Overview

overview

10

Static

static

7

VDeck Setup.exe

windows7-x64

10

VDeck Setup.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-08-2024 05:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    VDeck Setup.exe

  • Size

    40.0MB

  • MD5

    b9d8bed2a79c0b77af4640a28900d891

  • SHA1

    01ca342cdb9e1ae97799771001eca8cface9afc6

  • SHA256

    1b7e4f1adc6780bc528758fd206329150a6c0d61be13b4d186de4b80ad604a03

  • SHA512

    e1465a42c83b0c71aa9d00343d8fe548dbf623802623ca9a20909bc16e1145ba1e6ba72b8ddb9e65c3aff4df22a2a0fb2fa474a494b23fbc15a641875eddb7f0

  • SSDEEP

    786432:56pXKzUhllZSObZChkvj+FKVtv5cUxcppRQkvheVepVNn58lB45aBowl2v5M:5QKzOKhkKAVtCnppGV458lBsa6wk6

Score
10/10
hijackloaderrhadamanthysdiscoveryexecutionloaderstealer

Malware Config

Signatures

  • Detects HijackLoader (aka IDAT Loader) 1 IoCs
  • HijackLoader

    HijackLoader is a multistage loader first seen in 2023.

    loaderhijackloader
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • .NET Reactor proctector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 64 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
      PID:2672
      • C:\Windows\SysWOW64\openwith.exe
        "C:\Windows\system32\openwith.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3200
    • C:\Users\Admin\AppData\Local\Temp\VDeck Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\VDeck Setup.exe"
      1⤵
      • Checks computer location settings
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1032
      • C:\Program Files (x86)\VDeck\VDeck.exe
        "C:\Program Files (x86)\VDeck\VDeck.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4356
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5036
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3012
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3548
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2944
        • C:\Users\Admin\AppData\Local\Temp\ec80dc4d-8660-4ca8-abaa-90312ee276bf\snss2.exe
          "C:\Users\Admin\AppData\Local\Temp\ec80dc4d-8660-4ca8-abaa-90312ee276bf\snss2.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:5044
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\SysWOW64\cmd.exe
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:1196
            • C:\Windows\SysWOW64\explorer.exe
              C:\Windows\SysWOW64\explorer.exe
              5⤵
              • Suspicious use of NtCreateUserProcessOtherParentProcess
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1824

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\VDeck\Accessibility.dll
      Filesize

      20KB

      MD5

      1108e5d3a2cafd9db92c9452a51285f5

      SHA1

      9234ce1451b19fa54147959462c09c1529c2bfc1

      SHA256

      287ec11eebf07c3afed228c37d8facb801c39a2c3b766467a5f0b5e025fcbc8c

      SHA512

      8e325012a1526591b8b0a3739d5b5de86db7155bd232a2ffbc87906e7a38739823457e7ff65cb059618483074d3d209f74f07b0a954ccc6dc44bb0b3cc19a4a8

      Download Submit

    • C:\Program Files (x86)\VDeck\Microsoft.Win32.Primitives.dll
      Filesize

      15KB

      MD5

      6ff21be9dff1b9e2025857b8192ebcc9

      SHA1

      0e2df43cae5af31242c5783fe29d4edc593299ef

      SHA256

      ccd090a705d50f165c2d56a52a99770921c1c94d46edbf623522fc254431a0df

      SHA512

      68feb0f1f0f0df9d85ab77197d88df2ef3075f9c73c215c2c771bfaa568b54f344695265124383b716f30467c59ecc6c398c0808c3a33973af810f53405341d5

      Download Submit

    • C:\Program Files (x86)\VDeck\System.Collections.Specialized.dll
      Filesize

      94KB

      MD5

      27780df75669034593eaaedbad21cdab

      SHA1

      49861515166f0539f46cf01b48434f819cf920d2

      SHA256

      cbb75624d6777a004841dabf935b3587a890bd012cbba45ec5967e084bba1f45

      SHA512

      6064417534dd8c3fec2b11c2b412493b289af6d7d7f6366a0c764d49299324dddcf0bb7cc14a2b062f5fe26429b7632c261d1ab0d93decd1787b357ac208ed63

      Download Submit

    • C:\Program Files (x86)\VDeck\System.Collections.dll
      Filesize

      242KB

      MD5

      173349731283556cb5b90df81e672408

      SHA1

      2895736d031db5d14e5701cf472adf65008a8a3e

      SHA256

      1d4fce31efc887b5ff1d657dacc580d5872f84aa44075b72c1650b79c915850f

      SHA512

      a48d15ea087dc50f3b279405ff02ec23ac4c9fd2398e820ab695e3cb49948fd1a52bfb9be4789c6ad9b4a36c74c8b083871a451f6be2b398f1756d8478f95731

      Download Submit

    • C:\Program Files (x86)\VDeck\System.ComponentModel.EventBasedAsync.dll
      Filesize

      46KB

      MD5

      abae99678d25a7d0647d7d2526abd129

      SHA1

      d52de400a57dd67cdf47b5783c436ba9c6085401

      SHA256

      02faa9fa5c06a386061fbd9cd8c15b08befd860ea168de29e0d7b143cc4a0e7b

      SHA512

      57d4f5f7c78a4e42100201a9e67a8ebebf0613bfd278bb4575bc398e33bed65b52cd9e7cada037718a2d7f14704c812eb6b95b941d26e6857e1c2a3198b81fd3

      Download Submit

    • C:\Program Files (x86)\VDeck\System.ComponentModel.Primitives.dll
      Filesize

      74KB

      MD5

      6c7db5ad1c6e248ffad43b4d7e8e2c5a

      SHA1

      8c75c684831a9c7684fe675f1f23708895051e69

      SHA256

      9981c0f8985b8e0645498a48adfeb8d34954aba291c961cde1db08d7de4d1943

      SHA512

      569431f02c733948054bd7b6bf90b42f668791b129d819dfb423d6fdd82bad1f88b9a2b93e8c290271040c11d4a302c4d43597928052b97fbba8afede10e8c2d

      Download Submit

    • C:\Program Files (x86)\VDeck\System.ComponentModel.TypeConverter.dll
      Filesize

      678KB

      MD5

      eb35951257866d01036bae55555b27ce

      SHA1

      93cb7f9ff6362d9a0d33c0407991615c12c7645d

      SHA256

      380133891be6227c3e0000bf4dda4bb42bac146e7150a2e7df29d62e2d2c45dc

      SHA512

      077a3424593835b14698f00449f998d4797bbea11332491ea5052bab9da9ceefa839364ab96f20afa8a0dd2deba1104ffb620ff975ac0f98d982b59a67887da5

      Download Submit

    • C:\Program Files (x86)\VDeck\System.Diagnostics.FileVersionInfo.dll
      Filesize

      46KB

      MD5

      ce9aae102f0798a546285bb183fc3ac5

      SHA1

      154c9e9f90b2032f0562e9cbca8176c51b790e13

      SHA256

      ff2f414912e4abc7e3dc9e059357ed34a4073c5d169857b7b8cc709c535ed7ea

      SHA512

      4e57e06c32db9a463d1ad55d433181ec550f26f92bd0cea6990121c6b434f1b315e499ee4e4933f0d5f4c41ca7be68b53b7249dcd4b85a0dd899d504f11236e4

      Download Submit

    • C:\Program Files (x86)\VDeck\System.Diagnostics.TraceSource.dll
      Filesize

      130KB

      MD5

      823dc83d1941a6d0980ddd3fc206afde

      SHA1

      aaaaede06866b984d5fa4f891408b345bcdcb655

      SHA256

      095b98401940e0115a42faa71970fbad77faafc0b8c7b1d31efa4cc98e517366

      SHA512

      5d243f67e2617bc1d0ff9415a217a6b5c48b99025db8aa4aa63f392d68bff9d3feacd676cd497d4b21e585019721910fab6d61e3e4f874085f18b7310d25230f

      Download Submit

    • C:\Program Files (x86)\VDeck\System.Drawing.Common.dll
      Filesize

      1.3MB

      MD5

      1a16a5af18f36eff5525cbba9182a59f

      SHA1

      f769192970efae75e6f4614d8da44e7ff6cebde4

      SHA256

      d1de2f83e34fb6b3f9f2ff28e290e935f72b40c8053d0b36515cb9ea5a6eac6b

      SHA512

      1329a2f6476f7b6410d40ed9c027a569d3144e56b4ae1483888d761c6ac8d4d765285fa0d08ce9b885c14b1636652b1197c1a59c6f114f1f5121f58c47520611

      Download Submit

    • C:\Program Files (x86)\VDeck\System.Drawing.Primitives.dll
      Filesize

      126KB

      MD5

      f7418b3c7cb9684ce513aba65a7a1cd6

      SHA1

      b7490f8f9ba250f05907001769e1769d9db4bdc6

      SHA256

      4f5bf9840718fa043fc355e5b8c0d9760d8d3e3de8a8fce1532729e0c9c18a59

      SHA512

      202d150a84654a7d27b2aacdefda9b4f37037de692510c29e45d2c18410a7579e2a42bd0836797ade09c29bba8afbbc7b82e30e09ab74f191b079e2d30cb11c0

      Download Submit

    • C:\Program Files (x86)\VDeck\System.Memory.dll
      Filesize

      150KB

      MD5

      99d539480ec14a1e0d67ce4c5794bc56

      SHA1

      edc8ce78de84b674ad45c22d78e0c66c0705e8d6

      SHA256

      62875296f322fee08716745f143ce63315416cc80f91c795562c6373fa5f7904

      SHA512

      ab4a26b3f3568451b62e6e76cdb68b80032f4ce0aff74ec0addbe549624655a6cd002671d7186b1a2ae3de8af4ae4457f9e67eb3eb6bd0fb89d54a6d28018103

      Download Submit

    • C:\Program Files (x86)\VDeck\System.Numerics.Vectors.dll
      Filesize

      15KB

      MD5

      e694117068a885e95cc872d799800d43

      SHA1

      7950be260c871e95ede419def3138008c6c09be5

      SHA256

      1440a4abf195c2f6da3420b2f497a3e4f8d67aaeede553f3ac171a15e7460fdf

      SHA512

      52fc5f7d692d6f43364a67d8173c99ddca35e62ffb42b8474042198b4fd06f35839ccf2884fc2faa9b570f71c1ab892c43aa5ec71f3904dc1e10a03e462ce155

      Download Submit

    • C:\Program Files (x86)\VDeck\System.Private.CoreLib.dll
      Filesize

      10.5MB

      MD5

      703470f5af7984cec05b0956562a0ba6

      SHA1

      8dcff4d0039c45bffa52c339d9d257ff3fdf8bb1

      SHA256

      aa28b8b56cafd31d582bd6b0b404037a1547a99381c9fcb424c905a027e7f816

      SHA512

      01255321d318d6f084a70e93727fee89ed907fcdd092fead0f7e37608667ac9517a5840b88326736402f25f0cb63f727bb941e76713c6b3b4931bdf09f9d7943

      Download Submit

    • C:\Program Files (x86)\VDeck\System.Runtime.InteropServices.dll
      Filesize

      58KB

      MD5

      8213b2f3164c59c5e1e0bf612a46ebcb

      SHA1

      e8fb601cbf890679cac24e3062619b8f64e9aaec

      SHA256

      95fd5c753ffdfad8842a50c8b0c349c6068d9b347fa59d0292cdab7c9970f6a2

      SHA512

      20386f634f356008cdf590260110a93e1fbf51421758137b448ccfa9bb6d249c69f06b50acad2a6461a134a6cd4757ec3f082c2fae32f2ec4099eae079446307

      Download Submit

    • C:\Program Files (x86)\VDeck\System.Runtime.dll
      Filesize

      42KB

      MD5

      ee8e0221ee0590926b6569b3815f3293

      SHA1

      0577f115da1412f5099c5d60e725249a7565c924

      SHA256

      5f9507e814238e79bf75376ffe1fdfbbd56eba29cc8b85d4e4ec16088a8cbf1f

      SHA512

      7bbe07267a0f4dc848ecfa380172bed172dde4815950a72f1dc614aa21941f6aceaf83db91a7b77b543c2ab6a79d955fe968426f80eb3b5623d6bab0db100343

      Download Submit

    • C:\Program Files (x86)\VDeck\System.Security.Cryptography.Csp.dll
      Filesize

      16KB

      MD5

      2e359ff07ba236c88a6a8e81b825d3f7

      SHA1

      3dc19f84d0204e91233a2b24f2bc3378d7d5a2d3

      SHA256

      1e88894f662fbb1bb253040af013506f47dd8553b7fc084429f2932687fec4f9

      SHA512

      79bfec1e2bcbe74de015d39f0046b00bca6f804770bc01890745ca28b2c1798e500982b7c815dd6f7a97fafb31e2fba6b8795ded185fa3b9ee703b97ff4496dc

      Download Submit

    • C:\Program Files (x86)\VDeck\System.Security.Cryptography.dll
      Filesize

      1.7MB

      MD5

      e6934487dcf51cd95158116a0858c7d8

      SHA1

      11bc4374fa75b88ceffb595e61b2139889f40ae7

      SHA256

      947c0b8e2af80c3ccf1dec8af9505fd63584ff51325e5c2c3ed8acb6c9fdce93

      SHA512

      09dfb2b257c191916b5d49f173a3fc918c6f687cd1650f851330b8e1d23f87cec124076394bbbadc7822150e24feb7cc53ea8bc650e1e0863212e93589d7b0e6

      Download Submit

    • C:\Program Files (x86)\VDeck\System.Threading.Thread.dll
      Filesize

      15KB

      MD5

      465535454819c47ee2bcedc138757635

      SHA1

      3861082f3126a6501750f8bd558fc1339e9ca64b

      SHA256

      b512ff7d18af59a3318f1ee50bdc0bb1746fe5d7e30305574f943dca8735550c

      SHA512

      84844361f8c7c7133d9cf0444c1239a0c399aff2f70ba4fe3e57523103a71bf0a14b58f591602e4b07abd582016813a449f36b33cdef1bfaa2e63943651ceaa8

      Download Submit

    • C:\Program Files (x86)\VDeck\System.Threading.dll
      Filesize

      82KB

      MD5

      4f8137ab657980350ae2a64b1caddfe5

      SHA1

      6616b0bcb018a704b59d131ae57021490d8b4d5d

      SHA256

      010df04cfa05e7b0078d9d87b581bb4a35478dd4ef13cd92df501e2c0081b0b2

      SHA512

      88e2464299022f21defd35e6866f802a7b22addc022751296759fbd3c602f7e8c74c98a3aef4ceee516e07087ddf4bb8f3f360581f3778c48e4b4fbb26967654

      Download Submit

    • C:\Program Files (x86)\VDeck\System.Windows.Forms.Primitives.dll
      Filesize

      854KB

      MD5

      6c5b510dc2fdf6779845a59fa3b48332

      SHA1

      97015b0060e16bf743c562c068e17c3f5f45424d

      SHA256

      9147b18cdb9ac48cd18b9f162ea716924b9d7086de658e7f6e7edde5dd0b759e

      SHA512

      f30ab62668517f77450d9c632bf7d88e9ec3c5f86fc084cd83a73d78a2647a6d5f4fc45b9a90b1a4c5f71f4e9916affc24e52aaa20a6c549aaacf1cad2aa5843

      Download Submit

    • C:\Program Files (x86)\VDeck\System.Windows.Forms.dll
      Filesize

      12.0MB

      MD5

      7e4a3a306549e552c39dcee2a64980eb

      SHA1

      033fd1471f6f52266885ffa2aebd0ce8bd8cbb01

      SHA256

      5854cd77d7a345abdc6887bd323f724f9857a4bbdd8fae14927432452185e4aa

      SHA512

      b22bdcc6e8cbc97d163063a1f026376aa69891fbb388b94a5c505a212fded8cae5f68d1b7d145f4308537310b6a9ef3e9366c81e8c53d93a59fc9089a588a090

      Download Submit

    • C:\Program Files (x86)\VDeck\VDeck.dll
      Filesize

      743KB

      MD5

      31b9574ebf8c8efd29806acbb9c447b4

      SHA1

      eeb8cbc6e703a89faae99c183e86b0b7fc0b0d23

      SHA256

      b6b1796208c2da0defadd173c98a27b00765fb92fdf68d9d0a8e030f946e8cdf

      SHA512

      6150ce2e9d3c19ad333f7048922d2be582af3e2c2a8eb7f3860f9500054f7e8154ba3a0abf2594575156e3d055fd8f4f17e2eda82d7d54ab77165ececd86f3f9

      Download Submit

    • C:\Program Files (x86)\VDeck\VDeck.exe
      Filesize

      312KB

      MD5

      0e31549309575302498d301b35f42503

      SHA1

      38235c07ec5691eec84afbb6fcd0af16669e71fa

      SHA256

      9da2346f159d6658201874fc09d73d82672b16ffca8b1ccca0bed9465469958d

      SHA512

      4a4a75f0f6c7e04ed5192a0b23af52ae5246f0b20c1ae20827bd30b05d0d35d66579c67d7905bf8b8e6c238aa1d85d1568f69a15c8c73004d169b949f695261b

      Download Submit

    • C:\Program Files (x86)\VDeck\clrjit.dll
      Filesize

      1.3MB

      MD5

      83ab25913ef9a1e914f3f748cef17fa5

      SHA1

      66597c20e11fc17ea5956b90694bacade749c467

      SHA256

      353e2e5e7d97ab6290965b134e514d1cb0870fd1dc0bfa63f38d2ef3661006e5

      SHA512

      060270c8a4f1dfb55adb7b5e3e2a8f17ad55d71253c70ec29e3721debe701b99a63158a2c07bd869697e63560af952bbefe90655df38f08d1cb22619ac065867

      Download Submit

    • C:\Program Files (x86)\VDeck\coreclr.dll
      Filesize

      4.1MB

      MD5

      b407845906ce64d98ecac61f60e3c5f3

      SHA1

      254fbfe838dec3d21c53884ea28acfca3c14cdec

      SHA256

      a418a6bea8d326407daaae85090062173777cf2c290e63a18b135fb7ca3cdc2a

      SHA512

      ae2fb33f2f190acb6e7c3092bdafffc8f3cbd7d138aafe0ef93cf45065e79818253e582634907dd5c2c49ed76ae37cb15920e9226dcafec458f56c94c054122d

      Download Submit

    • C:\Program Files (x86)\VDeck\hostfxr.dll
      Filesize

      310KB

      MD5

      2fe7967af37ec79c209149b6e6ec53df

      SHA1

      a8b2185d4343e6ebdd68a0eb57077d55caaee602

      SHA256

      096775d54fabaae498d248d158b421c93acc0d0544fec65f4909277dd6d773e6

      SHA512

      95118db065a68858e514aa89ff472dcb61caa22fd31f9c3e57fdaf8b32db66318e447ca58b02c763344116c39f509546949bb849e127aa58b4ae403a46c84cce

      Download Submit

    • C:\Program Files (x86)\VDeck\hostpolicy.dll
      Filesize

      325KB

      MD5

      00fb04d9c85005669cb7ac6c22eec57a

      SHA1

      90ee7ebe86b2a00f92a35c6f63d577bf758b6d2e

      SHA256

      a3884e6d596c3cf658db6f525629f275296bc3cdcbd28d03e7fd103118ad8ec1

      SHA512

      a151d20d3d8ebcc8edcfe81536d28bc95726c2415ea2092084444a04cd808d92d197b79fbc3d01d14026ac112e2e55496c424cebfd02c4150ab05644962b09a6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_knglwfka.fnc.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsm8BE6.tmp\System.dll
      Filesize

      12KB

      MD5

      4add245d4ba34b04f213409bfe504c07

      SHA1

      ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

      SHA256

      9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

      SHA512

      1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsm8BE6.tmp\nsDialogs.dll
      Filesize

      9KB

      MD5

      1d8f01a83ddd259bc339902c1d33c8f1

      SHA1

      9f7806af462c94c39e2ec6cc9c7ad05c44eba04e

      SHA256

      4b7d17da290f41ebe244827cc295ce7e580da2f7e9f7cc3efc1abc6898e3c9ed

      SHA512

      28bf647374b4b500a0f3dbced70c2b256f93940e2b39160512e6e486ac31d1d90945acecef578f61b0a501f27c7106b6ffc3deab2ec3bfb3d9af24c9449a1567

      Download Submit

    • memory/1196-444-0x00007FF91D290000-0x00007FF91D485000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1196-445-0x0000000070260000-0x00000000703DB000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1824-451-0x0000000003F40000-0x0000000004340000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1824-449-0x0000000000140000-0x00000000001C0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1824-452-0x0000000003F40000-0x0000000004340000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1824-448-0x00007FF91D290000-0x00007FF91D485000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1824-447-0x0000000000140000-0x00000000001C0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1824-455-0x0000000077890000-0x0000000077AA5000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/1824-459-0x0000000000140000-0x00000000001C0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2944-425-0x0000000070950000-0x000000007099C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3012-424-0x0000000007090000-0x00000000070A4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/3012-374-0x0000000005440000-0x0000000005794000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3012-404-0x0000000007050000-0x0000000007061000-memory.dmp

      Filesize

      68KB

      Download

    • memory/3012-403-0x0000000006DC0000-0x0000000006E63000-memory.dmp

      Filesize

      652KB

      Download

    • memory/3012-393-0x0000000070950000-0x000000007099C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3012-383-0x0000000005C80000-0x0000000005CCC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3200-461-0x00007FF91D290000-0x00007FF91D485000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3200-463-0x0000000077890000-0x0000000077AA5000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/3200-460-0x0000000002CF0000-0x00000000030F0000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/3200-456-0x00000000010A0000-0x00000000010A9000-memory.dmp

      Filesize

      36KB

      Download

    • memory/3548-414-0x0000000070950000-0x000000007099C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/5036-358-0x0000000006F50000-0x0000000006F6E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/5036-346-0x0000000005FD0000-0x000000000601C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/5036-369-0x0000000007600000-0x000000000761A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/5036-368-0x0000000007500000-0x0000000007514000-memory.dmp

      Filesize

      80KB

      Download

    • memory/5036-367-0x00000000074F0000-0x00000000074FE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/5036-366-0x00000000074C0000-0x00000000074D1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/5036-359-0x0000000006F80000-0x0000000007023000-memory.dmp

      Filesize

      652KB

      Download

    • memory/5036-348-0x000000006C8F0000-0x000000006C93C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/5036-360-0x0000000007900000-0x0000000007F7A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/5036-361-0x00000000072C0000-0x00000000072DA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/5036-364-0x0000000007330000-0x000000000733A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/5036-330-0x0000000004A20000-0x0000000004A56000-memory.dmp

      Filesize

      216KB

      Download

    • memory/5036-347-0x0000000006F10000-0x0000000006F42000-memory.dmp

      Filesize

      200KB

      Download

    • memory/5036-370-0x00000000075E0000-0x00000000075E8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/5036-345-0x0000000005FA0000-0x0000000005FBE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/5036-344-0x0000000005990000-0x0000000005CE4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/5036-334-0x0000000005920000-0x0000000005986000-memory.dmp

      Filesize

      408KB

      Download

    • memory/5036-333-0x00000000058B0000-0x0000000005916000-memory.dmp

      Filesize

      408KB

      Download

    • memory/5036-332-0x0000000005710000-0x0000000005732000-memory.dmp

      Filesize

      136KB

      Download

    • memory/5036-331-0x0000000005090000-0x00000000056B8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/5036-365-0x0000000007540000-0x00000000075D6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/5044-442-0x0000000070260000-0x00000000703DB000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/5044-441-0x00007FF91D290000-0x00007FF91D485000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/5044-440-0x0000000070260000-0x00000000703DB000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/5044-439-0x0000000000400000-0x0000000000549000-memory.dmp

      Filesize

      1.3MB

      Download