hijackloader | 1b7e4f1adc6780bc528758fd206329150a6c0d61be13b4d186de4b80ad604a03

Analysis

max time kernel
148s
max time network
141s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14-08-2024 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VDeck Setup.exe
Size

40.0MB
MD5

b9d8bed2a79c0b77af4640a28900d891
SHA1

01ca342cdb9e1ae97799771001eca8cface9afc6
SHA256

1b7e4f1adc6780bc528758fd206329150a6c0d61be13b4d186de4b80ad604a03
SHA512

e1465a42c83b0c71aa9d00343d8fe548dbf623802623ca9a20909bc16e1145ba1e6ba72b8ddb9e65c3aff4df22a2a0fb2fa474a494b23fbc15a641875eddb7f0
SSDEEP

786432:56pXKzUhllZSObZChkvj+FKVtv5cUxcppRQkvheVepVNn58lB45aBowl2v5M:5QKzOKhkKAVtCnppGV458lBsa6wk6

Score

10^/10

hijackloader stealc cloregod8 credential_access discovery evasion execution loader persistence spyware stealer

Malware Config

Extracted

Family

stealc

Botnet

cloregod8

http://45.156.27.45

Attributes

url_path
/dc0de592dc0f725c.php

Signatures

Detects HijackLoader (aka IDAT Loader) 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2672-341-0x0000000000400000-0x00000000008AA000-memory.dmp	family_hijackloader
behavioral1/memory/2588-494-0x0000000000400000-0x0000000000549000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	rundll32.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exe

flow	pid	Process
22	2508	rundll32.exe
23	2508	rundll32.exe
33	2508	rundll32.exe
36	2508	rundll32.exe
38	2508	rundll32.exe
41	2508	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2480	powershell.exe
2896	powershell.exe
2592	powershell.exe
1336	powershell.exe
1776	powershell.exe

Downloads MZ/PE file

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

rundll32.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\A3D90235\Parameters\ServiceDll = "C:\\ProgramData\\JKEGDHCFCA.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\A3D90235\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/files/0x000400000001cd60-277.dat	net_reactor

Executes dropped EXE 5 IoCs

Processes:

VDeck.exesnss1.exesnss2.exe5b431fd4.exe5b431fd4.exe

pid	Process
976	VDeck.exe
2672	snss1.exe
2588	snss2.exe
1260	5b431fd4.exe
2016	5b431fd4.exe

Loads dropped DLL 64 IoCs

Processes:

VDeck Setup.exeVDeck.exe

pid	Process
2372	VDeck Setup.exe
2372	VDeck Setup.exe
2372	VDeck Setup.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe
976	VDeck.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 2 IoCs

Processes:

snss1.exesnss2.exe

description	pid	Process	procid_target
PID 2672 set thread context of 2752	2672	snss1.exe	35
PID 2588 set thread context of 1732	2588	snss2.exe	54

Drops file in Program Files directory 64 IoCs

Processes:

VDeck Setup.exepowershell.exe

description	ioc	Process
File created	C:\Program Files (x86)\VDeck\System.ComponentModel.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Security.Permissions.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Collections.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.IO.Packaging.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Security.AccessControl.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Threading.Channels.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Threading.Overlapped.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.IO.IsolatedStorage.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Runtime.InteropServices.RuntimeInformation.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\WindowsFormsIntegration.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\PresentationFramework.Aero.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Diagnostics.TraceSource.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\UIAutomationProvider.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\VDeck.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Design.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.IO.Compression.Brotli.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.IO.Pipes.AccessControl.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Runtime.Loader.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Security.Cryptography.Encoding.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Diagnostics.FileVersionInfo.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Diagnostics.TextWriterTraceListener.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Security.Cryptography.Algorithms.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Resources.ResourceManager.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Windows.Forms.Design.Editors.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Net.Requests.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\UIAutomationClientSideProviders.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Security.Principal.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Data.DataSetExtensions.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Diagnostics.Tools.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Linq.Expressions.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Reflection.Emit.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Runtime.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Drawing.Primitives.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.IO.Pipes.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.ObjectModel.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Windows.Extensions.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Formats.Tar.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Runtime.Serialization.Formatters.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Xml.XDocument.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\PresentationCore.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Globalization.Extensions.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.IO.UnmanagedMemoryStream.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Net.HttpListener.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Security.Cryptography.X509Certificates.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.ServiceModel.Web.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Text.Encoding.CodePages.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\clrgc.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\clrjit.dll	VDeck Setup.exe
File opened for modification	C:\Program Files (x86)\VDeck\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files (x86)\VDeck\System.Collections.Immutable.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Linq.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Private.DataContractSerialization.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Core.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Globalization.Calendars.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Security.SecureString.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\Accessibility.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Text.Encoding.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Windows.Forms.Primitives.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\msquic.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Collections.Specialized.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Runtime.Serialization.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\mscordaccore_x86_x86_7.0.1423.51910.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Reflection.Metadata.dll	VDeck Setup.exe
File created	C:\Program Files (x86)\VDeck\System.Reflection.dll	VDeck Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exerundll32.exesnss2.exe5b431fd4.exeVDeck Setup.exepowershell.exesnss1.execmd.exe5b431fd4.exerundll32.exepowershell.exerundll32.exesvchost.exeexplorer.exeVDeck.exepowershell.exepowershell.exepowershell.exeexplorer.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	snss2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b431fd4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VDeck Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	snss1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b431fd4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VDeck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Checks processor information in registry 2 TTPs 20 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exeexplorer.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

VDeck.exerundll32.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	VDeck.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	VDeck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8CBC50F9901F0F987F9CF644789B16818EE5AB30	VDeck.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8CBC50F9901F0F987F9CF644789B16818EE5AB30\Blob = 1400000001000000140000001f4737e46d4fdb674b9cf5783002a61e06697a260300000001000000140000008cbc50f9901f0f987f9cf644789b16818ee5ab300f0000000100000020000000ff0e82313c671ab93766ae51edacddaaa48e2a22509ba5be2c914a2307b6346d2000000001000000320200003082022e30820197a003020102020824d83a0c749a63dc300d06092a864886f70d01010b0500304f3115301306035504030c0c495352472052656f7420583131293027060355040a0c20496e7465726e65742053656375726974792052657365617263682047726f7570310b3009060355040613025553301e170d3232303831353035323133355a170d3236303831343035323133355a304f3115301306035504030c0c495352472052656f7420583131293027060355040a0c20496e7465726e65742053656375726974792052657365617263682047726f7570310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100b0f189d125910c4a1ce67fe5f3d91577375247006c46f485f44bf4e0c4bf8232560316dae64591a0533624a2d7dec5d51c27d18563e9328bfd7523fa321ddac0329588c3eb3f92ddf29d064e4326ade3a075242ca2ddb52936ff30884b124f5b2a0fd83d101ae5dc9a22d143a63967abbb46fa8c2ad383a012202555f4a0f2830203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010b050003818100099ccc8568f5bd3d4c9e7cdd3f4a60660646b235ad8c8a6586376b7004e856658b8f05ddb419ae7a8b07724c5b82f5f7567128e069b8241f945186e25071f6276f142f595219cd27028cacdf047097a7f8e7fdbd0457630105e09611ef980ef06f73d7246d9f7247261b8a2ca7d9d02d9e73e97d95cffad79fc757816aee1e15	VDeck.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8CBC50F9901F0F987F9CF644789B16818EE5AB30\Blob = 190000000100000010000000ee4a9b04e1cd3a6f0da0a3002b4942850f0000000100000020000000ff0e82313c671ab93766ae51edacddaaa48e2a22509ba5be2c914a2307b6346d0300000001000000140000008cbc50f9901f0f987f9cf644789b16818ee5ab301400000001000000140000001f4737e46d4fdb674b9cf5783002a61e06697a262000000001000000320200003082022e30820197a003020102020824d83a0c749a63dc300d06092a864886f70d01010b0500304f3115301306035504030c0c495352472052656f7420583131293027060355040a0c20496e7465726e65742053656375726974792052657365617263682047726f7570310b3009060355040613025553301e170d3232303831353035323133355a170d3236303831343035323133355a304f3115301306035504030c0c495352472052656f7420583131293027060355040a0c20496e7465726e65742053656375726974792052657365617263682047726f7570310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100b0f189d125910c4a1ce67fe5f3d91577375247006c46f485f44bf4e0c4bf8232560316dae64591a0533624a2d7dec5d51c27d18563e9328bfd7523fa321ddac0329588c3eb3f92ddf29d064e4326ade3a075242ca2ddb52936ff30884b124f5b2a0fd83d101ae5dc9a22d143a63967abbb46fa8c2ad383a012202555f4a0f2830203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010b050003818100099ccc8568f5bd3d4c9e7cdd3f4a60660646b235ad8c8a6586376b7004e856658b8f05ddb419ae7a8b07724c5b82f5f7567128e069b8241f945186e25071f6276f142f595219cd27028cacdf047097a7f8e7fdbd0457630105e09611ef980ef06f73d7246d9f7247261b8a2ca7d9d02d9e73e97d95cffad79fc757816aee1e15	VDeck.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	VDeck.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	VDeck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8CBC50F9901F0F987F9CF644789B16818EE5AB30	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8CBC50F9901F0F987F9CF644789B16818EE5AB30\Blob = 0300000001000000140000008cbc50f9901f0f987f9cf644789b16818ee5ab302000000001000000320200003082022e30820197a003020102020824d83a0c749a63dc300d06092a864886f70d01010b0500304f3115301306035504030c0c495352472052656f7420583131293027060355040a0c20496e7465726e65742053656375726974792052657365617263682047726f7570310b3009060355040613025553301e170d3232303831353035323133355a170d3236303831343035323133355a304f3115301306035504030c0c495352472052656f7420583131293027060355040a0c20496e7465726e65742053656375726974792052657365617263682047726f7570310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100b0f189d125910c4a1ce67fe5f3d91577375247006c46f485f44bf4e0c4bf8232560316dae64591a0533624a2d7dec5d51c27d18563e9328bfd7523fa321ddac0329588c3eb3f92ddf29d064e4326ade3a075242ca2ddb52936ff30884b124f5b2a0fd83d101ae5dc9a22d143a63967abbb46fa8c2ad383a012202555f4a0f2830203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010b050003818100099ccc8568f5bd3d4c9e7cdd3f4a60660646b235ad8c8a6586376b7004e856658b8f05ddb419ae7a8b07724c5b82f5f7567128e069b8241f945186e25071f6276f142f595219cd27028cacdf047097a7f8e7fdbd0457630105e09611ef980ef06f73d7246d9f7247261b8a2ca7d9d02d9e73e97d95cffad79fc757816aee1e15	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8CBC50F9901F0F987F9CF644789B16818EE5AB30\Blob = 0f0000000100000020000000ff0e82313c671ab93766ae51edacddaaa48e2a22509ba5be2c914a2307b6346d0300000001000000140000008cbc50f9901f0f987f9cf644789b16818ee5ab302000000001000000320200003082022e30820197a003020102020824d83a0c749a63dc300d06092a864886f70d01010b0500304f3115301306035504030c0c495352472052656f7420583131293027060355040a0c20496e7465726e65742053656375726974792052657365617263682047726f7570310b3009060355040613025553301e170d3232303831353035323133355a170d3236303831343035323133355a304f3115301306035504030c0c495352472052656f7420583131293027060355040a0c20496e7465726e65742053656375726974792052657365617263682047726f7570310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100b0f189d125910c4a1ce67fe5f3d91577375247006c46f485f44bf4e0c4bf8232560316dae64591a0533624a2d7dec5d51c27d18563e9328bfd7523fa321ddac0329588c3eb3f92ddf29d064e4326ade3a075242ca2ddb52936ff30884b124f5b2a0fd83d101ae5dc9a22d143a63967abbb46fa8c2ad383a012202555f4a0f2830203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010b050003818100099ccc8568f5bd3d4c9e7cdd3f4a60660646b235ad8c8a6586376b7004e856658b8f05ddb419ae7a8b07724c5b82f5f7567128e069b8241f945186e25071f6276f142f595219cd27028cacdf047097a7f8e7fdbd0457630105e09611ef980ef06f73d7246d9f7247261b8a2ca7d9d02d9e73e97d95cffad79fc757816aee1e15	VDeck.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

snss1.exepowershell.exepowershell.exepowershell.execmd.exeexplorer.exerundll32.exepowershell.exerundll32.exesnss2.exe

pid	Process
2672	snss1.exe
2672	snss1.exe
2896	powershell.exe
2592	powershell.exe
1336	powershell.exe
2752	cmd.exe
2752	cmd.exe
1772	explorer.exe
2508	rundll32.exe
1776	powershell.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2220	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2220	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2220	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2220	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2220	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2588	snss2.exe
2588	snss2.exe
2220	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2220	rundll32.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

snss1.execmd.exesnss2.execmd.exe

pid	Process
2672	snss1.exe
2752	cmd.exe
2588	snss2.exe
1732	cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

snss2.exe

pid	Process
2588	snss2.exe
2588	snss2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VDeck Setup.exeVDeck.exesnss1.execmd.exeexplorer.exesvchost.exerundll32.exerundll32.exesnss2.exe

description	pid	Process	procid_target
PID 2372 wrote to memory of 976	2372	VDeck Setup.exe	31
PID 2372 wrote to memory of 976	2372	VDeck Setup.exe	31
PID 2372 wrote to memory of 976	2372	VDeck Setup.exe	31
PID 2372 wrote to memory of 976	2372	VDeck Setup.exe	31
PID 976 wrote to memory of 2480	976	VDeck.exe	32
PID 976 wrote to memory of 2480	976	VDeck.exe	32
PID 976 wrote to memory of 2480	976	VDeck.exe	32
PID 976 wrote to memory of 2480	976	VDeck.exe	32
PID 976 wrote to memory of 2672	976	VDeck.exe	34
PID 976 wrote to memory of 2672	976	VDeck.exe	34
PID 976 wrote to memory of 2672	976	VDeck.exe	34
PID 976 wrote to memory of 2672	976	VDeck.exe	34
PID 2672 wrote to memory of 2752	2672	snss1.exe	35
PID 2672 wrote to memory of 2752	2672	snss1.exe	35
PID 2672 wrote to memory of 2752	2672	snss1.exe	35
PID 2672 wrote to memory of 2752	2672	snss1.exe	35
PID 976 wrote to memory of 2896	976	VDeck.exe	38
PID 976 wrote to memory of 2896	976	VDeck.exe	38
PID 976 wrote to memory of 2896	976	VDeck.exe	38
PID 976 wrote to memory of 2896	976	VDeck.exe	38
PID 976 wrote to memory of 2592	976	VDeck.exe	40
PID 976 wrote to memory of 2592	976	VDeck.exe	40
PID 976 wrote to memory of 2592	976	VDeck.exe	40
PID 976 wrote to memory of 2592	976	VDeck.exe	40
PID 976 wrote to memory of 1336	976	VDeck.exe	42
PID 976 wrote to memory of 1336	976	VDeck.exe	42
PID 976 wrote to memory of 1336	976	VDeck.exe	42
PID 976 wrote to memory of 1336	976	VDeck.exe	42
PID 2672 wrote to memory of 2752	2672	snss1.exe	35
PID 2752 wrote to memory of 1772	2752	cmd.exe	44
PID 2752 wrote to memory of 1772	2752	cmd.exe	44
PID 2752 wrote to memory of 1772	2752	cmd.exe	44
PID 2752 wrote to memory of 1772	2752	cmd.exe	44
PID 2752 wrote to memory of 1772	2752	cmd.exe	44
PID 1772 wrote to memory of 2508	1772	explorer.exe	46
PID 1772 wrote to memory of 2508	1772	explorer.exe	46
PID 1772 wrote to memory of 2508	1772	explorer.exe	46
PID 1772 wrote to memory of 2508	1772	explorer.exe	46
PID 1772 wrote to memory of 2508	1772	explorer.exe	46
PID 1772 wrote to memory of 2508	1772	explorer.exe	46
PID 1772 wrote to memory of 2508	1772	explorer.exe	46
PID 2032 wrote to memory of 2220	2032	svchost.exe	48
PID 2032 wrote to memory of 2220	2032	svchost.exe	48
PID 2032 wrote to memory of 2220	2032	svchost.exe	48
PID 2032 wrote to memory of 2220	2032	svchost.exe	48
PID 2032 wrote to memory of 2220	2032	svchost.exe	48
PID 2032 wrote to memory of 2220	2032	svchost.exe	48
PID 2032 wrote to memory of 2220	2032	svchost.exe	48
PID 2220 wrote to memory of 1580	2220	rundll32.exe	49
PID 2220 wrote to memory of 1580	2220	rundll32.exe	49
PID 2220 wrote to memory of 1580	2220	rundll32.exe	49
PID 2220 wrote to memory of 1580	2220	rundll32.exe	49
PID 2220 wrote to memory of 1580	2220	rundll32.exe	49
PID 2220 wrote to memory of 1580	2220	rundll32.exe	49
PID 2220 wrote to memory of 1580	2220	rundll32.exe	49
PID 2508 wrote to memory of 1776	2508	rundll32.exe	50
PID 2508 wrote to memory of 1776	2508	rundll32.exe	50
PID 2508 wrote to memory of 1776	2508	rundll32.exe	50
PID 2508 wrote to memory of 1776	2508	rundll32.exe	50
PID 976 wrote to memory of 2588	976	VDeck.exe	53
PID 976 wrote to memory of 2588	976	VDeck.exe	53
PID 976 wrote to memory of 2588	976	VDeck.exe	53
PID 976 wrote to memory of 2588	976	VDeck.exe	53
PID 2588 wrote to memory of 1732	2588	snss2.exe	54

C:\Users\Admin\AppData\Local\Temp\VDeck Setup.exe
"C:\Users\Admin\AppData\Local\Temp\VDeck Setup.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Program Files (x86)\VDeck\VDeck.exe
  "C:\Program Files (x86)\VDeck\VDeck.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    PID:2480
- - C:\Users\Admin\AppData\Local\Temp\f39f05a7-5cf6-479c-84bd-bf994f3ecfd0\snss1.exe
    "C:\Users\Admin\AppData\Local\Temp\f39f05a7-5cf6-479c-84bd-bf994f3ecfd0\snss1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1772
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\ProgramData\JKEGDHCFCA.dll" start
        6⤵
        Modifies visibility of file extensions in Explorer
        Blocklisted process makes network request
        Server Software Component: Terminal Services DLL
        Sets service image path in registry
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\ProgramData\JKEGDHCFCA.dll
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\5b431fd4.exe
        
        C:\Users\Admin\AppData\Local\Temp\5b431fd4.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Windows\Temp\{E71033CB-DDB7-4BB5-A5EA-B6AE0E5B731E}\.cr\5b431fd4.exe
        
        "C:\Windows\Temp\{E71033CB-DDB7-4BB5-A5EA-B6AE0E5B731E}\.cr\5b431fd4.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\5b431fd4.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2016
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2896
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2592
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1336
- - C:\Users\Admin\AppData\Local\Temp\f39f05a7-5cf6-479c-84bd-bf994f3ecfd0\snss2.exe
    "C:\Users\Admin\AppData\Local\Temp\f39f05a7-5cf6-479c-84bd-bf994f3ecfd0\snss2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      PID:1732
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2532

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "c:\programdata\jkegdhcfca.dll",start
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "c:\programdata\jkegdhcfca.dll",start
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\VDeck\Microsoft.Win32.SystemEvents.dll

Filesize
94KB

MD5
2fe959460c69ac2293e0f6ebe52cb056

SHA1
210ee7a5cd8d45ee802f684b9bf34db4bb15c3da

SHA256
2d6e14471063861f8d9dade618df1cb7e71c3b418a4ed4a99e6b6f07d17354c1

SHA512
66ae69d234a9d0e87b0fc608e456c87258b60ccfca75a970e3c68007d593c78c3777529e7cce65a95b1bfe95593acdbf19cdf0b365cb9291d15736a332487020

Download Submit
C:\Program Files (x86)\VDeck\System.Collections.Specialized.dll

Filesize
94KB

MD5
27780df75669034593eaaedbad21cdab

SHA1
49861515166f0539f46cf01b48434f819cf920d2

SHA256
cbb75624d6777a004841dabf935b3587a890bd012cbba45ec5967e084bba1f45

SHA512
6064417534dd8c3fec2b11c2b412493b289af6d7d7f6366a0c764d49299324dddcf0bb7cc14a2b062f5fe26429b7632c261d1ab0d93decd1787b357ac208ed63

Download Submit
C:\Program Files (x86)\VDeck\System.ComponentModel.Primitives.dll

Filesize
74KB

MD5
6c7db5ad1c6e248ffad43b4d7e8e2c5a

SHA1
8c75c684831a9c7684fe675f1f23708895051e69

SHA256
9981c0f8985b8e0645498a48adfeb8d34954aba291c961cde1db08d7de4d1943

SHA512
569431f02c733948054bd7b6bf90b42f668791b129d819dfb423d6fdd82bad1f88b9a2b93e8c290271040c11d4a302c4d43597928052b97fbba8afede10e8c2d

Download Submit
C:\Program Files (x86)\VDeck\System.ComponentModel.dll

Filesize
30KB

MD5
db48b507a0835368b163abb4b568914a

SHA1
644f06f0a82536d593c87b1b77426c0f518aba55

SHA256
6e49732126f5cf3fefa8d09ffac8e7cea0c31903d71b78bd6d0a98f14b765e2b

SHA512
3f2b5ee42e6d441de3213190b2ebbc1eea9624c9d1f9833d2529fc2054b592e5088c28aee719963fadb8014971e8daafabe1aa5597e05dbccfb38324710dcf62

Download Submit
C:\Program Files (x86)\VDeck\System.Diagnostics.FileVersionInfo.dll

Filesize
46KB

MD5
ce9aae102f0798a546285bb183fc3ac5

SHA1
154c9e9f90b2032f0562e9cbca8176c51b790e13

SHA256
ff2f414912e4abc7e3dc9e059357ed34a4073c5d169857b7b8cc709c535ed7ea

SHA512
4e57e06c32db9a463d1ad55d433181ec550f26f92bd0cea6990121c6b434f1b315e499ee4e4933f0d5f4c41ca7be68b53b7249dcd4b85a0dd899d504f11236e4

Download Submit
C:\Program Files (x86)\VDeck\System.Diagnostics.StackTrace.dll

Filesize
46KB

MD5
f4a1c31045f50c149692c0174efdcfcd

SHA1
c0adcbc7703d3e0248dc280618096b7485783812

SHA256
b477e753c74914dd979c18652cd954c3a10b5393b27ebb0641ceb0841082b538

SHA512
ab16156874e332a98446c0c4b287724b7da28b7cb4e8de359a95cca4b3744c75c71ec929f8239695082d66afd2d2f13d7bad077fe65335c2013415e1239f0ab8

Download Submit
C:\Program Files (x86)\VDeck\System.Diagnostics.TraceSource.dll

Filesize
130KB

MD5
823dc83d1941a6d0980ddd3fc206afde

SHA1
aaaaede06866b984d5fa4f891408b345bcdcb655

SHA256
095b98401940e0115a42faa71970fbad77faafc0b8c7b1d31efa4cc98e517366

SHA512
5d243f67e2617bc1d0ff9415a217a6b5c48b99025db8aa4aa63f392d68bff9d3feacd676cd497d4b21e585019721910fab6d61e3e4f874085f18b7310d25230f

Download Submit
C:\Program Files (x86)\VDeck\System.Drawing.Common.dll

Filesize
1.3MB

MD5
1a16a5af18f36eff5525cbba9182a59f

SHA1
f769192970efae75e6f4614d8da44e7ff6cebde4

SHA256
d1de2f83e34fb6b3f9f2ff28e290e935f72b40c8053d0b36515cb9ea5a6eac6b

SHA512
1329a2f6476f7b6410d40ed9c027a569d3144e56b4ae1483888d761c6ac8d4d765285fa0d08ce9b885c14b1636652b1197c1a59c6f114f1f5121f58c47520611

Download Submit
C:\Program Files (x86)\VDeck\System.Drawing.Primitives.dll

Filesize
126KB

MD5
f7418b3c7cb9684ce513aba65a7a1cd6

SHA1
b7490f8f9ba250f05907001769e1769d9db4bdc6

SHA256
4f5bf9840718fa043fc355e5b8c0d9760d8d3e3de8a8fce1532729e0c9c18a59

SHA512
202d150a84654a7d27b2aacdefda9b4f37037de692510c29e45d2c18410a7579e2a42bd0836797ade09c29bba8afbbc7b82e30e09ab74f191b079e2d30cb11c0

Download Submit
C:\Program Files (x86)\VDeck\System.Memory.dll

Filesize
150KB

MD5
99d539480ec14a1e0d67ce4c5794bc56

SHA1
edc8ce78de84b674ad45c22d78e0c66c0705e8d6

SHA256
62875296f322fee08716745f143ce63315416cc80f91c795562c6373fa5f7904

SHA512
ab4a26b3f3568451b62e6e76cdb68b80032f4ce0aff74ec0addbe549624655a6cd002671d7186b1a2ae3de8af4ae4457f9e67eb3eb6bd0fb89d54a6d28018103

Download Submit
C:\Program Files (x86)\VDeck\System.Numerics.Vectors.dll

Filesize
15KB

MD5
e694117068a885e95cc872d799800d43

SHA1
7950be260c871e95ede419def3138008c6c09be5

SHA256
1440a4abf195c2f6da3420b2f497a3e4f8d67aaeede553f3ac171a15e7460fdf

SHA512
52fc5f7d692d6f43364a67d8173c99ddca35e62ffb42b8474042198b4fd06f35839ccf2884fc2faa9b570f71c1ab892c43aa5ec71f3904dc1e10a03e462ce155

Download Submit
C:\Program Files (x86)\VDeck\System.Private.CoreLib.dll

Filesize
10.5MB

MD5
703470f5af7984cec05b0956562a0ba6

SHA1
8dcff4d0039c45bffa52c339d9d257ff3fdf8bb1

SHA256
aa28b8b56cafd31d582bd6b0b404037a1547a99381c9fcb424c905a027e7f816

SHA512
01255321d318d6f084a70e93727fee89ed907fcdd092fead0f7e37608667ac9517a5840b88326736402f25f0cb63f727bb941e76713c6b3b4931bdf09f9d7943

Download Submit
C:\Program Files (x86)\VDeck\System.Windows.Forms.Primitives.dll

Filesize
854KB

MD5
6c5b510dc2fdf6779845a59fa3b48332

SHA1
97015b0060e16bf743c562c068e17c3f5f45424d

SHA256
9147b18cdb9ac48cd18b9f162ea716924b9d7086de658e7f6e7edde5dd0b759e

SHA512
f30ab62668517f77450d9c632bf7d88e9ec3c5f86fc084cd83a73d78a2647a6d5f4fc45b9a90b1a4c5f71f4e9916affc24e52aaa20a6c549aaacf1cad2aa5843

Download Submit
C:\Program Files (x86)\VDeck\System.Windows.Forms.dll

Filesize
12.0MB

MD5
7e4a3a306549e552c39dcee2a64980eb

SHA1
033fd1471f6f52266885ffa2aebd0ce8bd8cbb01

SHA256
5854cd77d7a345abdc6887bd323f724f9857a4bbdd8fae14927432452185e4aa

SHA512
b22bdcc6e8cbc97d163063a1f026376aa69891fbb388b94a5c505a212fded8cae5f68d1b7d145f4308537310b6a9ef3e9366c81e8c53d93a59fc9089a588a090

Download Submit
C:\Program Files (x86)\VDeck\mscorrc.dll

Filesize
134KB

MD5
0d2a223a107f12fcd61cc18d194b798e

SHA1
ed1e72b7a1ff30bc92108f1caefb9a6f4dc69571

SHA256
d1790d27a9dcdb77889feeb2de1476f85bf570e1ad5dae475824be4e58a8001a

SHA512
08dd4c795aaddf999ebff00a4154e6f46526236feeda833d0ecfe72e32c2392b992ae382af8f13022dd2c9e63ad43cd10acad31415755e5ab42b94c7458a523a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabACB5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar46E1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\I1K0TWBMF292OMQRGD3H.temp

Filesize
7KB

MD5
428d1a313832f804e9d8e1f7501d585a

SHA1
99a31f90f5c004391f6de314e695c1bd7c18f22d

SHA256
335b79ffc611ef13f7550a6edb5bf087c08df5c00fb91d7301d196c505698fc9

SHA512
a8457e3a67d3981928e0551ab389be1fdeb4a8156264cc6aee3df7f581b6b3e6d620ed9be7effd3a757006eca114cb6f32c424f5ce541768f7298dcb278e9b5f

Download Submit
C:\Windows\Temp\{E71033CB-DDB7-4BB5-A5EA-B6AE0E5B731E}\.cr\5b431fd4.exe

Filesize
10.0MB

MD5
63cc62c2919814377cb76b09b9b98334

SHA1
d1b48d089dd49252310d832d2f45029c622d6c89

SHA256
81c686666e1a6267a79f79305d820d904e7c920bd8801ba2f7603711e5d1b541

SHA512
9d250b7abe490dd4312098d910b28fa9db378c23e17c29b15300e6aaed242f87e23e9147888fb2351339fe85b9c1aed90620485814443bb3d211e530c4b6f568

Download Submit
\Program Files (x86)\VDeck\Accessibility.dll

Filesize
20KB

MD5
1108e5d3a2cafd9db92c9452a51285f5

SHA1
9234ce1451b19fa54147959462c09c1529c2bfc1

SHA256
287ec11eebf07c3afed228c37d8facb801c39a2c3b766467a5f0b5e025fcbc8c

SHA512
8e325012a1526591b8b0a3739d5b5de86db7155bd232a2ffbc87906e7a38739823457e7ff65cb059618483074d3d209f74f07b0a954ccc6dc44bb0b3cc19a4a8

Download Submit
\Program Files (x86)\VDeck\Microsoft.Win32.Primitives.dll

Filesize
15KB

MD5
6ff21be9dff1b9e2025857b8192ebcc9

SHA1
0e2df43cae5af31242c5783fe29d4edc593299ef

SHA256
ccd090a705d50f165c2d56a52a99770921c1c94d46edbf623522fc254431a0df

SHA512
68feb0f1f0f0df9d85ab77197d88df2ef3075f9c73c215c2c771bfaa568b54f344695265124383b716f30467c59ecc6c398c0808c3a33973af810f53405341d5

Download Submit
\Program Files (x86)\VDeck\System.Collections.dll

Filesize
242KB

MD5
173349731283556cb5b90df81e672408

SHA1
2895736d031db5d14e5701cf472adf65008a8a3e

SHA256
1d4fce31efc887b5ff1d657dacc580d5872f84aa44075b72c1650b79c915850f

SHA512
a48d15ea087dc50f3b279405ff02ec23ac4c9fd2398e820ab695e3cb49948fd1a52bfb9be4789c6ad9b4a36c74c8b083871a451f6be2b398f1756d8478f95731

Download Submit
\Program Files (x86)\VDeck\System.ComponentModel.EventBasedAsync.dll

Filesize
46KB

MD5
abae99678d25a7d0647d7d2526abd129

SHA1
d52de400a57dd67cdf47b5783c436ba9c6085401

SHA256
02faa9fa5c06a386061fbd9cd8c15b08befd860ea168de29e0d7b143cc4a0e7b

SHA512
57d4f5f7c78a4e42100201a9e67a8ebebf0613bfd278bb4575bc398e33bed65b52cd9e7cada037718a2d7f14704c812eb6b95b941d26e6857e1c2a3198b81fd3

Download Submit
\Program Files (x86)\VDeck\System.ComponentModel.TypeConverter.dll

Filesize
678KB

MD5
eb35951257866d01036bae55555b27ce

SHA1
93cb7f9ff6362d9a0d33c0407991615c12c7645d

SHA256
380133891be6227c3e0000bf4dda4bb42bac146e7150a2e7df29d62e2d2c45dc

SHA512
077a3424593835b14698f00449f998d4797bbea11332491ea5052bab9da9ceefa839364ab96f20afa8a0dd2deba1104ffb620ff975ac0f98d982b59a67887da5

Download Submit
\Program Files (x86)\VDeck\System.Runtime.InteropServices.dll

Filesize
58KB

MD5
8213b2f3164c59c5e1e0bf612a46ebcb

SHA1
e8fb601cbf890679cac24e3062619b8f64e9aaec

SHA256
95fd5c753ffdfad8842a50c8b0c349c6068d9b347fa59d0292cdab7c9970f6a2

SHA512
20386f634f356008cdf590260110a93e1fbf51421758137b448ccfa9bb6d249c69f06b50acad2a6461a134a6cd4757ec3f082c2fae32f2ec4099eae079446307

Download Submit
\Program Files (x86)\VDeck\System.Runtime.dll

Filesize
42KB

MD5
ee8e0221ee0590926b6569b3815f3293

SHA1
0577f115da1412f5099c5d60e725249a7565c924

SHA256
5f9507e814238e79bf75376ffe1fdfbbd56eba29cc8b85d4e4ec16088a8cbf1f

SHA512
7bbe07267a0f4dc848ecfa380172bed172dde4815950a72f1dc614aa21941f6aceaf83db91a7b77b543c2ab6a79d955fe968426f80eb3b5623d6bab0db100343

Download Submit
\Program Files (x86)\VDeck\System.Security.Cryptography.Csp.dll

Filesize
16KB

MD5
2e359ff07ba236c88a6a8e81b825d3f7

SHA1
3dc19f84d0204e91233a2b24f2bc3378d7d5a2d3

SHA256
1e88894f662fbb1bb253040af013506f47dd8553b7fc084429f2932687fec4f9

SHA512
79bfec1e2bcbe74de015d39f0046b00bca6f804770bc01890745ca28b2c1798e500982b7c815dd6f7a97fafb31e2fba6b8795ded185fa3b9ee703b97ff4496dc

Download Submit
\Program Files (x86)\VDeck\System.Security.Cryptography.dll

Filesize
1.7MB

MD5
e6934487dcf51cd95158116a0858c7d8

SHA1
11bc4374fa75b88ceffb595e61b2139889f40ae7

SHA256
947c0b8e2af80c3ccf1dec8af9505fd63584ff51325e5c2c3ed8acb6c9fdce93

SHA512
09dfb2b257c191916b5d49f173a3fc918c6f687cd1650f851330b8e1d23f87cec124076394bbbadc7822150e24feb7cc53ea8bc650e1e0863212e93589d7b0e6

Download Submit
\Program Files (x86)\VDeck\System.Threading.Thread.dll

Filesize
15KB

MD5
465535454819c47ee2bcedc138757635

SHA1
3861082f3126a6501750f8bd558fc1339e9ca64b

SHA256
b512ff7d18af59a3318f1ee50bdc0bb1746fe5d7e30305574f943dca8735550c

SHA512
84844361f8c7c7133d9cf0444c1239a0c399aff2f70ba4fe3e57523103a71bf0a14b58f591602e4b07abd582016813a449f36b33cdef1bfaa2e63943651ceaa8

Download Submit
\Program Files (x86)\VDeck\System.Threading.dll

Filesize
82KB

MD5
4f8137ab657980350ae2a64b1caddfe5

SHA1
6616b0bcb018a704b59d131ae57021490d8b4d5d

SHA256
010df04cfa05e7b0078d9d87b581bb4a35478dd4ef13cd92df501e2c0081b0b2

SHA512
88e2464299022f21defd35e6866f802a7b22addc022751296759fbd3c602f7e8c74c98a3aef4ceee516e07087ddf4bb8f3f360581f3778c48e4b4fbb26967654

Download Submit
\Program Files (x86)\VDeck\VDeck.dll

Filesize
743KB

MD5
31b9574ebf8c8efd29806acbb9c447b4

SHA1
eeb8cbc6e703a89faae99c183e86b0b7fc0b0d23

SHA256
b6b1796208c2da0defadd173c98a27b00765fb92fdf68d9d0a8e030f946e8cdf

SHA512
6150ce2e9d3c19ad333f7048922d2be582af3e2c2a8eb7f3860f9500054f7e8154ba3a0abf2594575156e3d055fd8f4f17e2eda82d7d54ab77165ececd86f3f9

Download Submit
\Program Files (x86)\VDeck\VDeck.exe

Filesize
312KB

MD5
0e31549309575302498d301b35f42503

SHA1
38235c07ec5691eec84afbb6fcd0af16669e71fa

SHA256
9da2346f159d6658201874fc09d73d82672b16ffca8b1ccca0bed9465469958d

SHA512
4a4a75f0f6c7e04ed5192a0b23af52ae5246f0b20c1ae20827bd30b05d0d35d66579c67d7905bf8b8e6c238aa1d85d1568f69a15c8c73004d169b949f695261b

Download Submit
\Program Files (x86)\VDeck\clrjit.dll

Filesize
1.3MB

MD5
83ab25913ef9a1e914f3f748cef17fa5

SHA1
66597c20e11fc17ea5956b90694bacade749c467

SHA256
353e2e5e7d97ab6290965b134e514d1cb0870fd1dc0bfa63f38d2ef3661006e5

SHA512
060270c8a4f1dfb55adb7b5e3e2a8f17ad55d71253c70ec29e3721debe701b99a63158a2c07bd869697e63560af952bbefe90655df38f08d1cb22619ac065867

Download Submit
\Program Files (x86)\VDeck\coreclr.dll

Filesize
4.1MB

MD5
b407845906ce64d98ecac61f60e3c5f3

SHA1
254fbfe838dec3d21c53884ea28acfca3c14cdec

SHA256
a418a6bea8d326407daaae85090062173777cf2c290e63a18b135fb7ca3cdc2a

SHA512
ae2fb33f2f190acb6e7c3092bdafffc8f3cbd7d138aafe0ef93cf45065e79818253e582634907dd5c2c49ed76ae37cb15920e9226dcafec458f56c94c054122d

Download Submit
\Program Files (x86)\VDeck\hostfxr.dll

Filesize
310KB

MD5
2fe7967af37ec79c209149b6e6ec53df

SHA1
a8b2185d4343e6ebdd68a0eb57077d55caaee602

SHA256
096775d54fabaae498d248d158b421c93acc0d0544fec65f4909277dd6d773e6

SHA512
95118db065a68858e514aa89ff472dcb61caa22fd31f9c3e57fdaf8b32db66318e447ca58b02c763344116c39f509546949bb849e127aa58b4ae403a46c84cce

Download Submit
\Program Files (x86)\VDeck\hostpolicy.dll

Filesize
325KB

MD5
00fb04d9c85005669cb7ac6c22eec57a

SHA1
90ee7ebe86b2a00f92a35c6f63d577bf758b6d2e

SHA256
a3884e6d596c3cf658db6f525629f275296bc3cdcbd28d03e7fd103118ad8ec1

SHA512
a151d20d3d8ebcc8edcfe81536d28bc95726c2415ea2092084444a04cd808d92d197b79fbc3d01d14026ac112e2e55496c424cebfd02c4150ab05644962b09a6

Download Submit
\Users\Admin\AppData\Local\Temp\nso10C.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
\Users\Admin\AppData\Local\Temp\nso10C.tmp\nsDialogs.dll

Filesize
9KB

MD5
1d8f01a83ddd259bc339902c1d33c8f1

SHA1
9f7806af462c94c39e2ec6cc9c7ad05c44eba04e

SHA256
4b7d17da290f41ebe244827cc295ce7e580da2f7e9f7cc3efc1abc6898e3c9ed

SHA512
28bf647374b4b500a0f3dbced70c2b256f93940e2b39160512e6e486ac31d1d90945acecef578f61b0a501f27c7106b6ffc3deab2ec3bfb3d9af24c9449a1567

Download Submit
memory/1580-481-0x0000000002300000-0x000000000275B000-memory.dmp

Filesize
4.4MB

Download
memory/1772-377-0x0000000000580000-0x00000000007C5000-memory.dmp

Filesize
2.3MB

Download
memory/1772-378-0x0000000076D90000-0x0000000076F39000-memory.dmp

Filesize
1.7MB

Download
memory/1772-379-0x0000000000580000-0x00000000007C5000-memory.dmp

Filesize
2.3MB

Download
memory/1772-382-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1772-414-0x0000000000580000-0x00000000007C5000-memory.dmp

Filesize
2.3MB

Download
memory/1772-453-0x0000000000580000-0x00000000007C5000-memory.dmp

Filesize
2.3MB

Download
memory/2032-468-0x0000000002600000-0x0000000002A5B000-memory.dmp

Filesize
4.4MB

Download
memory/2032-467-0x0000000002600000-0x0000000002A5B000-memory.dmp

Filesize
4.4MB

Download
memory/2220-474-0x0000000002E40000-0x00000000034C9000-memory.dmp

Filesize
6.5MB

Download
memory/2220-473-0x0000000002E40000-0x00000000034C9000-memory.dmp

Filesize
6.5MB

Download
memory/2220-491-0x0000000002300000-0x000000000275B000-memory.dmp

Filesize
4.4MB

Download
memory/2480-330-0x0000000070A20000-0x0000000070C98000-memory.dmp

Filesize
2.5MB

Download
memory/2508-464-0x0000000002E40000-0x00000000034C9000-memory.dmp

Filesize
6.5MB

Download
memory/2508-480-0x0000000002E40000-0x00000000034C9000-memory.dmp

Filesize
6.5MB

Download
memory/2508-457-0x000000006E600000-0x000000006E69D000-memory.dmp

Filesize
628KB

Download
memory/2508-458-0x0000000002E40000-0x00000000034C9000-memory.dmp

Filesize
6.5MB

Download
memory/2508-462-0x0000000002E40000-0x00000000034C9000-memory.dmp

Filesize
6.5MB

Download
memory/2508-460-0x0000000002E40000-0x00000000034C9000-memory.dmp

Filesize
6.5MB

Download
memory/2508-459-0x0000000002E40000-0x00000000034C9000-memory.dmp

Filesize
6.5MB

Download
memory/2508-463-0x0000000002E40000-0x00000000034C9000-memory.dmp

Filesize
6.5MB

Download
memory/2508-465-0x0000000002E40000-0x00000000034C9000-memory.dmp

Filesize
6.5MB

Download
memory/2508-455-0x0000000002E40000-0x00000000034C9000-memory.dmp

Filesize
6.5MB

Download
memory/2508-466-0x0000000002E40000-0x00000000034C9000-memory.dmp

Filesize
6.5MB

Download
memory/2508-454-0x0000000002300000-0x000000000275B000-memory.dmp

Filesize
4.4MB

Download
memory/2508-490-0x0000000002300000-0x000000000275B000-memory.dmp

Filesize
4.4MB

Download
memory/2508-489-0x0000000002E40000-0x00000000034C9000-memory.dmp

Filesize
6.5MB

Download
memory/2508-488-0x0000000002E40000-0x00000000034C9000-memory.dmp

Filesize
6.5MB

Download
memory/2508-456-0x0000000063280000-0x00000000634BE000-memory.dmp

Filesize
2.2MB

Download
memory/2508-487-0x0000000002E40000-0x00000000034C9000-memory.dmp

Filesize
6.5MB

Download
memory/2508-479-0x0000000002E40000-0x00000000034C9000-memory.dmp

Filesize
6.5MB

Download
memory/2508-486-0x0000000002E40000-0x00000000034C9000-memory.dmp

Filesize
6.5MB

Download
memory/2532-539-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2532-546-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2588-494-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2588-495-0x0000000070140000-0x00000000702B4000-memory.dmp

Filesize
1.5MB

Download
memory/2588-496-0x0000000076D90000-0x0000000076F39000-memory.dmp

Filesize
1.7MB

Download
memory/2672-343-0x0000000076D90000-0x0000000076F39000-memory.dmp

Filesize
1.7MB

Download
memory/2672-372-0x0000000070A20000-0x0000000070B94000-memory.dmp

Filesize
1.5MB

Download
memory/2672-342-0x0000000070A20000-0x0000000070B94000-memory.dmp

Filesize
1.5MB

Download
memory/2672-341-0x0000000000400000-0x00000000008AA000-memory.dmp

Filesize
4.7MB

Download
memory/2752-374-0x0000000076D90000-0x0000000076F39000-memory.dmp

Filesize
1.7MB

Download
memory/2752-375-0x0000000070A20000-0x0000000070B94000-memory.dmp

Filesize
1.5MB

Download