strrat | 232fea54ac8321f41fa38a31ea3118b7821cb635ebefe1794c6d2e3399d2645a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa3641a70d4bf48894b9e62420055c83_JaffaCakes118.vbs
Size

246KB
MD5

aa3641a70d4bf48894b9e62420055c83
SHA1

b14e467dcde6ef99866cb0835ce2d2df6c1b921f
SHA256

232fea54ac8321f41fa38a31ea3118b7821cb635ebefe1794c6d2e3399d2645a
SHA512

ea372bf621076cbbb628e885428dcaaff2476ddbdebb067c564c9cf567a38bf110d1a4378dd5cdac7935160f2184410ff8e2d2d9f46562c99fbce5232ad186d7
SSDEEP

6144:xxgPhA9k5Ffy9be37tVTfxAj8BjuuPi1hs:xxgvvKOVT5Aj8BjTins

Score

10^/10

strrat wshrat discovery execution persistence stealer trojan

Malware Config

Extracted

Family

strrat

104.248.53.108:8898

Attributes

license_id
HCXX-4KTB-4WZA-FBIK-9QEC
plugins_url
http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
scheduled_task
true
secondary_startup
true
startup
true

Extracted

Family

wshrat

http://pluginsrv2.duckdns.org:8899

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 26 IoCs

Processes:

WScript.exe

flow	pid	process
32	3832	WScript.exe
41	3832	WScript.exe
44	3832	WScript.exe
46	3832	WScript.exe
53	3832	WScript.exe
67	3832	WScript.exe
69	3832	WScript.exe
73	3832	WScript.exe
78	3832	WScript.exe
82	3832	WScript.exe
88	3832	WScript.exe
91	3832	WScript.exe
93	3832	WScript.exe
97	3832	WScript.exe
100	3832	WScript.exe
104	3832	WScript.exe
108	3832	WScript.exe
111	3832	WScript.exe
115	3832	WScript.exe
117	3832	WScript.exe
122	3832	WScript.exe
126	3832	WScript.exe
130	3832	WScript.exe
133	3832	WScript.exe
136	3832	WScript.exe
138	3832	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

3012 powershell.exe
4452 powershell.exe

pid	process
3012	powershell.exe
4452	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 3 IoCs

Processes:

WScript.exejava.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OCbzFUmFJV.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OCbzFUmFJV.vbs	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ntfsmgr.jar	java.exe

Loads dropped DLL 3 IoCs

Processes:

java.exejava.exejava.exe

pid process

1712 java.exe
3616 java.exe
1656 java.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2832 icacls.exe

pid	process
1712	java.exe
3616	java.exe
1656	java.exe

pid	process
2832	icacls.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WScript.exeWScript.exejava.exejava.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OCbzFUmFJV = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OCbzFUmFJV.vbs\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OCbzFUmFJV = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OCbzFUmFJV.vbs\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\""	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\""	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plugins = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\plugins.jar\" mp"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plugins = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\plugins.jar\" mp"	java.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service
T1102

Processes:

flow ioc

62 pastebin.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2888 schtasks.exe
Modifies registry class 1 IoCs

Processes:

WScript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings WScript.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

3012 powershell.exe
3012 powershell.exe
4452 powershell.exe
4452 powershell.exe
4452 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3012 powershell.exe
Token: SeDebugPrivilege 4452 powershell.exe

flow	ioc
62	pastebin.com

pid	process
2888	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	WScript.exe

pid	process
3012	powershell.exe
3012	powershell.exe
4452	powershell.exe
4452	powershell.exe
4452	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	4452	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

WScript.execmd.exejavaw.exeWScript.exejavaw.exejava.execmd.exejava.exe

description	pid	process	target process
PID 4692 wrote to memory of 3012	4692	WScript.exe	powershell.exe
PID 4692 wrote to memory of 3012	4692	WScript.exe	powershell.exe
PID 4692 wrote to memory of 3832	4692	WScript.exe	WScript.exe
PID 4692 wrote to memory of 3832	4692	WScript.exe	WScript.exe
PID 4692 wrote to memory of 3952	4692	WScript.exe	cmd.exe
PID 4692 wrote to memory of 3952	4692	WScript.exe	cmd.exe
PID 3952 wrote to memory of 2908	3952	cmd.exe	javaw.exe
PID 3952 wrote to memory of 2908	3952	cmd.exe	javaw.exe
PID 2908 wrote to memory of 2832	2908	javaw.exe	icacls.exe
PID 2908 wrote to memory of 2832	2908	javaw.exe	icacls.exe
PID 4692 wrote to memory of 4092	4692	WScript.exe	javaw.exe
PID 4692 wrote to memory of 4092	4692	WScript.exe	javaw.exe
PID 3832 wrote to memory of 4452	3832	WScript.exe	powershell.exe
PID 3832 wrote to memory of 4452	3832	WScript.exe	powershell.exe
PID 4092 wrote to memory of 1712	4092	javaw.exe	java.exe
PID 4092 wrote to memory of 1712	4092	javaw.exe	java.exe
PID 1712 wrote to memory of 1480	1712	java.exe	cmd.exe
PID 1712 wrote to memory of 1480	1712	java.exe	cmd.exe
PID 1712 wrote to memory of 3616	1712	java.exe	java.exe
PID 1712 wrote to memory of 3616	1712	java.exe	java.exe
PID 1480 wrote to memory of 2888	1480	cmd.exe	schtasks.exe
PID 1480 wrote to memory of 2888	1480	cmd.exe	schtasks.exe
PID 3616 wrote to memory of 1656	3616	java.exe	java.exe
PID 3616 wrote to memory of 1656	3616	java.exe	java.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa3641a70d4bf48894b9e62420055c83_JaffaCakes118.vbs"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$deleBravo = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$deleBravo=$deleBravo.replace('%(','m');$Abt = [Convert]::FromBase64String($deleBravo);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\OCbzFUmFJV.vbs"
2⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$deleBravo = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$deleBravo=$deleBravo.replace('%(','A');$Abt = [Convert]::FromBase64String($deleBravo);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -version 2> C:\Users\Admin\AppData\Local\Temp\output.txt
2⤵
- Suspicious use of WriteProcessMemory
PID:3952

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -version
3⤵
- Suspicious use of WriteProcessMemory
PID:2908

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
4⤵
- Modifies file permissions
PID:2832

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
2⤵
- Suspicious use of WriteProcessMemory
PID:4092

C:\Program Files\Java\jre-1.8\bin\java.exe
"C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\ntfsmgr.jar"
3⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SYSTEM32\cmd.exe
cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
4⤵
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
5⤵
- Creates scheduled task(s)
PID:2888

C:\Program Files\Java\jre-1.8\bin\java.exe
"C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3616

C:\Program Files\Java\jre-1.8\bin\java.exe
"C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\plugins.jar" mp
5⤵
- Loads dropped DLL
- Adds Run key to start application
PID:1656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1276,i,7977653611488681184,6839495125838449898,262144 --variations-seed-version --mojo-platform-channel-handle=1716 /prefetch:8
1⤵
PID:2292

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
6ce7ac760a0d3d33a1c66f7e35fb0687

SHA1
de5b69b0b2f330a0c3e62f41fd51aa2cd5db7c99

SHA256
d3418903dc867d1fc767ded8650c610a42b30e174e7b72e6b7a2c8ae8b782727

SHA512
7b2d0e3d8359ae5783109d6654f09def5d6839a5ccbe952d7164b0a64794b934eb96188acd934ec3ff6437857b360c1a09941520f66c740e7c46955880fcdb5b

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
2b41af17a41cfa5783683e5315b60474

SHA1
b9d615060c298ccc83a99961fd9c47178075a9f3

SHA256
5d7633de09e092f37cce1d97520fc35c7878f8d26cf0aee658c058ec57e8cb8c

SHA512
1c5e3413850c28f697e6ecb636af1af8f9a311a0f950c9c6d789740b280eed0ef99a72ae87a19ca0b68cd441cd6765ba32115d1304f8ef5357c15cb3ead8627b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gbwizpmi.tqv.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna8160978156142359804.dll
Filesize
241KB

MD5
e02979ecd43bcc9061eb2b494ab5af50

SHA1
3122ac0e751660f646c73b10c4f79685aa65c545

SHA256
a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

SHA512
1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt
Filesize
147B

MD5
faf2f8b188047379978915849af13d28

SHA1
42ecb6f269f3dc3183d3b72b4216010f106d3317

SHA256
4ebfda517657bcc9f2b2e3c3cd13e58e9adef320c0ca1a8ac9aee888d4e1ef8e

SHA512
85c3afedfda0aa63edab3b1c5ed7ef8b06e392d387ea3c16bd28c66a54f72c7cbdd14b8af9428168402313f8a4d203be7e5f8a6732d0d8d52d46fe3963ebde79

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3665033694-1447845302-680750983-1000\83aa4cc77f591dfc2374580bbd95f6ba_0c2dbd8b-df2c-459b-9e3f-15002e1e55b7
Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\OCbzFUmFJV.vbs
Filesize
38KB

MD5
1afce7b575e10a80f7cde952834e857b

SHA1
a879bd0bf0b2c6334326490aa41d46ec7b597c00

SHA256
966744fdd6c03fd0579356b1a6004057a4568e40dbdfbfaf7509e0f0c47ebc59

SHA512
061b944193a942b7d73aa28fc8917811a2463a327c2f5b2a0beec43900c69696ff2f0c4aadd70a0383ae94b512ef3c93a4c68fe05befb523b22087514afbec90

Download Submit
C:\Users\Admin\AppData\Roaming\ntfsmgr.jar
Filesize
90KB

MD5
fe301367a17023bd41c7f8d7ccd571d6

SHA1
258beed821940d21a08d9f1c4b5c019beaabf6f8

SHA256
9fce9071a5d6dfbd8b557a979bd05209ed03aa2f178d63022810fc834bcde1fd

SHA512
5b631df1739437c8b5e0194c808c858055fcbc555747fa6de9ca81835c9c7f84f55bd1f66711f1a48e9366c3a64d0c4278c21d5ada51d42f3ba844aa2e1ab863

Download Submit
C:\Users\Admin\lib\jna-5.5.0.jar
Filesize
1.4MB

MD5
acfb5b5fd9ee10bf69497792fd469f85

SHA1
0e0845217c4907822403912ad6828d8e0b256208

SHA256
b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e

SHA512
e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

Download Submit
C:\Users\Admin\lib\jna-platform-5.5.0.jar
Filesize
2.6MB

MD5
2f4a99c2758e72ee2b59a73586a2322f

SHA1
af38e7c4d0fc73c23ecd785443705bfdee5b90bf

SHA256
24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5

SHA512
b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494

Download Submit
C:\Users\Admin\lib\sqlite-jdbc-3.14.2.1.jar
Filesize
4.1MB

MD5
b33387e15ab150a7bf560abdc73c3bec

SHA1
66b8075784131f578ef893fd7674273f709b9a4c

SHA256
2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491

SHA512
25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279

Download Submit
C:\Users\Admin\lib\system-hook-3.5.jar
Filesize
772KB

MD5
e1aa38a1e78a76a6de73efae136cdb3a

SHA1
c463da71871f780b2e2e5dba115d43953b537daf

SHA256
2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609

SHA512
fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

Download Submit
memory/1656-254-0x00000231227E0000-0x00000231227E1000-memory.dmp

Filesize
4KB

Download
memory/1712-182-0x00000206A5210000-0x00000206A5211000-memory.dmp

Filesize
4KB

Download
memory/1712-167-0x00000206A5210000-0x00000206A5211000-memory.dmp

Filesize
4KB

Download
memory/2908-32-0x000001C32B570000-0x000001C32B571000-memory.dmp

Filesize
4KB

Download
memory/3012-0-0x00007FFD531B3000-0x00007FFD531B5000-memory.dmp

Filesize
8KB

Download
memory/3012-12-0x00007FFD531B0000-0x00007FFD53C71000-memory.dmp

Filesize
10.8MB

Download
memory/3012-6-0x0000024B29240000-0x0000024B29262000-memory.dmp

Filesize
136KB

Download
memory/3012-11-0x00007FFD531B0000-0x00007FFD53C71000-memory.dmp

Filesize
10.8MB

Download
memory/3012-15-0x00007FFD531B0000-0x00007FFD53C71000-memory.dmp

Filesize
10.8MB

Download
memory/3616-258-0x0000026A35040000-0x0000026A35041000-memory.dmp

Filesize
4KB

Download
memory/3616-208-0x0000026A35040000-0x0000026A35041000-memory.dmp

Filesize
4KB

Download
memory/4092-127-0x000001B328470000-0x000001B328471000-memory.dmp

Filesize
4KB

Download
memory/4092-94-0x000001B328470000-0x000001B328471000-memory.dmp

Filesize
4KB

Download
memory/4092-74-0x000001B328470000-0x000001B328471000-memory.dmp

Filesize
4KB

Download
memory/4092-101-0x000001B328470000-0x000001B328471000-memory.dmp

Filesize
4KB

Download
memory/4092-134-0x000001B328470000-0x000001B328471000-memory.dmp

Filesize
4KB

Download
memory/4092-130-0x000001B328470000-0x000001B328471000-memory.dmp

Filesize
4KB

Download
memory/4092-92-0x000001B328470000-0x000001B328471000-memory.dmp

Filesize
4KB

Download
memory/4092-61-0x000001B328470000-0x000001B328471000-memory.dmp

Filesize
4KB

Download