gh0strat | 7c728b157e51e173d45d7dd27afca535cadb55a37d5f0b0a807bdc5c3b870abc

Analysis

max time kernel
95s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c728b157e51e173d45d7dd27afca535cadb55a37d5f0b0a807bdc5c3b870abc.exe
Size

676KB
MD5

22b46a5d1cac7a683b8cb88c44a87a9e
SHA1

6fb16d13688baab44e8832892e8c27bb01a00597
SHA256

7c728b157e51e173d45d7dd27afca535cadb55a37d5f0b0a807bdc5c3b870abc
SHA512

eb9f1b55997b806081c9dcbbac08f9f2df79dff5ea5954fbd0e9befdd207aba691d2f234e26de4d2fb3cde22a3e645845773cd7e534275da31619b38da775370
SSDEEP

6144:jPi+8sCE1c5V7IcIuRl4R9cd+z1kWS+rd0B4nKvKi9pH3RwoQisIO0A:zi+Z1w7Icbl4ROdg9i9pXc

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3056-123-0x0000000003A60000-0x0000000003ADB000-memory.dmp	family_gh0strat
behavioral2/memory/3056-137-0x00000000039C0000-0x0000000003A57000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7c728b157e51e173d45d7dd27afca535cadb55a37d5f0b0a807bdc5c3b870abc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	7c728b157e51e173d45d7dd27afca535cadb55a37d5f0b0a807bdc5c3b870abc.exe

Executes dropped EXE 1 IoCs

Processes:

7zip.exe

pid process

3056 7zip.exe

Loads dropped DLL 25 IoCs

Processes:

7zip.exe

pid	process
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7zip.exe

description	ioc	process
File opened (read-only)	\??\Y:	7zip.exe
File opened (read-only)	\??\S:	7zip.exe
File opened (read-only)	\??\T:	7zip.exe
File opened (read-only)	\??\X:	7zip.exe
File opened (read-only)	\??\Z:	7zip.exe
File opened (read-only)	\??\E:	7zip.exe
File opened (read-only)	\??\N:	7zip.exe
File opened (read-only)	\??\W:	7zip.exe
File opened (read-only)	\??\J:	7zip.exe
File opened (read-only)	\??\M:	7zip.exe
File opened (read-only)	\??\P:	7zip.exe
File opened (read-only)	\??\V:	7zip.exe
File opened (read-only)	\??\B:	7zip.exe
File opened (read-only)	\??\G:	7zip.exe
File opened (read-only)	\??\H:	7zip.exe
File opened (read-only)	\??\O:	7zip.exe
File opened (read-only)	\??\Q:	7zip.exe
File opened (read-only)	\??\R:	7zip.exe
File opened (read-only)	\??\U:	7zip.exe
File opened (read-only)	\??\I:	7zip.exe
File opened (read-only)	\??\K:	7zip.exe
File opened (read-only)	\??\L:	7zip.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
4692	3080	WerFault.exe	7c728b157e51e173d45d7dd27afca535cadb55a37d5f0b0a807bdc5c3b870abc.exe
1900	3080	WerFault.exe	7c728b157e51e173d45d7dd27afca535cadb55a37d5f0b0a807bdc5c3b870abc.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7c728b157e51e173d45d7dd27afca535cadb55a37d5f0b0a807bdc5c3b870abc.exe7zip.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c728b157e51e173d45d7dd27afca535cadb55a37d5f0b0a807bdc5c3b870abc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7zip.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7zip.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7zip.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	7zip.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7zip.exe

pid	process
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe
3056	7zip.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zip.exe

pid process

3056 7zip.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

7c728b157e51e173d45d7dd27afca535cadb55a37d5f0b0a807bdc5c3b870abc.exe7zip.exe

pid	process
3080	7c728b157e51e173d45d7dd27afca535cadb55a37d5f0b0a807bdc5c3b870abc.exe
3080	7c728b157e51e173d45d7dd27afca535cadb55a37d5f0b0a807bdc5c3b870abc.exe
3056	7zip.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

7c728b157e51e173d45d7dd27afca535cadb55a37d5f0b0a807bdc5c3b870abc.exe

description	pid	process	target process
PID 3080 wrote to memory of 3056	3080	7c728b157e51e173d45d7dd27afca535cadb55a37d5f0b0a807bdc5c3b870abc.exe	7zip.exe
PID 3080 wrote to memory of 3056	3080	7c728b157e51e173d45d7dd27afca535cadb55a37d5f0b0a807bdc5c3b870abc.exe	7zip.exe
PID 3080 wrote to memory of 3056	3080	7c728b157e51e173d45d7dd27afca535cadb55a37d5f0b0a807bdc5c3b870abc.exe	7zip.exe

C:\Users\Admin\AppData\Local\Temp\7c728b157e51e173d45d7dd27afca535cadb55a37d5f0b0a807bdc5c3b870abc.exe
"C:\Users\Admin\AppData\Local\Temp\7c728b157e51e173d45d7dd27afca535cadb55a37d5f0b0a807bdc5c3b870abc.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Users\Public\WinZip\7zip.exe
  "C:\Users\Public\WinZip\7zip.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 1288
  2⤵
  - Program crash
  PID:4692
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 1288
  2⤵
  - Program crash
  PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3080 -ip 3080
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3080 -ip 3080
1⤵
PID:376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\WinZip\0f40fc17.ppf

Filesize
576KB

MD5
b7ea5545d54b42eee11d88b6a90e8374

SHA1
6c39cb39dce1213695a86c82a49dd327d210a5d3

SHA256
a97e079322f438a579f8640a98b9bddfcfd969a0658353fa6f6d62005a14887b

SHA512
b8288c49c77fff3f96dbb686a61f761ab721e9d6b0715a70691139b4121dcfe84bade0b84c4e1b97133362b537dce1acbf3bbf7bb9979bc5b325a2f8e59c4b8f

Download Submit
C:\Users\Public\WinZip\7zip.dat

Filesize
61B

MD5
f96d832b995c5fc7f4785f8f8eff6cec

SHA1
8bfc1b2a57326a0436ed82b9ee886c0154cf5d77

SHA256
b17da494ef7367b6e8daf70cf5077604568f49869236c5be2b9cb847d47f5e3c

SHA512
2a5a543273731fdae776bbf7da679e3e3d50d442d4fc6123833477aa35cc934067273964c56b69f382f16f3033709c0f2053bd0156dd355931965f708195aa43

Download Submit
C:\Users\Public\WinZip\7zip.exe

Filesize
346KB

MD5
b575cfefd5c7b14f4743ef2ad74b2736

SHA1
f433813501a7b5b96186bb02fe69ca01580627ed

SHA256
a38708da0db2003a1d14ed1e9d45a9ecb30a6294d472692f804ffb0cea70334b

SHA512
ea912b2589142f1a89ef84e503bf65999beb7aa76d2aa50e1e7edc178bf841debed906fc11da555a004fc715f52fa09baf3a3fe4b42c33e5c9cf811eba676e5e

Download Submit
C:\Users\Public\WinZip\Config.ini

Filesize
126B

MD5
7ea5a7331f3f3f67623de27da8ce528d

SHA1
776850c48971a132a9590fc5c9bd8edefa68bd12

SHA256
eab5970b3366d3fb8fd2e03389c320898f5493e41b36d25cf6880be220912e6a

SHA512
6aca23f4d41f5c1bbad5739659a1585e84483c3f7abdc45f400e411574c144577815f58ba68719f6eb9b9ccd3351976978dc4050fde2fa1596f1121e21dd3369

Download Submit
C:\Users\Public\WinZip\DuiLib.dll

Filesize
1.5MB

MD5
a3b393d6604c40c51f9f28533161ab81

SHA1
19480433f1a094f135eff78e4b63c5b47411f333

SHA256
a830e40e43aef4d9d7b7eeb6d94c17cd2cb11be7f3ee8adce2399ec5c0a6049c

SHA512
12c460443ae98c0a57abe98e8d70802367d9fe2a14faf66164a094ffdb10ee6d8a6b41e4c96e58a423218f3653ea56d804ed15614ff6957948025f78389c3313

Download Submit
C:\Users\Public\WinZip\Plugin.dll

Filesize
271KB

MD5
27378e77fed60b91b9eacef55b10d3a2

SHA1
603050de753ae268e09aca9e37b30ac4e647b6b7

SHA256
553920c1b7dbcabcd18e8a17a3f0b3bd91f3fd2a3375a6163c8e85d441cb8a18

SHA512
95be8277a4ceaf29a2c7bbba6f8e06fb894bb883ff457e08851352dd751375f94c551a78204fc30838aa2c4a6741f49e30bfa6f0b6a6f0287c5d77b0e9ed6c6d

Download Submit
C:\Users\Public\WinZip\QKGuide.dll

Filesize
893KB

MD5
057d333133ba16ad86fa644e8b28adf7

SHA1
7542ae74dbcaef4fd60e82937080efa1c2ac954f

SHA256
51d34fdf50a1542a86f2befa3e0f7615832558d29e41cf92c9206b44b67e1350

SHA512
83a61c8da999bdcc3bb47b47d8aeea3fb8605404cda949acb91bb0b7aaba7d1c854f7cf44d8d5ba81d5be5d2c3dfc5babf66f72bf1137c2786b34bd32b853e78

Download Submit
C:\Users\Public\WinZip\QKHook.dll

Filesize
24KB

MD5
32f12897dbfad3149821d503013c6a28

SHA1
52fc6755add14e6f6eb2b2f5a20d8022a32c8225

SHA256
93fcab146f4061b93e6566b1846cfefd05dae52afd763fdd261e6a0543436671

SHA512
c0547fb67c4d80e2d2744179c4b21d1e9b8694f53a6c843adc7e28df48b0e56c95c25b6cfc956f440d856add2bfc339b8178c820c28a09250854b5a57587db59

Download Submit
C:\Users\Public\WinZip\QKParameterMgr.dll

Filesize
35KB

MD5
1390bc15e3d2b403d962c6c6e9e77fee

SHA1
dab2a8a69cb014c682544c94efc2a9219fd603cc

SHA256
ae1cec46aaa7841b0d4e2dd719272821469be8121b32a60609b1bc3bfd5638d3

SHA512
e794d64bd63b8bbacdd59e8ad1b2b23011f07a8de70217082f56b710cadfec4f4579756eb693ceb9a223933366bb4058d26e7c5867d4c4e67988aa4532cbad5a

Download Submit
C:\Users\Public\WinZip\QKPhotoshopMgr.dll

Filesize
551KB

MD5
a1b899fd31bff8b4d87e2edd78006b31

SHA1
199280dabac2c32324c59ec8da76c0126e5710e7

SHA256
09c6a24b0714da6e4bef6ed8070f6986c005cd974c35a4f7a9f406b88ee038b3

SHA512
40d9466ee6ae644c19e9c2f505370ed647379c6d3389a908ad32f24ed0cf6ef95728192a443324fde3a312b1fd31a4eb3ea616881595dac6ee1b4a047b948a17

Download Submit
C:\Users\Public\WinZip\QKPlugin.dll

Filesize
307KB

MD5
216c638d1e32032145687d2e3851394a

SHA1
fdcb1cb31625a8023880a716205b29a1b7f71aa2

SHA256
965fd4c884b66a65c7b6800a43f1c6f9a0b5a5766606301494da227a8a80f35e

SHA512
5b50ad6f3a5aa25de08174df90db067676fb13991b93bcadba2698b0e69c096f46892467b1d6f75227825447b9eedbf40f6415d8804115fa3201a43bd7360bd0

Download Submit
C:\Users\Public\WinZip\QKRecord.dll

Filesize
353KB

MD5
428f062a15575599e0fcbef2374754a8

SHA1
5dacffd79a14ac1b3b0377885460cc1bf1023810

SHA256
0553c54a2082a89b04bfa0a8373185ffcfa202523e98159a5e20012df1ce99b5

SHA512
492d4c4e35b55abc2f0517aa4fc3235bb88b115d7dc2b666f847f2b100d84b011eb9540675b60d3d68da4de6e49bff7253cd5428c991ac7ae521b73e0eacba27

Download Submit
C:\Users\Public\WinZip\QKResource.dll

Filesize
616KB

MD5
e471a8665c05062f45e343b7f89ad319

SHA1
58a98da8295458c073d10622158a6a53a20be534

SHA256
1f75c77513b2554d94c692d6e7a00b674dcec354913159aea7f324062a4fa798

SHA512
f033a1e8044b070a8f2ad4fe97e06f810747988ce5bb269bd6a502b39c24158ce0a150305666b73de74252762371e5d091ed258fc11e94259c78bcaba04dfc46

Download Submit
C:\Users\Public\WinZip\alibabacloud-oss-cpp-sdk.dll

Filesize
1.0MB

MD5
0aaeb781e651be69f6d643a72b15c6cb

SHA1
8be4066c628629ffe77254c2cc452aecc1fee8dc

SHA256
e9359d5c42b6767d63525ae73eb194a88c3e68111cee4ec1a2bdbb8ecf530bb9

SHA512
c6f1af6bb30005f8b89951612961ef8db706d39ace2e674cf54a14445fdfcfe8cf8c5762fe04406b9d87154a919cc47e251eaefd9cbd15e00b2ecf471854e6f5

Download Submit
C:\Users\Public\WinZip\concrt140.dll

Filesize
243KB

MD5
8651e6272e310d5c64d0c91ca975b029

SHA1
0e2433c8771ac420b5684c79e96eb7e206350757

SHA256
b721897db5542d5b0c970ec624440442ed9ae781e55147feb9ff264f70f66cde

SHA512
d99d049b9ae9f7bcf9e6737b26a90f544a08ff49e06fdc39617b869eb97676024e18ba42e680db255a8a04f323de494dd8e7b706007e9b961c78a64cdf078ff6

Download Submit
C:\Users\Public\WinZip\libcurl.dll

Filesize
552KB

MD5
b58a42118168c1c18a26acbc353b2ec0

SHA1
c1a048e3a941972cabf9d91be5b28df189d0a3bd

SHA256
762d69078a248a0c99344ae69b1f84c3f85c332b878869e054be67825423ec0b

SHA512
58339b6c26f5fbda2a12bd84e88b41c4bee407ae53da3b72ca2b2ddddd49f64ea75096feb57d654aa748b7eaa83190b417933c0ac43b5819ef32db46b29db770

Download Submit
C:\Users\Public\WinZip\libeay32.dll

Filesize
1.2MB

MD5
1707bc560de9c69ae7325b6f63c8ec96

SHA1
d15e908a921cd17fbcfe0000b264d52e8fd413e7

SHA256
648a673ec8504f8255de37996a21895279985e011124e8ff2c7249271d5890cb

SHA512
941b3a76d43626d3d8e369437b83e63689eb3f8ecf90737a2d2df8df1c38e19e02146938af12d0fa9850ba3154ad60d74c5e4b80cae4ff6e3bff9d2583538ad5

Download Submit
C:\Users\Public\WinZip\libmysql.dll

Filesize
3.5MB

MD5
fcd72aa6a80b75556057d77b729f17c5

SHA1
8689cd54043136e644c82cb8eae419a5d43289ca

SHA256
6a59443d3a5cf8572e2e80b5987040ddbf2630e14036204a3bf77ce27e02d918

SHA512
e2c7c02ec1b997c3888ce20e8a3ac4c84a4e36a6e1c37aaf1a65983096ba64e60fbe61ca988821a1807872e9bf284cc577938db5957abcb57555321a7e36c7ba

Download Submit
C:\Users\Public\WinZip\mfc140u.dll

Filesize
4.8MB

MD5
06f307b7ddb0994b448b9786cf5811b8

SHA1
4d70c5206e84b23916e4c686f430e5dcdc70dfc3

SHA256
dde3c8e9e7d414913a29979798311d095c1b8869ee405a1c3fcbba14da90446d

SHA512
b26bcfca4569ce9fb4b7196c952ce38b0e3a30aeff2e7ac4b2ea1c695c658c1d92029fb7e31ad231e62de8dff2a86ab3821aa1f9d5c944d88b263d88efeca16a

Download Submit
C:\Users\Public\WinZip\msc.dll

Filesize
1.7MB

MD5
18d35237d397e8396c30356ddb12dd9c

SHA1
8f86896fd6f884f05c48c3034b7b55b7d9e50a5a

SHA256
1c1f3b6df9347b864ac879ef841196b97ed02f5be941fd490817831889b97b84

SHA512
e2e1e1fdb6e161b28e90236edd0b35d3b91f507161b50615caaaa8f9484946c72ea35298838e1b538e4d2801aff9cece97b89447e78a3dc2ae4fdc962a26c5c3

Download Submit
C:\Users\Public\WinZip\msvcp140.dll

Filesize
438KB

MD5
1fb93933fd087215a3c7b0800e6bb703

SHA1
a78232c352ed06cedd7ca5cd5cb60e61ef8d86fb

SHA256
2db7fd3c9c3c4b67f2d50a5a50e8c69154dc859780dd487c28a4e6ed1af90d01

SHA512
79cd448e44b5607863b3cd0f9c8e1310f7e340559495589c428a24a4ac49beb06502d787824097bb959a1c9cb80672630dac19a405468a0b64db5ebd6493590e

Download Submit
C:\Users\Public\WinZip\opencv_core2413.dll

Filesize
1.9MB

MD5
b83a304b66f3c9799cae2be75bec361b

SHA1
d7ccc4067af699e62f9a7f9001589d3d8c7f4ac6

SHA256
b0f02252f1cee1826f3b193e682344a8d9785e424e8009b60a7700e5c88271c8

SHA512
dfa3dfa9faf6a85af25fa4f12726ec27075053112e9455461e435ff424bff0635bd624c39c2e15f962b4aab3a6374b23024e7d805e0e8f2d54df1f92e7edd6f2

Download Submit
C:\Users\Public\WinZip\opencv_highgui2413.dll

Filesize
1.9MB

MD5
f6a0b1bf98161f7231039f6ffceee155

SHA1
7f888d40d50ae85490e2126c9f9a14ce78d4c7d0

SHA256
1ad5b3f2447a6d48e3ade61cbdc4abb0f18f3dbc8b7dcd3b050d60c68197d0df

SHA512
69ea3f74d40a5aecedb5ea120e01a5cd348af9542f16124973b028a3e2965d3d63a804d0bab1bdd4b548e55f8bb21365605b241891993177cfc08608d895764b

Download Submit
C:\Users\Public\WinZip\opencv_imgproc2413.dll

Filesize
1.6MB

MD5
27e2d298d6905a73ea98b7a2c4c889c5

SHA1
600eb3e14e20f91c7e9788bf3cde864f9e1bc17c

SHA256
f67e68461b7fa1bdf83b00020affc17c203e5d5fb6d051c00d2654e181115f8f

SHA512
751cceddd052cb3a540b842ed9a69f0842f3c1a5d503555ba990838550b0e784dafc577e0070383af7cfe36bf51a4944b9a9fadfbcfdbcc92ba6deb52ff30f95

Download Submit
C:\Users\Public\WinZip\task.dat

Filesize
78B

MD5
c4ef32b92dbd4746b42a33eb764bb68e

SHA1
d556feb32edd451deae4560a2bc4f36972eac9b0

SHA256
45b110922a62c74d80f1ca1ab2e2b41ab369f6f95f7886dec9b963fcb7ae724e

SHA512
5589dff36e9e46ca2a46f47a37db5c5a793ab5e521cde8db1e038b9f64d311f3df41545977d0a46f6951b526d9254a53f062fd81511f432523fc1c521a6a5d58

Download Submit
C:\Users\Public\WinZip\vcruntime140.dll

Filesize
78KB

MD5
1b171f9a428c44acf85f89989007c328

SHA1
6f25a874d6cbf8158cb7c491dcedaa81ceaebbae

SHA256
9d02e952396bdff3abfe5654e07b7a713c84268a225e11ed9a3bf338ed1e424c

SHA512
99a06770eea07f36abc4ae0cecb2ae13c3acb362b38b731c3baed045bf76ea6b61efe4089cd2efac27701e9443388322365bdb039cd388987b24d4a43c973bd1

Download Submit
memory/3056-123-0x0000000003A60000-0x0000000003ADB000-memory.dmp

Filesize
492KB

Download
memory/3056-121-0x00000000039C0000-0x0000000003A57000-memory.dmp

Filesize
604KB

Download
memory/3056-115-0x00000000017E0000-0x000000000190D000-memory.dmp

Filesize
1.2MB

Download
memory/3056-137-0x00000000039C0000-0x0000000003A57000-memory.dmp

Filesize
604KB

Download