wshrat | 37eafb5b25afceacaa6258df49c31f8a9eee650d48dbcaa5e67e054473de087c

Analysis

max time kernel
142s
max time network
144s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-05-2024 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c697999000d0ed6ceb41eb5eaf6e51c_JaffaCakes118.exe
Size

15.1MB
MD5

7c697999000d0ed6ceb41eb5eaf6e51c
SHA1

c67839d60fc4949ddc8c709351342fcbdf204996
SHA256

37eafb5b25afceacaa6258df49c31f8a9eee650d48dbcaa5e67e054473de087c
SHA512

7c0e4eaa58c3f73e496942daee079ec30e83f3c21b3c133e9f1831d0801f44170da867db680343dfadcf7cd62370474e646ed9f593a5ab31c148b81d33c1b61a
SSDEEP

393216:lHjgup5PtaWM4yI5IR+zcryos1A49/82O9ssxouKj7uSxMzw5o:lH8e5PtaWMS94GRTBK7xLK/uSxMzX

Score

10^/10

wshrat bootkit evasion execution persistence trojan

Malware Config

Extracted

Family

wshrat

http://freehost222.ddns.net:1555

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Themida.exe

Blocklisted process makes network request 7 IoCs

flow	pid	Process
5	1692	wscript.exe
7	1692	wscript.exe
8	1692	wscript.exe
9	1692	wscript.exe
10	1692	wscript.exe
11	1692	wscript.exe
12	1692	wscript.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Themida.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Themida.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\license.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\license.js	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
1516	Themida.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Wine	Themida.exe

Loads dropped DLL 2 IoCs

pid	Process
2548	WScript.exe
2548	WScript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\license = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\license.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\license = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\license.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\license = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\license.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\license = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\license.js\""	wscript.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Themida.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Themida.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1516	Themida.exe
1516	Themida.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 6 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	7	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 28/5/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	8	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 28/5/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	9	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 28/5/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	10	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 28/5/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	11	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 28/5/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	12	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 28/5/2024\|JavaScript-v2.0\|GB:United Kingdom

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1516	Themida.exe
1516	Themida.exe
1516	Themida.exe
1516	Themida.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1516	Themida.exe
1516	Themida.exe
1516	Themida.exe
1516	Themida.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2548	2184	7c697999000d0ed6ceb41eb5eaf6e51c_JaffaCakes118.exe	28
PID 2184 wrote to memory of 2548	2184	7c697999000d0ed6ceb41eb5eaf6e51c_JaffaCakes118.exe	28
PID 2184 wrote to memory of 2548	2184	7c697999000d0ed6ceb41eb5eaf6e51c_JaffaCakes118.exe	28
PID 2184 wrote to memory of 2548	2184	7c697999000d0ed6ceb41eb5eaf6e51c_JaffaCakes118.exe	28
PID 2548 wrote to memory of 1516	2548	WScript.exe	29
PID 2548 wrote to memory of 1516	2548	WScript.exe	29
PID 2548 wrote to memory of 1516	2548	WScript.exe	29
PID 2548 wrote to memory of 1516	2548	WScript.exe	29
PID 2548 wrote to memory of 2804	2548	WScript.exe	30
PID 2548 wrote to memory of 2804	2548	WScript.exe	30
PID 2548 wrote to memory of 2804	2548	WScript.exe	30
PID 2548 wrote to memory of 2804	2548	WScript.exe	30
PID 2804 wrote to memory of 1692	2804	WScript.exe	31
PID 2804 wrote to memory of 1692	2804	WScript.exe	31
PID 2804 wrote to memory of 1692	2804	WScript.exe	31
PID 2804 wrote to memory of 1692	2804	WScript.exe	31

C:\Users\Admin\AppData\Local\Temp\7c697999000d0ed6ceb41eb5eaf6e51c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7c697999000d0ed6ceb41eb5eaf6e51c_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Themida.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Themida.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Checks whether UAC is enabled
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1516
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\license.js"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\license.js"
      4⤵
      Blocklisted process makes network request
      Drops startup file
      Adds Run key to start application
      PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\TMLicenseA1.dat

Filesize
5KB

MD5
062ff1fb32ca03d5a83534c46bbe8541

SHA1
c145cb81deba473e66f3574a3b3e757fac3f7ba1

SHA256
a4d60afcc7a0e628f239c1f18cc503c71872e687526c296b7ea267d20a05ac4c

SHA512
129932e7da520ee5c3c3d0ed08079c5a7d3661b2bee6fb547b6c46fb409fa41e648031d9f94c43d9e3df535948ffb0ed6e21222c1bfa7a751b8471ab6faafb91

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Themida.exe

Filesize
14.8MB

MD5
9dde110f0c24dd748ecaeff1fce8dce2

SHA1
cd9ec69d30497a30e00df7350166def7570aebca

SHA256
5be578ac246fb2111a2161b977a036da900d96e1262ef36e1974f692ca424005

SHA512
59bf5f423d9a65652cc8e0b52b3b2afd493ebf28ffea09d0cf16b341cff703585a7c97354d8b925c93217dd02602d7bcf5d96f0675a164d6d8ced6868ecf2d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\dolphin32_black.vm

Filesize
2KB

MD5
a6e5aab0dcdfea5f936403b3324789ba

SHA1
29a03a6c3975d5a41b08c0875be7c8773f0624a4

SHA256
6a50fea38830733aa18b284ec00a1d4a87ac8c185baa4ee39745190e8c40e149

SHA512
5cf15f4a03b13fe66071238669eb9b05d7f5a41d2e0307553d0e2bc4a05df4c62369f84db288065774b43e9895477c59310a32a6917e174fb5ca0bd58f5a98bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\dolphin32_red.vm

Filesize
2KB

MD5
5fb70e4f810d72d77071819b61db071d

SHA1
a3791a36274e18608da1b6e27c07e5d80b6768b4

SHA256
f0191d6e1cacd7ba63d0af17de2da992f343ce6b54b1072f33218f5050010ccb

SHA512
c8217829adcea509a445f85c3e34d699a57ef222ec46f092b1dad8ca65b133d504865e65dafaac973c1c44aaf2114d0a67056fd9c940ca15910dac4ae6d3175f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\dolphin32_white.vm

Filesize
2KB

MD5
bb174884720a42883533fc12bb78c58f

SHA1
c3f05c1f8175fe7ab45f21d057578e9eb9546e86

SHA256
7ca0d9a1e4a971d8da434de12f4429ed404b432c57ce1afacaee5accb4353990

SHA512
4cf05892c1463fec4733959898111c646077e1be5e14255cda98e3bea590a21f432e19186d745f0c74daf760b4ccadab33166882501e5a3bb3d11c309e01428f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\dolphin64_black.vm

Filesize
2KB

MD5
4072229bd12668777ce76c2d2b582ba2

SHA1
1369687dff9bd7976c20a639a8031cfe510354c5

SHA256
4c5c3e67741b651ee7625768b0c4e8d9b35fc66a738f1db558be07fc48bdd06b

SHA512
dabee5f0f9f5ca70d51a3785a2207d5b0452ce46d33f05ee4b736ee4ec6892ea2bec28ebbe25e2626211325ffbe2a2cde0d6bdfe83d6c32be9af4cb0f9c5de53

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\dolphin64_red.vm

Filesize
2KB

MD5
b629a5d05108c097038352ce45b4934d

SHA1
6efd78ba31f285632d43c5ab6b599b8724a58e7f

SHA256
cfe9977238ac61286bb959e58fd77382b01964d4bb28499626028d02f41ef59a

SHA512
789937b67c98bdbf8244813b9927eafd914a768419b141625e3555e4130d6d55babb2fd61512298bbe1db4b92353106f0f9b10a4647f5278c64b9587fcb214ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\dolphin64_white.vm

Filesize
2KB

MD5
e4bae5af38063a3526759ba68498c18e

SHA1
932b96b2b7007e8d38416df69fbc7142ae796eda

SHA256
58b08a225b420776420de6df1b3a1ec671133f67d10a81bbdf4e3c4cfacc45b1

SHA512
35b6f40dcff7fbfe4c155fc450d19d895d0b82a4a3c85fae1c79a691b2fb98b7d768e51f3f743faae2c5ded4d5211dc91bd39166f460a6b00ce6305025e9f128

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\eagle32_black.vm

Filesize
3KB

MD5
cbeb2e84dfb1d2359365c43e673db1fb

SHA1
0ea5a4fcfcca112c2edced26c148dbd6bd7ea7f7

SHA256
5d09dc7512372117292822e841f3c5226d9fe20db014281e0abaac8a9072358f

SHA512
f69cf26211bf02da3ec42454bd48500c03c2064e8d22cf73b41617c573354fb1b92ac46b068aecda2657e6a1100b81460ce4e9c3786f1a10aa12748a90ede610

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\eagle32_red.vm

Filesize
3KB

MD5
0c8954a48d9b7b3e73f67f736f712b9c

SHA1
f3ec98e344a583d6f412a80cfea5ce8ad1a73877

SHA256
44824486e1819ff1e96f78a07b692ac14915b821acfeb2f41daad728e4f23593

SHA512
8c23cca14671cd325b240378edb772bf605d27316545245ec49a386432782f809e87a8a18db5faaa7dc496f03b9e49862db270e94e42c6c1dece7fcbd809d0d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\eagle32_white.vm

Filesize
3KB

MD5
22dcd5403760b82c318afd76ed7e9a97

SHA1
2d88f5da25deddfc20c907f4316e9e15c84dde3e

SHA256
84a89664e6a9751f4d811592df10b9097846df4c54c786c94dfcb8d73800b9cc

SHA512
7360e769e334a3480347458b5178c449147cbc4b06381bbc07ad85dfc37ece4836f929e912cfddb24f40de35a4f982966d8bd4362c037e3726679c93c545c523

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\eagle64_black.vm

Filesize
3KB

MD5
a3441b9017686b32e3be22e1c189ebaa

SHA1
ba29ccdfe3860e6f11bc53c2346008e570162b34

SHA256
81636409b1759ea512a397a7c393d0976e1dfd2b6dd6dc3f769342777252a973

SHA512
d426570470dbc8049ade16ee3ba77e3e4fd0a0abb5e4822a59a365196c5451cf1a4425f60deb7f2b4a74785c38c7cc4d55bb421ca92a63910cc6220095ce2951

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\eagle64_red.vm

Filesize
3KB

MD5
63d99cf4adac70db2ad866aa261caf9b

SHA1
a20bc75b310b3e04ca66a539fa4f2c2162c0f8a7

SHA256
b8e4e9b6bbd3bcebdb460d4e250fe4525d8d723c9e9c0de937b9cba58e55d0fc

SHA512
668fe064de94d77ce9afad583f2853ab6b2f532a007a8fa254ef1e6eb52c6638c34675a18d5a0c77e65a0f961ce8d3131b4f6975a5090f8327bcee3654b319e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\eagle64_white.vm

Filesize
3KB

MD5
6b129631ab40630fdeccb08ed01fe7d3

SHA1
0959c12085398697f341a4214a55f1f5d6c2b397

SHA256
fb9e0c18d7bddb6fc29045f5d3f34d24dd8e70fddfae7bd6d3037444ce5ae700

SHA512
05f730968a9289f8480eb31c9ab71211c23b259f19232de24eb5a7e229b7a887e602fb43c59e2bac24409bcdcb7fac71886f735c57b4e453e56d91d8e35c2110

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\fish32_black.vm

Filesize
2KB

MD5
11327658b4bdc55181f668c1714297bf

SHA1
8f4c904b66ce3431071b18457253b6a9cb8854c1

SHA256
dee4ec599fd974992d13a116881bf724e03f735b4a4d6a3e6d95e39c26eadc2c

SHA512
5eaa8c902f2302a923fcfbd099aea3700e8041dac1fc925bbbc681903123e6dde77b9e94192b532b3b6d5601c803774b6dbfd12c8f734b5e94b8eb50c9f126e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\fish32_red.vm

Filesize
2KB

MD5
9a39a8c4fa63eb3cd5792b5babcd79ed

SHA1
a3e0963728b5ef20df5448193bce4c7323803223

SHA256
c4b33d9e40a57d3059c9f92eac4bec2b5fd7d7c3b2a5c16fa090e69eed49ee81

SHA512
9693ab488a5584cc0f718517f43cd01d275b79829bc10ff2705d81e4d19aa6a0db76a53239fa560a30571bc78dd2788a419d7342812c3bbe1f868853908f1c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\fish32_white.vm

Filesize
2KB

MD5
281fad30559432ef99ec9ad410a3ea79

SHA1
6d9324fc6a2a285a53f4e78a2d684b62a26a8dab

SHA256
6232379c0ce94efc1dcb9af56147b999b8c4f1cae352cdac4634823803f7390f

SHA512
742fc89321d4933ee0b7ea665b24d5c5d2d17e7f55dc7bacd7fbb449140a72ea43c81711249ae0b182ebc2b1ede553711bac70aeade93f6e0c01c7131fe637af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\fish64_black.vm

Filesize
2KB

MD5
b87ec0d5a64bfc6ad9a2544659aae8b5

SHA1
1c941c4a08312b1f6be58926814c808e73f150cb

SHA256
e7c68d401672835fc55cea7b97f6dd4b204b14bb8c5a4c824b5d856c1d06cfca

SHA512
1a47cf51c402239f9802b3f0603e54857b8139abbb5fc711c873d153e5542a8f257550af7f8321c35b267e2d54c818c70a7e93cb534117b877dbb2ff468fa0af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\fish64_red.vm

Filesize
2KB

MD5
2512fd9d393388019d59fa763ef83eae

SHA1
cb029fdab73e93765281c8fe58a7ca61fa24600f

SHA256
a83da4b13344ebd2b52f0bdd99666c3f7ee84b93116f2e27b68bf1a1d666e56a

SHA512
0ac707c5cd1ca17907b1731360659c304c7b96d8b69849c5d4823d0b2d2b42b31d3375f536878f574efa2ca4ac59fa0a0c06bb45268642e2b7f2e27aaa5eedea

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\fish64_white.vm

Filesize
2KB

MD5
602c33513f508106dd52e71974a46ab4

SHA1
b3803b2c1f5bf2c25bff489457c44a6e7583f474

SHA256
d1424f4417e113c08287a1cbff400f4610c2791a4b4c3a1dd0fc9852e731fe7f

SHA512
048a72f60a3fe33e32610c076f21280baa8afce75c1713bc9b8c94e32719f57151c3a23c187f0deb535dd553bbfda321b71f9e01ed4c2f9857b7d9d2127e2445

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\puma32_black.vm

Filesize
3KB

MD5
3dedf4fbb2e0a43c94993fead88efa89

SHA1
03192dac4da521419e47e3c5d05e85bc8f592c2e

SHA256
271e987b088a2b168d30df10a82665c38a55572e96010a13c5476892a8ffac73

SHA512
090f43b140125a68d8229feffd6a8c9163273c00f8bfdf400355db94351011de1c3b3f4001eb58be2e9ead7aeaa21c82fcd699aca3cccdf5ab4fcc8b9c949220

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\puma32_red.vm

Filesize
3KB

MD5
74c57c9b71d9fd9ad9d11e5d0024b32e

SHA1
cac26a548d0da85c68bb3198c2a0ed33796a5259

SHA256
771dbb95e4d605b3847353efce337e91e3f2357dac27fa9a6c8f53cf3f845c08

SHA512
79b56275c39376cae07b13288ceeea1647ee65b0a6004fe3bf0fea80030ab5ee887c0bac4c7172cf397249fbbfeff3a80257759ed4f42b1c0c9c20c90c2c31da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\puma32_white.vm

Filesize
3KB

MD5
29b4aaec06fe1e4765b1a23b44915d6d

SHA1
14f14e5f1438df1325632b495b1f51afd4f61d12

SHA256
f50810ce6b183b285c11c8ba012610e543879922f8ec241339810f07f07c8b25

SHA512
ef1c76948e8762be7d54ff3fd3f85afe1bc32301e21130acde02e2c5d52c64882554ac180847d680c674e30c5ff192a0776eebd1bc8c963fce8be0129cfe9b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\puma64_black.vm

Filesize
3KB

MD5
2776d33d620808e65d5d15caae1ab8d4

SHA1
dc75e46ff696d92a7747c9048ddec17677866ee3

SHA256
86fdfdcaff10978afb93f1108fa85c0f9086e5c3bb3775d231f5c9910ec65937

SHA512
ee25b4a026bd4dd46e0940a6b8e55a94e1bee28d721b9af3bb6ebd7f920cfdc189c5d77519f0fcf59cac2ab1eae90c2c1624c5689ad227aba3f28be51e904220

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\puma64_red.vm

Filesize
3KB

MD5
91439f040d2b0cf2d7d293300df7f331

SHA1
5c03fc2ed81a65804e5598d4c4db4768352580a6

SHA256
49660834559e5698bcfde12ae525ee282bcaa8aafb86504c3da35eaa97d5d9d6

SHA512
24a2c2dba220d5bca05b1726753c89f99551053344184fb025d59479a8e509de7c0ebff6696421be962f7464f66b23677265c2db53e7996a87d634db3b7112d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\puma64_white.vm

Filesize
3KB

MD5
99dee73f938fd211e913ff9b733c33b3

SHA1
579523facfa2f4114c175f5fc2a94ae2cc4fedc0

SHA256
6161040a0423f1da576f25ee8e2784425efce686727efe1dd770c6d48e689bee

SHA512
1e69eebea59e772312ce1231b94327b9f4e6d7ac2bd9d5b1ca6e70c1286dba6789e56b82af596953547751f9bf4a61e99045448adc4d9e658ba65a9cfcc931e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\shark32_black.vm

Filesize
3KB

MD5
4751dbc42566da935d6a950adc1afc50

SHA1
0590e83d685b08d7d37e3dd5a135fbd0a980312b

SHA256
251414d2033e176d2ff393f5ca7d96a8de9ad6084aa6ff8111a4eba7603e4a4a

SHA512
dd9852f90e894ede730582f5a8a4be5e3e78063a83ed020efb7634a6d78edb9eac33325a3523d71548f7d4de7ea6b651f676665fefd75fe3f373b9a9a467408d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\shark32_red.vm

Filesize
3KB

MD5
4b265b0965720f6617bc0a8816509787

SHA1
2260d29e62334ee75226b54e58e46452622d9f18

SHA256
73e068168464155f5587efbe55158a8a4cc27cdb82a16527652ebd075ebc10a4

SHA512
daa4d2809700cb7302909ef32c080b0b5287f0e82eadd3b0b02315e6725bf4179263a282e0a7e80fd3f5357427a9414a35d9f746e64e517a21f65928894cbddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\shark32_white.vm

Filesize
3KB

MD5
38ffd8b794ade770f157c71f8750ef20

SHA1
cab20f5c076954b99b7c8d2c94f9e2ae7d417ac2

SHA256
bba5fad22229f63e6ed7ade24b907f55e97752f366df97e9176dc2b223e77b9a

SHA512
52d7d643da018fbe1b25d80f3515424e61f5ff37aa78eb843b35769c146a9559ac875d75772323414f9f65ce244aee9d4915b7b473e9f61a22b26c9ee3b1a248

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\shark64_black.vm

Filesize
3KB

MD5
9415bf1d790b879f14e481b2bf4d3235

SHA1
dd3c4b45d82a90581109c376181c31fbc673a933

SHA256
8a545b8de4c09eda770be8046bc47e048f2981141a1f75fbb98b5f156bb638a3

SHA512
cdff05d99c8164a45c41b58dacb7edd0aa7d9de821eda4d1442df8cad7eefffaf898fcbbdbcfd508c5163133cda69fca4fabb3ba41d425485ea8f4a43c560ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\shark64_red.vm

Filesize
3KB

MD5
54bc29577ea9408deb0f01bd0343e0e7

SHA1
8e50b6fced59464f8962d13c8f5ba536981edc86

SHA256
a631c5af0f2c868b8d340239143ef5de8b958481d880444ebffe91863fb119f9

SHA512
a6d198628a4f8286f53a13f28185f3d22de277d7bcba1151e1e9b3d33aea9fffa4b9ea861336bf5352bc81601446cc4898b428075f677b3d861af07038168eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\shark64_white.vm

Filesize
3KB

MD5
0e393f3a0d83d3fddabedd077128ec5f

SHA1
a1628d30d6e24ffdf012c3ac6d48c7eb7daab83c

SHA256
e20119e3a0739bae403d302b933562259efe1b8a1f51659650ec9d81bef6bc14

SHA512
7b202e54afdc9f1e4813abd2b15c6c5ebc979808766c758731b91518f9cf43a035c8c1ee9d9fb5733f4aadad7d57eb7c7b8bb6d61e6b93ef7e219cc5048fca2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\tiger32_black.vm

Filesize
2KB

MD5
4869f9d01618a693d54726c4f69f2c38

SHA1
467505c4d378991cbef72de1b9e85c204c33be9c

SHA256
449b9160344884f052ba5fb9b013106e98fbf223904fb1f4b86275b330bcfe83

SHA512
662630a03b6a7118ae298dbfe942f8883323b8553095fc5a9a9054f5667a98eb4f14dedb15bf0f0fdbd627d44561674f96fadd65cbcad43e417287cf3619692e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\tiger32_red.vm

Filesize
2KB

MD5
70a4d7e8deef47b69980daa4f6730f4d

SHA1
d0cc1efc4e7216b55c77666d8baa581e1d545c19

SHA256
e91284e96e8faae4db9cd1df91334e50749ac04bdc1b7bec8e333b149a8e3dd9

SHA512
70f09fe7b4b70f1c0ee170fd3f212017954afda9b5fcd27be06352fa89e6567cd3623ada5a2553431d39e2b63713cc65c6856262f5f262b618a93b0500847fda

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\tiger32_white.vm

Filesize
2KB

MD5
3c23f346b210d6ecee2905e98f63d4e4

SHA1
6a5eb323d3ff179ff0fc4e4cea07c0037ac6d07c

SHA256
9e0d061111a3c239552fa8f25d419b005e2994665a39593890eb1ac0bfd17b2c

SHA512
1a0d4a7dac37bc210be10bd82525e7cee0f3513835484502bcaa8b9fe0c79a343e8bd1f1cb86639277b266d74eedaf8fd1ca7c68e4c7ac92d1dcafc763b7ccfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\tiger64_black.vm

Filesize
2KB

MD5
52a5dd937392391fdd874b944ae887de

SHA1
071b4be35957c5a9e7b4c351d65ca9609244c327

SHA256
6353b37d1aa06ef175ef2b2f5fbf41fc52ff056cdff59250fe653744de94b4d3

SHA512
e9dec32b47c63f75a0070141f4fca3846645e6c152a7f1ecd5c899064b0e5ae47708a352ab5e59c95ae081c2b1817b60115ed923c8c7536d37ae9cc142042c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\tiger64_red.vm

Filesize
2KB

MD5
92106dbd1a4285826243a7870f8763f2

SHA1
8600836593646a265ca0c023d12b13af902baa8d

SHA256
a7e89b85f101af348a4c8ddbcef33627357c837a330d83d260c98cd774143da0

SHA512
0d3015144680c5a0baef9006e6919ea2e4bdbf2d4f5cc163fbac1623c6b3bdff8c93378ab69cb99fd13c3313d8eb44e6e67fa0e316423ea3cee803ca31aaa1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\custom_vms\public\tiger64_white.vm

Filesize
2KB

MD5
0e326afc9c59f553ce1b4d242c23d514

SHA1
63d8e07e750e9bc0f2359ebf17453c61e2e4124f

SHA256
abc09860be9415fdfe21835269ed2c9fdcf905bfe634774c05347660cd45b1a4

SHA512
15816e5fee25911619a1bcd64649ffa981860e0b762fc68c6685f8dfe11910a5187d6539aed89893b5a20a224ce43651976e9f6ddc010fad4334dd2cfc8b129a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\license.js

Filesize
74KB

MD5
3ae5d683f6ac3b8e94046b04c87927de

SHA1
ace802d67421aabcf9ba3ba21632468f0265a2e2

SHA256
c439374dede22f38738d6c955764542c1528956c4d4b773a4dec12a4f34dba44

SHA512
ad3ba4ef0d4940b397d759edda1c45cffdeb1d684e04c787ba0be34dfd38e23ce375e4256237b33ec485f7f9b909277b3f6fd9e93d450087a31251abb164f7e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs

Filesize
139B

MD5
1dd5898d3ae55e741e71cbefa4079a39

SHA1
5f2c47dad5cb6e8bf938f5c72f9f45457fcbb4ad

SHA256
90d7b1b6f39b73a3dc55e88a6607d2889a3efd48b1cd55c7fb1ed4896949db78

SHA512
f4b3af4cbd20de5b32b56958db62469595dd3f1138d3a57c4f1292e6a47b2aef960fa710efa9218c17fe9f64796c0b1e4fbf0d8b97f941966a06ea11ec99487d

Download Submit
memory/1516-112-0x0000000010000000-0x00000000122C7000-memory.dmp

Filesize
34.8MB

Download
memory/1516-105-0x0000000010000000-0x00000000122C7000-memory.dmp

Filesize
34.8MB

Download
memory/1516-125-0x0000000010000000-0x00000000122C7000-memory.dmp

Filesize
34.8MB

Download
memory/1516-146-0x0000000010000000-0x00000000122C7000-memory.dmp

Filesize
34.8MB

Download
memory/1516-147-0x0000000010000000-0x00000000122C7000-memory.dmp

Filesize
34.8MB

Download
memory/1516-158-0x0000000077270000-0x0000000077310000-memory.dmp

Filesize
640KB

Download
memory/1516-157-0x0000000000400000-0x00000000022D1000-memory.dmp

Filesize
30.8MB

Download
memory/1516-159-0x0000000005D00000-0x0000000005D1D000-memory.dmp

Filesize
116KB

Download
memory/1516-128-0x0000000007AE0000-0x0000000007BAA000-memory.dmp

Filesize
808KB

Download
memory/1516-129-0x0000000007AE0000-0x0000000007BAA000-memory.dmp

Filesize
808KB

Download
memory/1516-134-0x0000000005D00000-0x0000000005D1D000-memory.dmp

Filesize
116KB

Download
memory/1516-135-0x0000000005D00000-0x0000000005D1D000-memory.dmp

Filesize
116KB

Download
memory/1516-142-0x0000000010000000-0x00000000122C7000-memory.dmp

Filesize
34.8MB

Download
memory/1516-144-0x0000000010000000-0x00000000122C7000-memory.dmp

Filesize
34.8MB

Download
memory/1516-145-0x0000000010000000-0x00000000122C7000-memory.dmp

Filesize
34.8MB

Download
memory/1516-148-0x0000000007BB0000-0x0000000007BCC000-memory.dmp

Filesize
112KB

Download
memory/1516-149-0x0000000007BB0000-0x0000000007BCC000-memory.dmp

Filesize
112KB

Download
memory/1516-123-0x0000000010000000-0x00000000122C7000-memory.dmp

Filesize
34.8MB

Download
memory/1516-143-0x0000000010000000-0x00000000122C7000-memory.dmp

Filesize
34.8MB

Download
memory/1516-122-0x0000000010000000-0x00000000122C7000-memory.dmp

Filesize
34.8MB

Download
memory/1516-121-0x0000000010000000-0x00000000122C7000-memory.dmp

Filesize
34.8MB

Download
memory/1516-126-0x0000000010000000-0x00000000122C7000-memory.dmp

Filesize
34.8MB

Download
memory/1516-124-0x0000000010000000-0x00000000122C7000-memory.dmp

Filesize
34.8MB

Download
memory/1516-127-0x0000000010000000-0x00000000122C7000-memory.dmp

Filesize
34.8MB

Download
memory/1516-107-0x0000000010000000-0x00000000122C7000-memory.dmp

Filesize
34.8MB

Download
memory/1516-108-0x0000000010000000-0x00000000122C7000-memory.dmp

Filesize
34.8MB

Download
memory/1516-113-0x0000000010000000-0x00000000122C7000-memory.dmp

Filesize
34.8MB

Download
memory/1516-115-0x0000000010000000-0x00000000122C7000-memory.dmp

Filesize
34.8MB

Download
memory/1516-117-0x0000000010000000-0x00000000122C7000-memory.dmp

Filesize
34.8MB

Download
memory/1516-118-0x0000000010000000-0x00000000122C7000-memory.dmp

Filesize
34.8MB

Download
memory/1516-120-0x0000000010000000-0x00000000122C7000-memory.dmp

Filesize
34.8MB

Download
memory/1516-110-0x0000000010000000-0x00000000122C7000-memory.dmp

Filesize
34.8MB

Download
memory/1516-119-0x0000000010000000-0x00000000122C7000-memory.dmp

Filesize
34.8MB

Download
memory/1516-116-0x0000000010000000-0x00000000122C7000-memory.dmp

Filesize
34.8MB

Download
memory/1516-114-0x0000000010000000-0x00000000122C7000-memory.dmp

Filesize
34.8MB

Download
memory/1516-104-0x0000000010000000-0x00000000122C7000-memory.dmp

Filesize
34.8MB

Download
memory/1516-111-0x0000000010000000-0x00000000122C7000-memory.dmp

Filesize
34.8MB

Download
memory/1516-109-0x0000000010000000-0x00000000122C7000-memory.dmp

Filesize
34.8MB

Download
memory/1516-106-0x0000000010000000-0x00000000122C7000-memory.dmp

Filesize
34.8MB

Download
memory/1516-97-0x0000000010000000-0x00000000122C7000-memory.dmp

Filesize
34.8MB

Download
memory/1516-98-0x0000000010000000-0x00000000122C7000-memory.dmp

Filesize
34.8MB

Download
memory/1516-198-0x0000000000400000-0x00000000022D1000-memory.dmp

Filesize
30.8MB

Download
memory/1516-88-0x0000000000400000-0x00000000022D1000-memory.dmp

Filesize
30.8MB

Download
memory/1516-196-0x0000000000400000-0x00000000022D1000-memory.dmp

Filesize
30.8MB

Download
memory/1516-197-0x0000000077270000-0x0000000077310000-memory.dmp

Filesize
640KB

Download
memory/2548-87-0x00000000040D0000-0x0000000005FA1000-memory.dmp

Filesize
30.8MB

Download
memory/2548-89-0x00000000040D0000-0x0000000005FA1000-memory.dmp

Filesize
30.8MB

Download