1b312390b7c3ee00

SHA1
1e7751697de8731594c3dcdb1a64cd0bc36b73d6

SHA256
3d922f86ae7361b77d76840ea7e13444960dabe96e76ce0ce3742f98ebdb9e60

SHA512
287817da8df0301656978b98129d0e7833c7f6dd49bc4e661efcdc201744cb4fa7cbcef2d6fe384074dacb083a2196b522655bf806c5ce42e59a9f8579149d38

Download Submit
\Program Files (x86)\VDeck\hostfxr.dll

Filesize
286KB

MD5
9a7150ea9b6f4841edd6b67bb36ee68e

SHA1
14a9b59defef035d73be3e0d36eb231a18e44228

SHA256
0a0b8871ab1ff0b8b3d6a33bd830c36efac5447422a05cb42597650579351148

SHA512
69e0fd818fdb228bbfad59f979746ba20d2a1063f810aaee02088374b7d9c7bc6c89c6433639bcbcacd47ee81b3c40b575c377b958d8748885186a07577cd265

Download Submit
\Program Files (x86)\VDeck\hostpolicy.dll

Filesize
326KB

MD5
6e311781b44dc42bb9d032faf049a49a

SHA1
04bd8b1f0ec632db34a632c79a1805de93088dac

SHA256
a0fae8cd9409038ee4f7a58f54f65847c96d33bf76e690e5430e975320b05a08

SHA512
4c723176695e573269c4406deb421e05c41e31cab8f6329a40d26914c3ead960952e98558b418b294fb1e41d45863e4ca01074f8716dcbd8563c18d5e9a1b5e1

Download Submit
\Users\Admin\AppData\Local\Temp\nsd9455.tmp\InstallOptions.dll

Filesize
15KB

MD5
d095b082b7c5ba4665d40d9c5042af6d

SHA1
2220277304af105ca6c56219f56f04e894b28d27

SHA256
b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c

SHA512
61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9

Download Submit
\Users\Admin\AppData\Local\Temp\nsd9455.tmp\LangDLL.dll

Filesize
5KB

MD5
50016010fb0d8db2bc4cd258ceb43be5

SHA1
44ba95ee12e69da72478cf358c93533a9c7a01dc

SHA256
32230128c18574c1e860dfe4b17fe0334f685740e27bc182e0d525a8948c9c2e

SHA512
ed4cf49f756fbf673449dca20e63dce6d3a612b61f294efc9c3ccebeffa6a1372667932468816d3a7afdb7e5a652760689d8c6d3f331cedee7247404c879a233

Download Submit
\Users\Admin\AppData\Local\Temp\nsd9455.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
memory/644-759-0x0000000070EF0000-0x0000000071064000-memory.dmp

Filesize
1.5MB

Download
memory/644-757-0x00000000779A0000-0x0000000077B49000-memory.dmp

Filesize
1.7MB

Download
memory/1172-822-0x0000000000400000-0x0000000000BFC000-memory.dmp

Filesize
8.0MB

Download
memory/1172-825-0x0000000070830000-0x00000000709A4000-memory.dmp

Filesize
1.5MB

Download
memory/1172-824-0x00000000779A0000-0x0000000077B49000-memory.dmp

Filesize
1.7MB

Download
memory/1172-823-0x0000000070830000-0x00000000709A4000-memory.dmp

Filesize
1.5MB

Download
memory/1552-736-0x0000000070EF0000-0x0000000071064000-memory.dmp

Filesize
1.5MB

Download
memory/1552-737-0x00000000779A0000-0x0000000077B49000-memory.dmp

Filesize
1.7MB

Download
memory/1552-734-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1552-754-0x0000000070EF0000-0x0000000071064000-memory.dmp

Filesize
1.5MB

Download
memory/1552-735-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download
memory/2912-761-0x00000000005A0000-0x00000000007E5000-memory.dmp

Filesize
2.3MB

Download
memory/2912-819-0x00000000005A0000-0x00000000007E5000-memory.dmp

Filesize
2.3MB

Download
memory/2912-767-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2912-766-0x00000000005A0000-0x00000000007E5000-memory.dmp

Filesize
2.3MB

Download
memory/2912-763-0x00000000005A0000-0x00000000007E5000-memory.dmp

Filesize
2.3MB

Download
memory/2912-762-0x00000000779A0000-0x0000000077B49000-memory.dmp

Filesize
1.7MB

Download