Analysis
  max time kernel: 111s
  max time network: 116s
  platform: windows10-2004_x64
  resource: win10v2004-20220901-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 23-11-2022 21:14

Static task: static1
Behavioral task: behavioral1
  Sample: Ziproar.exe
  Resource: win10v2004-20220901-en
General
  Target: Ziproar.exe
  Size: 1.2MB
  MD5: 2ec2320d4eed30db02d36b9dacfb44e9
  SHA1: 018d7d4a124aa6e8a17586d4610608bc4e84533c
  SHA256: 5bcd2e971509198523001843ba1f8d7e5cd1aebcf2e347acc58a21fbb8307aee
  SHA512: 8a834cee216dfba2635cd0b9e0c5a9cadcfd100e7427651416c8fb65bdeb01c23a63fe3abb4306bebeee7f54327de9aa4da85418761b710d6d549919dd23c10d
  SSDEEP: 24576:cLlgAi31nyHQLAgcDyOTG64fvVxSWsdezc0SEI:cy3nyHQLAgcRV4fHfhkEI
Malware Config
Signatures
Executes dropped EXE 2 IoCs
Processes:
  pid   process
  3256  ZipRoar.exe
  4688  ZR.exe

Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                    process
  Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  Ziproar.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  cmd.exe

Loads dropped DLL 12 IoCs
Processes:
  pid   process
  3256  ZipRoar.exe (12 load events)

Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description  ioc                                                                                                        process
  Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run  msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory 2 IoCs
Processes:
  description                   ioc                                                                                                    process
  File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221123211534.pma                       setup.exe
  File created                  C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\97473d58-2af5-40bf-bed9-5e8d778f8c38.tmp  setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 1 IoCs
Processes:
  pid   pid_target  process       target process
  4308  4688        WerFault.exe  ZR.exe

Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
  description        ioc                                                                    process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe

Kills process with taskkill 1 IoCs
Processes:
  pid   process
  4364  taskkill.exe

Modifies registry class 1 IoCs
Processes:
  description  ioc                                                                                          process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  msedge.exe
Modifies system certificate store 8 IoCs
Processes:
  description       ioc                                                                                                                        process
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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  ZipRoar.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43  ZipRoar.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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  ZipRoar.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25  ZipRoar.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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  ZipRoar.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (full value, hex, continues on the following lines)
5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc
41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a  ZipRoar.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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  ZipRoar.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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  ZipRoar.exe
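All eight AuthRoot writes above come from ZipRoar.exe (pid 3256) and target two keys named by SHA1 thumbprint. The one Blob value the report prints in full (key 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25) is in the layout Windows uses for every SystemCertificates\...\Certificates\<thumbprint>\Blob value: a run of records, each a little-endian DWORD property id, a DWORD that is always 1, a DWORD byte count, then the property bytes. Read that way, the printed hex contains propid 3 (SHA1 hash) = 5fb7ee06...61c7dc25, which is the key name; propid 11 (friendly name) = "DigiCert" in UTF-16LE; and propid 32 = a 969-byte DER certificate whose subject strings ("DigiCert Inc", "www.digicert.com", "DigiCert High Assurance EV Root CA") are readable in the hex and whose issuer equals its subject, i.e. a self-signed root. The check a practitioner wants from this signature is therefore not "was AuthRoot touched" (this is the same location Windows' automatic root update populates when a program builds a chain to a root it has not cached yet) but whether SHA1(propid 32) equals both the stored propid 3 and the key name, and whether that thumbprint belongs to a root Microsoft actually distributes. The parser below is an added example, not code from the report or from the sample. It reimplements the record layout; REPORT_HEAD is the first three records copied from the hex above, while SAMPLE_BLOB is constructed here around a placeholder byte string standing in for the 969-byte certificate, which is too long to embed.

```python
"""Decode a Windows SystemCertificates ...\\Certificates\\<thumbprint>\\Blob registry value.

Record layout (little-endian), repeated until the value ends:
    DWORD propid   property identifier (CERT_*_PROP_ID)
    DWORD reserved always 1
    DWORD cb       length of the property bytes
    BYTE  data[cb]
"""
import hashlib
import struct
from typing import Dict

CERT_SHA1_HASH_PROP_ID = 3       # 20-byte thumbprint of the encoded certificate
CERT_FRIENDLY_NAME_PROP_ID = 11  # NUL-terminated UTF-16LE string
CERT_CERT_PROP_ID = 32           # the DER-encoded certificate itself


def parse_blob(blob: bytes) -> Dict[int, bytes]:
    """Return {propid: data} for every record; raise on a truncated or malformed value."""
    props: Dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated record header at offset {off}")
        propid, reserved, cb = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError(f"reserved field is {reserved}, expected 1, at offset {off}")
        off += 12
        if off + cb > len(blob):
            raise ValueError(f"propid {propid} claims {cb} bytes past the end of the value")
        props[propid] = blob[off:off + cb]
        off += cb
    return props


def is_well_formed(blob: bytes) -> bool:
    """True when every record parses cleanly and the value ends on a record boundary."""
    try:
        parse_blob(blob)
        return True
    except ValueError:
        return False


def check_authroot_entry(key_name: str, blob: bytes) -> dict:
    """Cross-check the key name, the stored SHA1 property and the certificate really stored."""
    props = parse_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("value carries no certificate record (propid 32)")
    actual = hashlib.sha1(der).hexdigest().upper()
    stored = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex().upper()
    name = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le").rstrip("\x00")
    return {
        "friendly_name": name,
        "thumbprint": actual,
        "cert_len": len(der),
        "key_matches_cert": key_name.upper() == actual,
        "stored_hash_matches_cert": stored == actual,
    }


def build_blob(props: Dict[int, bytes]) -> bytes:
    """Serialise records in the same layout; used only to construct the sample below."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in props.items())


# First three records of the Blob printed in the report (propids 0x5c, 0x19 and 3).
REPORT_HEAD = bytes.fromhex(
    "5c000000010000000400000000080000"
    "190000000100000010000000ba4f3972e7aed9dccdc210db59da13c9"
    "0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25"
)

# Constructed sample input. FAKE_DER is a placeholder byte string, not a real certificate.
FAKE_DER = bytes.fromhex("3082000c020101020102020103")
FAKE_THUMB = hashlib.sha1(FAKE_DER).hexdigest().upper()
SAMPLE_BLOB = build_blob({
    CERT_FRIENDLY_NAME_PROP_ID: "DigiCert\x00".encode("utf-16-le"),
    CERT_SHA1_HASH_PROP_ID: bytes.fromhex(FAKE_THUMB),
    CERT_CERT_PROP_ID: FAKE_DER,
})
# The report's other AuthRoot key name, used here as a key that does not match the stored cert.
MISMATCHED_KEY = "0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43"

if __name__ == "__main__":
    print(parse_blob(REPORT_HEAD)[CERT_SHA1_HASH_PROP_ID].hex())
    print(check_authroot_entry(FAKE_THUMB, SAMPLE_BLOB))
    print(check_authroot_entry(MISMATCHED_KEY, SAMPLE_BLOB))
```

On a live host the raw REG_BINARY value can be read with Python's winreg module and passed straight to check_authroot_entry together with the key name; a mismatch between the key name and SHA1(propid 32), or a stored propid 3 that does not match, is the anomaly worth escalating, whereas a matching, well-known root thumbprint is consistent with the ordinary root-update cache.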
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
  pid   process
  3104  msedge.exe (2 events)
  4688  ZR.exe (2 events)
  1732  msedge.exe (2 events)
  3408  identity_helper.exe (2 events)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
Processes:
  pid   process
  1732  msedge.exe (9 events)

Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
  description                        pid   process
  Token: SeDebugPrivilege            3256  ZipRoar.exe
  Token: SeDebugPrivilege            4364  taskkill.exe
  Token: 33                          2168  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  2168  AUDIODG.EXE

Suspicious use of FindShellTrayWindow 27 IoCs
Processes:
  pid   process
  1732  msedge.exe (27 events)

Suspicious use of SendNotifyMessage 24 IoCs
Processes:
  pid   process
  1732  msedge.exe (24 events)

Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
  pid   process
  3256  ZipRoar.exe (4 events)

Suspicious use of WriteProcessMemory 64 IoCs
Processes (identical parent/child rows collapsed; the number of rows per pair is in parentheses):
  pid   process      target pid  target process
  1728  Ziproar.exe  3256        ZipRoar.exe   (3)
  3256  ZipRoar.exe  4688        ZR.exe        (3)
  4688  ZR.exe       3560        cmd.exe       (3)
  3560  cmd.exe      4364        taskkill.exe  (3)
  4688  ZR.exe       1868        cmd.exe       (3)
  1868  cmd.exe      1732        msedge.exe    (2)
  1732  msedge.exe   4848        msedge.exe    (2)
  1732  msedge.exe   4972        msedge.exe    (40)
  1732  msedge.exe   3104        msedge.exe    (2)
  1732  msedge.exe   1380        msedge.exe    (3)
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\Ziproar.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\Ziproar.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\ZipRoar\ZipRoar.exe
    cmdline: "C:\Users\Admin\AppData\Local\ZipRoar\ZipRoar.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Users\Admin\AppData\Local\ZipRoar\ZR.exe
      cmdline: "C:\Users\Admin\AppData\Local\ZipRoar\ZR.exe" 60480 0
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im msedge.exe
        - Suspicious use of WriteProcessMemory
        [depth 5] C:\Windows\SysWOW64\taskkill.exe
          cmdline: taskkill /f /im msedge.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [depth 4] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c start msedge
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
          - Adds Run key to start application
          - Enumerates system info in registry
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff82e3546f8,0x7ff82e354708,0x7ff82e354718
          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 /prefetch:3
            - Suspicious behavior: EnumeratesProcesses
          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4220 /prefetch:1
          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5528 /prefetch:8
          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5192 /prefetch:8
          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4260 /prefetch:8
          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
            - Drops file in Program Files directory
            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff69b215460,0x7ff69b215470,0x7ff69b215480
          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4260 /prefetch:8
            - Suspicious behavior: EnumeratesProcesses
          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1
          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5684 /prefetch:8
          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5840 /prefetch:8
      [depth 4] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 1116
        - Program crash
[depth 1] C:\Windows\System32\CompPkgSrv.exe
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4688 -ip 4688
[depth 1] C:\Windows\system32\AUDIODG.EXE
  cmdline: C:\Windows\system32\AUDIODG.EXE 0x4e8 0x494
  - Suspicious use of AdjustPrivilegeToken
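The tree shows ZR.exe (pid 4688, itself dropped under the user's AppData\Local\ZipRoar) spawning cmd.exe /c taskkill /f /im msedge.exe and then cmd.exe /c start msedge, after which every later Edge process descends from the sample. A detection keyed on that pair, rather than on taskkill alone (installers and update scripts use taskkill routinely), is given below as an added example; it is not part of the Triage report and not code from the sample. The event records are reconstructed from the tree above and from the WriteProcessMemory parent/child rows; the browser list, the regexes, and the choice to walk up past cmd.exe to the process that issued the command are this example's own assumptions.

```python
"""Flag a process that force-kills a browser with taskkill and then relaunches it.

Event records are constructed from the process tree in this report; the field names
(pid, ppid, image, cmdline) follow what a process-creation log such as Sysmon event 1
provides. Browser list and regexes are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Reconstructed from the report: image paths and command lines from the process tree,
# parent/child pids from the WriteProcessMemory rows. Pid 1728 has no recorded parent.
EVENTS: List[ProcEvent] = [
    ProcEvent(1728, None, r"C:\Users\Admin\AppData\Local\Temp\Ziproar.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Ziproar.exe"'),
    ProcEvent(3256, 1728, r"C:\Users\Admin\AppData\Local\ZipRoar\ZipRoar.exe",
              r'"C:\Users\Admin\AppData\Local\ZipRoar\ZipRoar.exe"'),
    ProcEvent(4688, 3256, r"C:\Users\Admin\AppData\Local\ZipRoar\ZR.exe",
              r'"C:\Users\Admin\AppData\Local\ZipRoar\ZR.exe" 60480 0'),
    ProcEvent(3560, 4688, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c taskkill /f /im msedge.exe"),
    ProcEvent(4364, 3560, r"C:\Windows\SysWOW64\taskkill.exe", r"taskkill /f /im msedge.exe"),
    ProcEvent(1868, 4688, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c start msedge"),
    ProcEvent(1732, 1868, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"'),
]

BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "brave.exe", "iexplore.exe"}  # assumption
WRAPPERS = {"cmd.exe", "taskkill.exe"}  # shells/utilities to walk past when attributing a command
TASKKILL_RE = re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+(\S+)", re.IGNORECASE)
APPDATA_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def owner_of(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Optional[ProcEvent]:
    """Walk up past cmd.exe/taskkill.exe to the process that really issued the command."""
    cur: Optional[ProcEvent] = ev
    while cur is not None and basename(cur.image) in WRAPPERS:
        cur = by_pid.get(cur.ppid) if cur.ppid is not None else None
    return cur


def chain(pid: int, events: List[ProcEvent]) -> str:
    """Root-to-leaf image names, e.g. 'Ziproar.exe > ZipRoar.exe > ZR.exe > cmd.exe > taskkill.exe'."""
    by_pid = {e.pid: e for e in events}
    names: List[str] = []
    cur = by_pid.get(pid)
    while cur is not None:
        names.append(cur.image.rsplit("\\", 1)[-1])
        cur = by_pid.get(cur.ppid) if cur.ppid is not None else None
    return " > ".join(reversed(names))


def detect_browser_restart(events: List[ProcEvent]) -> List[dict]:
    """One finding per (owner, browser): a browser force-killed, and whether the same owner relaunched it."""
    by_pid = {e.pid: e for e in events}
    children: Dict[Optional[int], List[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    findings: List[dict] = []
    seen = set()
    for e in events:
        m = TASKKILL_RE.search(e.cmdline)
        if not m or m.group(1).lower() not in BROWSERS:
            continue
        browser = m.group(1).lower()
        owner = owner_of(e, by_pid)
        if owner is None or (owner.pid, browser) in seen:
            continue  # the cmd.exe wrapper and taskkill.exe itself describe the same act
        seen.add((owner.pid, browser))
        stem = re.escape(browser[:-4])  # "msedge.exe" -> "msedge"
        restarted = any(
            re.search(rf"\bstart\b.*\b{stem}\b", c.cmdline, re.IGNORECASE)
            for c in children.get(owner.pid, [])
        )
        findings.append({
            "owner_pid": owner.pid,
            "owner_image": basename(owner.image),
            "owner_in_appdata": bool(APPDATA_RE.search(owner.image)),
            "killed": browser,
            "restarted_by_owner": restarted,
            "chain": chain(e.pid, events),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_browser_restart(EVENTS):
        print(finding)
```

Against the reconstructed events the single finding names ZR.exe (pid 4688) as the owner, running from AppData, with msedge.exe killed and relaunched; feeding the same function the first five events only (no start msedge) still reports the kill but with restarted_by_owner false, which is the distinction that keeps ordinary installer noise out of the alert.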
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\ZipRoar\Configuration.dll
  Filesize: 57KB
  MD5: 3b8a0187e673363ac8922d1dcd31f849
  SHA1: dbcbd5e4d43ff717bd36ffb8e63dab84d9cf23c9
  SHA256: 24c1f6fc25b287045833fe3d313c71d70a92fd442ae3818c776bd5a8f86e0833
  SHA512: 44fd03cff504ff9edfe7d292906341e6d2bfbda23904634dacfa083bc9e05ab160bd8fe325f583f1a6dd291c153610834560e0520fa664634d84bc7f58080668

C:\Users\Admin\AppData\Local\ZipRoar\Interop.IWshRuntimeLibrary.dll
  Filesize: 48KB
  MD5: d5f9fc1dab643687d971de1f8e5f6a27
  SHA1: 4ad25e71ba405893391afbb7852b5b32b1add413
  SHA256: aedd7030adee4845e05210611bcb81cbfb614793398f50587ff1d99a9f5dfb9e
  SHA512: 893bf28a730dad7717b1eeee7f1398d02f9f9fd438ce1daf43b3e91c9bcf31d4538c256c9595596fdfb954b0576b2e3f2da7fafa5130ddbe0cfad75536edea87

C:\Users\Admin\AppData\Local\ZipRoar\Newtonsoft.Json.dll
  Filesize: 495KB
  MD5: 283544d7f0173e6b5bfbfbc23d1c2fb0
  SHA1: 3e33b2ef50dac60b7411a84779d61bdb0ed9d673
  SHA256: 9165e595b3a0de91ac91a38e742597e12ebb2a5a8fa53058d964a06ceaef7735
  SHA512: 150b45cd43dc5cf191c85524c15dea09fbb48766ad802851270eaacfd73f3d097fef8dcf0ea042184220e7bc71413677d88a206d8bbe60374986e4789054040b

C:\Users\Admin\AppData\Local\ZipRoar\ZR.exe
  Filesize: 662KB
  MD5: 9f1911283eced232b7d6844ad210866d
  SHA1: 5e9fe88b90765d4aeef0c164a6fe6ac4a8f16365
  SHA256: 2494d98172f7397841031d87e95bfa535221c7e9f383836e566e794029f695f8
  SHA512: 1e72976f192dd0a7a6631f1b9c6553dbcaafc35e386047d3c73348b529bbc927b5c2a7e2fa9512f6c4530dd0f89403b638ef0fdc444c1baedd722bd7b385d465

C:\Users\Admin\AppData\Local\ZipRoar\ZipRoar.exe
  Filesize: 401KB
  MD5: 36a981f83e01fc2fd6989ae2dd6282f3
  SHA1: ecab92460b72e5c51b5e7754ba232d0eed79f646
  SHA256: fac0076d6ee5943ba2c8d85afff03909bc32ac5da8d2da0adc655fb1f4ea9025
  SHA512: 91cd3d091ef3b9464b60437a14710dab7f400126c95038643f507925138fe98e18cc156cd79f740e0e9fb7eae30b2f832cbe41ffe183c500e85129095d691944

\??\pipe\LOCAL\crashpad_1732_CKXMVLLUEWVIHXAR
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  (all four are the digests of zero bytes: no content was captured from this pipe)

Memory dumps
  memory/428-196-0x0000000000000000-mapping.dmp
  memory/1088-175-0x0000000000000000-mapping.dmp
  memory/1268-173-0x0000000000000000-mapping.dmp
  memory/1380-167-0x0000000000000000-mapping.dmp
  memory/1404-181-0x0000000000000000-mapping.dmp
  memory/1480-190-0x0000000000000000-mapping.dmp
  memory/1732-159-0x0000000000000000-mapping.dmp
  memory/1868-158-0x0000000000000000-mapping.dmp
  memory/2228-169-0x0000000000000000-mapping.dmp
  memory/3104-164-0x0000000000000000-mapping.dmp
  memory/3256-140-0x0000000073660000-0x0000000073C11000-memory.dmp  Filesize: 5.7MB
  memory/3256-132-0x0000000000000000-mapping.dmp
  memory/3256-161-0x0000000000E9A000-0x0000000000E9F000-memory.dmp  Filesize: 20KB
  memory/3256-155-0x0000000000E9A000-0x0000000000E9F000-memory.dmp  Filesize: 20KB
  memory/3256-177-0x0000000000E9A000-0x0000000000E9F000-memory.dmp  Filesize: 20KB
  memory/3256-176-0x0000000073660000-0x0000000073C11000-memory.dmp  Filesize: 5.7MB
  memory/3256-146-0x0000000073660000-0x0000000073C11000-memory.dmp  Filesize: 5.7MB
  memory/3408-184-0x0000000000000000-mapping.dmp
  memory/3560-156-0x0000000000000000-mapping.dmp
  memory/3732-171-0x0000000000000000-mapping.dmp
  memory/3924-194-0x0000000000000000-mapping.dmp
  memory/4084-183-0x0000000000000000-mapping.dmp
  memory/4244-179-0x0000000000000000-mapping.dmp
  memory/4312-188-0x0000000000000000-mapping.dmp
  memory/4364-157-0x0000000000000000-mapping.dmp
  memory/4496-182-0x0000000000000000-mapping.dmp
  memory/4564-192-0x0000000000000000-mapping.dmp
  memory/4672-186-0x0000000000000000-mapping.dmp
  memory/4688-152-0x0000000000000000-mapping.dmp
  memory/4848-160-0x0000000000000000-mapping.dmp
  memory/4960-198-0x0000000000000000-mapping.dmp
  memory/4972-163-0x0000000000000000-mapping.dmp