Overview

overview

8

Static

static

Ziproar.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    111s
  • max time network
    116s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 21:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ziproar.exe

  • Size

    1.2MB

  • MD5

    2ec2320d4eed30db02d36b9dacfb44e9

  • SHA1

    018d7d4a124aa6e8a17586d4610608bc4e84533c

  • SHA256

    5bcd2e971509198523001843ba1f8d7e5cd1aebcf2e347acc58a21fbb8307aee

  • SHA512

    8a834cee216dfba2635cd0b9e0c5a9cadcfd100e7427651416c8fb65bdeb01c23a63fe3abb4306bebeee7f54327de9aa4da85418761b710d6d549919dd23c10d

  • SSDEEP

    24576:cLlgAi31nyHQLAgcDyOTG64fvVxSWsdezc0SEI:cy3nyHQLAgcRV4fHfhkEI

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 12 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 8 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ziproar.exe
    "C:\Users\Admin\AppData\Local\Temp\Ziproar.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Users\Admin\AppData\Local\ZipRoar\ZipRoar.exe
      "C:\Users\Admin\AppData\Local\ZipRoar\ZipRoar.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system certificate store
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3256
      • C:\Users\Admin\AppData\Local\ZipRoar\ZR.exe
        "C:\Users\Admin\AppData\Local\ZipRoar\ZR.exe" 60480 0
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4688
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im msedge.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3560
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im msedge.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4364
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c start msedge
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:1868
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
            5⤵
            • Adds Run key to start application
            • Enumerates system info in registry
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:1732
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff82e3546f8,0x7ff82e354708,0x7ff82e354718
              6⤵
                PID:4848
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
                6⤵
                  PID:4972
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 /prefetch:3
                  6⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3104
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
                  6⤵
                    PID:1380
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
                    6⤵
                      PID:2228
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4220 /prefetch:1
                      6⤵
                        PID:3732
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
                        6⤵
                          PID:1268
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5528 /prefetch:8
                          6⤵
                            PID:1088
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5192 /prefetch:8
                            6⤵
                              PID:4244
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
                              6⤵
                                PID:1404
                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4260 /prefetch:8
                                6⤵
                                  PID:4556
                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
                                  6⤵
                                  • Drops file in Program Files directory
                                  PID:4496
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff69b215460,0x7ff69b215470,0x7ff69b215480
                                    7⤵
                                      PID:4084
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4260 /prefetch:8
                                    6⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:3408
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
                                    6⤵
                                      PID:4672
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1
                                      6⤵
                                        PID:4312
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5684 /prefetch:8
                                        6⤵
                                          PID:1480
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
                                          6⤵
                                            PID:4564
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
                                            6⤵
                                              PID:3924
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
                                              6⤵
                                                PID:428
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,10335181846243183917,8970506632587587562,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5840 /prefetch:8
                                                6⤵
                                                  PID:4960
                                            • C:\Windows\SysWOW64\WerFault.exe
                                              C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 1116
                                              4⤵
                                              • Program crash
                                              PID:4308
                                      • C:\Windows\System32\CompPkgSrv.exe
                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                        1⤵
                                          PID:3840
                                        • C:\Windows\SysWOW64\WerFault.exe
                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4688 -ip 4688
                                          1⤵
                                            PID:3612
                                          • C:\Windows\system32\AUDIODG.EXE
                                            C:\Windows\system32\AUDIODG.EXE 0x4e8 0x494
                                            1⤵
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2168

                                          Network

                                          MITRE ATT&CK Matrix ATT&CK v6

                                          Initial Access

                                          Execution

                                          Persistence

                                          Registry Run Keys / Startup Folder

                                          1
                                          T1060

                                          Privilege Escalation

                                          Defense Evasion

                                          Modify Registry

                                          2
                                          T1112

                                          Install Root Certificate

                                          1
                                          T1130

                                          Credential Access

                                          Discovery

                                          Query Registry

                                          3
                                          T1012

                                          System Information Discovery

                                          3
                                          T1082

                                          Lateral Movement

                                          Collection

                                          Exfiltration

                                          Command and Control

                                          Impact

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\Users\Admin\AppData\Local\ZipRoar\Configuration.dll
                                            Filesize

                                            57KB

                                            MD5

                                            3b8a0187e673363ac8922d1dcd31f849

                                            SHA1

                                            dbcbd5e4d43ff717bd36ffb8e63dab84d9cf23c9

                                            SHA256

                                            24c1f6fc25b287045833fe3d313c71d70a92fd442ae3818c776bd5a8f86e0833

                                            SHA512

                                            44fd03cff504ff9edfe7d292906341e6d2bfbda23904634dacfa083bc9e05ab160bd8fe325f583f1a6dd291c153610834560e0520fa664634d84bc7f58080668

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\ZipRoar\Configuration.dll
                                            Filesize

                                            57KB

                                            MD5

                                            3b8a0187e673363ac8922d1dcd31f849

                                            SHA1

                                            dbcbd5e4d43ff717bd36ffb8e63dab84d9cf23c9

                                            SHA256

                                            24c1f6fc25b287045833fe3d313c71d70a92fd442ae3818c776bd5a8f86e0833

                                            SHA512

                                            44fd03cff504ff9edfe7d292906341e6d2bfbda23904634dacfa083bc9e05ab160bd8fe325f583f1a6dd291c153610834560e0520fa664634d84bc7f58080668

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\ZipRoar\Configuration.dll
                                            Filesize

                                            57KB

                                            MD5

                                            3b8a0187e673363ac8922d1dcd31f849

                                            SHA1

                                            dbcbd5e4d43ff717bd36ffb8e63dab84d9cf23c9

                                            SHA256

                                            24c1f6fc25b287045833fe3d313c71d70a92fd442ae3818c776bd5a8f86e0833

                                            SHA512

                                            44fd03cff504ff9edfe7d292906341e6d2bfbda23904634dacfa083bc9e05ab160bd8fe325f583f1a6dd291c153610834560e0520fa664634d84bc7f58080668

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\ZipRoar\Configuration.dll
                                            Filesize

                                            57KB

                                            MD5

                                            3b8a0187e673363ac8922d1dcd31f849

                                            SHA1

                                            dbcbd5e4d43ff717bd36ffb8e63dab84d9cf23c9

                                            SHA256

                                            24c1f6fc25b287045833fe3d313c71d70a92fd442ae3818c776bd5a8f86e0833

                                            SHA512

                                            44fd03cff504ff9edfe7d292906341e6d2bfbda23904634dacfa083bc9e05ab160bd8fe325f583f1a6dd291c153610834560e0520fa664634d84bc7f58080668

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\ZipRoar\Configuration.dll
                                            Filesize

                                            57KB

                                            MD5

                                            3b8a0187e673363ac8922d1dcd31f849

                                            SHA1

                                            dbcbd5e4d43ff717bd36ffb8e63dab84d9cf23c9

                                            SHA256

                                            24c1f6fc25b287045833fe3d313c71d70a92fd442ae3818c776bd5a8f86e0833

                                            SHA512

                                            44fd03cff504ff9edfe7d292906341e6d2bfbda23904634dacfa083bc9e05ab160bd8fe325f583f1a6dd291c153610834560e0520fa664634d84bc7f58080668

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\ZipRoar\Interop.IWshRuntimeLibrary.dll
                                            Filesize

                                            48KB

                                            MD5

                                            d5f9fc1dab643687d971de1f8e5f6a27

                                            SHA1

                                            4ad25e71ba405893391afbb7852b5b32b1add413

                                            SHA256

                                            aedd7030adee4845e05210611bcb81cbfb614793398f50587ff1d99a9f5dfb9e

                                            SHA512

                                            893bf28a730dad7717b1eeee7f1398d02f9f9fd438ce1daf43b3e91c9bcf31d4538c256c9595596fdfb954b0576b2e3f2da7fafa5130ddbe0cfad75536edea87

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\ZipRoar\Interop.IWshRuntimeLibrary.dll
                                            Filesize

                                            48KB

                                            MD5

                                            d5f9fc1dab643687d971de1f8e5f6a27

                                            SHA1

                                            4ad25e71ba405893391afbb7852b5b32b1add413

                                            SHA256

                                            aedd7030adee4845e05210611bcb81cbfb614793398f50587ff1d99a9f5dfb9e

                                            SHA512

                                            893bf28a730dad7717b1eeee7f1398d02f9f9fd438ce1daf43b3e91c9bcf31d4538c256c9595596fdfb954b0576b2e3f2da7fafa5130ddbe0cfad75536edea87

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\ZipRoar\Interop.IWshRuntimeLibrary.dll
                                            Filesize

                                            48KB

                                            MD5

                                            d5f9fc1dab643687d971de1f8e5f6a27

                                            SHA1

                                            4ad25e71ba405893391afbb7852b5b32b1add413

                                            SHA256

                                            aedd7030adee4845e05210611bcb81cbfb614793398f50587ff1d99a9f5dfb9e

                                            SHA512

                                            893bf28a730dad7717b1eeee7f1398d02f9f9fd438ce1daf43b3e91c9bcf31d4538c256c9595596fdfb954b0576b2e3f2da7fafa5130ddbe0cfad75536edea87

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\ZipRoar\Interop.IWshRuntimeLibrary.dll
                                            Filesize

                                            48KB

                                            MD5

                                            d5f9fc1dab643687d971de1f8e5f6a27

                                            SHA1

                                            4ad25e71ba405893391afbb7852b5b32b1add413

                                            SHA256

                                            aedd7030adee4845e05210611bcb81cbfb614793398f50587ff1d99a9f5dfb9e

                                            SHA512

                                            893bf28a730dad7717b1eeee7f1398d02f9f9fd438ce1daf43b3e91c9bcf31d4538c256c9595596fdfb954b0576b2e3f2da7fafa5130ddbe0cfad75536edea87

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\ZipRoar\Interop.IWshRuntimeLibrary.dll
                                            Filesize

                                            48KB

                                            MD5

                                            d5f9fc1dab643687d971de1f8e5f6a27

                                            SHA1

                                            4ad25e71ba405893391afbb7852b5b32b1add413

                                            SHA256

                                            aedd7030adee4845e05210611bcb81cbfb614793398f50587ff1d99a9f5dfb9e

                                            SHA512

                                            893bf28a730dad7717b1eeee7f1398d02f9f9fd438ce1daf43b3e91c9bcf31d4538c256c9595596fdfb954b0576b2e3f2da7fafa5130ddbe0cfad75536edea87

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\ZipRoar\Newtonsoft.Json.dll
                                            Filesize

                                            495KB

                                            MD5

                                            283544d7f0173e6b5bfbfbc23d1c2fb0

                                            SHA1

                                            3e33b2ef50dac60b7411a84779d61bdb0ed9d673

                                            SHA256

                                            9165e595b3a0de91ac91a38e742597e12ebb2a5a8fa53058d964a06ceaef7735

                                            SHA512

                                            150b45cd43dc5cf191c85524c15dea09fbb48766ad802851270eaacfd73f3d097fef8dcf0ea042184220e7bc71413677d88a206d8bbe60374986e4789054040b

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\ZipRoar\Newtonsoft.Json.dll
                                            Filesize

                                            495KB

                                            MD5

                                            283544d7f0173e6b5bfbfbc23d1c2fb0

                                            SHA1

                                            3e33b2ef50dac60b7411a84779d61bdb0ed9d673

                                            SHA256

                                            9165e595b3a0de91ac91a38e742597e12ebb2a5a8fa53058d964a06ceaef7735

                                            SHA512

                                            150b45cd43dc5cf191c85524c15dea09fbb48766ad802851270eaacfd73f3d097fef8dcf0ea042184220e7bc71413677d88a206d8bbe60374986e4789054040b

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\ZipRoar\Newtonsoft.Json.dll
                                            Filesize

                                            495KB

                                            MD5

                                            283544d7f0173e6b5bfbfbc23d1c2fb0

                                            SHA1

                                            3e33b2ef50dac60b7411a84779d61bdb0ed9d673

                                            SHA256

                                            9165e595b3a0de91ac91a38e742597e12ebb2a5a8fa53058d964a06ceaef7735

                                            SHA512

                                            150b45cd43dc5cf191c85524c15dea09fbb48766ad802851270eaacfd73f3d097fef8dcf0ea042184220e7bc71413677d88a206d8bbe60374986e4789054040b

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\ZipRoar\Newtonsoft.Json.dll
                                            Filesize

                                            495KB

                                            MD5

                                            283544d7f0173e6b5bfbfbc23d1c2fb0

                                            SHA1

                                            3e33b2ef50dac60b7411a84779d61bdb0ed9d673

                                            SHA256

                                            9165e595b3a0de91ac91a38e742597e12ebb2a5a8fa53058d964a06ceaef7735

                                            SHA512

                                            150b45cd43dc5cf191c85524c15dea09fbb48766ad802851270eaacfd73f3d097fef8dcf0ea042184220e7bc71413677d88a206d8bbe60374986e4789054040b

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\ZipRoar\Newtonsoft.Json.dll
                                            Filesize

                                            495KB

                                            MD5

                                            283544d7f0173e6b5bfbfbc23d1c2fb0

                                            SHA1

                                            3e33b2ef50dac60b7411a84779d61bdb0ed9d673

                                            SHA256

                                            9165e595b3a0de91ac91a38e742597e12ebb2a5a8fa53058d964a06ceaef7735

                                            SHA512

                                            150b45cd43dc5cf191c85524c15dea09fbb48766ad802851270eaacfd73f3d097fef8dcf0ea042184220e7bc71413677d88a206d8bbe60374986e4789054040b

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\ZipRoar\ZR.exe
                                            Filesize

                                            662KB

                                            MD5

                                            9f1911283eced232b7d6844ad210866d

                                            SHA1

                                            5e9fe88b90765d4aeef0c164a6fe6ac4a8f16365

                                            SHA256

                                            2494d98172f7397841031d87e95bfa535221c7e9f383836e566e794029f695f8

                                            SHA512

                                            1e72976f192dd0a7a6631f1b9c6553dbcaafc35e386047d3c73348b529bbc927b5c2a7e2fa9512f6c4530dd0f89403b638ef0fdc444c1baedd722bd7b385d465

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\ZipRoar\ZR.exe
                                            Filesize

                                            662KB

                                            MD5

                                            9f1911283eced232b7d6844ad210866d

                                            SHA1

                                            5e9fe88b90765d4aeef0c164a6fe6ac4a8f16365

                                            SHA256

                                            2494d98172f7397841031d87e95bfa535221c7e9f383836e566e794029f695f8

                                            SHA512

                                            1e72976f192dd0a7a6631f1b9c6553dbcaafc35e386047d3c73348b529bbc927b5c2a7e2fa9512f6c4530dd0f89403b638ef0fdc444c1baedd722bd7b385d465

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\ZipRoar\ZipRoar.exe
                                            Filesize

                                            401KB

                                            MD5

                                            36a981f83e01fc2fd6989ae2dd6282f3

                                            SHA1

                                            ecab92460b72e5c51b5e7754ba232d0eed79f646

                                            SHA256

                                            fac0076d6ee5943ba2c8d85afff03909bc32ac5da8d2da0adc655fb1f4ea9025

                                            SHA512

                                            91cd3d091ef3b9464b60437a14710dab7f400126c95038643f507925138fe98e18cc156cd79f740e0e9fb7eae30b2f832cbe41ffe183c500e85129095d691944

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\ZipRoar\ZipRoar.exe
                                            Filesize

                                            401KB

                                            MD5

                                            36a981f83e01fc2fd6989ae2dd6282f3

                                            SHA1

                                            ecab92460b72e5c51b5e7754ba232d0eed79f646

                                            SHA256

                                            fac0076d6ee5943ba2c8d85afff03909bc32ac5da8d2da0adc655fb1f4ea9025

                                            SHA512

                                            91cd3d091ef3b9464b60437a14710dab7f400126c95038643f507925138fe98e18cc156cd79f740e0e9fb7eae30b2f832cbe41ffe183c500e85129095d691944

                                            Download Submit
                                          • \??\pipe\LOCAL\crashpad_1732_CKXMVLLUEWVIHXAR
                                            MD5

                                            d41d8cd98f00b204e9800998ecf8427e

                                            SHA1

                                            da39a3ee5e6b4b0d3255bfef95601890afd80709

                                            SHA256

                                            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                            SHA512

                                            cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                            Download Submit
                                          • memory/428-196-0x0000000000000000-mapping.dmp
                                            Download
                                          • memory/1088-175-0x0000000000000000-mapping.dmp
                                            Download
                                          • memory/1268-173-0x0000000000000000-mapping.dmp
                                            Download
                                          • memory/1380-167-0x0000000000000000-mapping.dmp
                                            Download
                                          • memory/1404-181-0x0000000000000000-mapping.dmp
                                            Download
                                          • memory/1480-190-0x0000000000000000-mapping.dmp
                                            Download
                                          • memory/1732-159-0x0000000000000000-mapping.dmp
                                            Download
                                          • memory/1868-158-0x0000000000000000-mapping.dmp
                                            Download
                                          • memory/2228-169-0x0000000000000000-mapping.dmp
                                            Download
                                          • memory/3104-164-0x0000000000000000-mapping.dmp
                                            Download
                                          • memory/3256-140-0x0000000073660000-0x0000000073C11000-memory.dmp
                                            Filesize

                                            5.7MB

                                            Download
                                          • memory/3256-132-0x0000000000000000-mapping.dmp
                                            Download
                                          • memory/3256-161-0x0000000000E9A000-0x0000000000E9F000-memory.dmp
                                            Filesize

                                            20KB

                                            Download
                                          • memory/3256-155-0x0000000000E9A000-0x0000000000E9F000-memory.dmp
                                            Filesize

                                            20KB

                                            Download
                                          • memory/3256-177-0x0000000000E9A000-0x0000000000E9F000-memory.dmp
                                            Filesize

                                            20KB

                                            Download
                                          • memory/3256-176-0x0000000073660000-0x0000000073C11000-memory.dmp
                                            Filesize

                                            5.7MB

                                            Download
                                          • memory/3256-146-0x0000000073660000-0x0000000073C11000-memory.dmp
                                            Filesize

                                            5.7MB

                                            Download
                                          • memory/3408-184-0x0000000000000000-mapping.dmp
                                            Download
                                          • memory/3560-156-0x0000000000000000-mapping.dmp
                                            Download
                                          • memory/3732-171-0x0000000000000000-mapping.dmp
                                            Download
                                          • memory/3924-194-0x0000000000000000-mapping.dmp
                                            Download
                                          • memory/4084-183-0x0000000000000000-mapping.dmp
                                            Download
                                          • memory/4244-179-0x0000000000000000-mapping.dmp
                                            Download
                                          • memory/4312-188-0x0000000000000000-mapping.dmp
                                            Download
                                          • memory/4364-157-0x0000000000000000-mapping.dmp
                                            Download
                                          • memory/4496-182-0x0000000000000000-mapping.dmp
                                            Download
                                          • memory/4564-192-0x0000000000000000-mapping.dmp
                                            Download
                                          • memory/4672-186-0x0000000000000000-mapping.dmp
                                            Download
                                          • memory/4688-152-0x0000000000000000-mapping.dmp
                                            Download
                                          • memory/4848-160-0x0000000000000000-mapping.dmp
                                            Download
                                          • memory/4960-198-0x0000000000000000-mapping.dmp
                                            Download
                                          • memory/4972-163-0x0000000000000000-mapping.dmp
                                            Download