nanocore | df148cda088c6063ca4e903fa59e453f371b721e4d058b47605a800630e2988e

Analysis

max time kernel
658s
max time network
663s
platform
windows10_x64
resource
win10v20210408
submitted
11-10-2021 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wextract.exe
Size

20.1MB
MD5

656bb45286bc93310190d6caa88f2eae
SHA1

b0ccc9e3fa93502e2ab59dc4cdb0b5cc548343ae
SHA256

df148cda088c6063ca4e903fa59e453f371b721e4d058b47605a800630e2988e
SHA512

cb6d49aca40b8b0b6f6e5114036c38c119ca4b13a9f6842c9255a6fc24c7a5d73faf7fe4980f438ced9396ed7721208702450c776fccae4cf1a579ed9b69c2c1

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

8888.tshacks.online:8888

Mutex

26bfcaea-dd1b-4a7f-9639-a7cb51f083fe

Attributes

activate_away_mode
true
backup_connection_host
8888.tshacks.online
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2019-01-22T13:16:46.778489036Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
8888
default_group
8888
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
26bfcaea-dd1b-4a7f-9639-a7cb51f083fe
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
8888.tshacks.online
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 4 IoCs

Processes:

1SWEFF~1.EXE2ghytrd.exesvchost.exemvchost.exe

pid process

1192 1SWEFF~1.EXE
2144 2ghytrd.exe
2320 svchost.exe
3736 mvchost.exe
Loads dropped DLL 5 IoCs

Processes:

mvchost.exe

pid process

3736 mvchost.exe
3736 mvchost.exe
3736 mvchost.exe
3736 mvchost.exe
3736 mvchost.exe

pid	process
3736	mvchost.exe
3736	mvchost.exe
3736	mvchost.exe
3736	mvchost.exe
3736	mvchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Wextract.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	Wextract.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Wextract.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1SWEFF~1.EXEsvchost.exe

description	pid	process	target process
PID 1192 set thread context of 2916	1192	1SWEFF~1.EXE	RegAsm.exe
PID 2320 set thread context of 1356	2320	svchost.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1628 schtasks.exe
3624 schtasks.exe

pid	process
1628	schtasks.exe
3624	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1SWEFF~1.EXERegAsm.exesvchost.exeRegAsm.exe

pid	process
1192	1SWEFF~1.EXE
1192	1SWEFF~1.EXE
2916	RegAsm.exe
2916	RegAsm.exe
2916	RegAsm.exe
2320	svchost.exe
2320	svchost.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

2916 RegAsm.exe

pid	process
2916	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

1SWEFF~1.EXERegAsm.exesvchost.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1192	1SWEFF~1.EXE
Token: SeDebugPrivilege	2916	RegAsm.exe
Token: SeDebugPrivilege	2320	svchost.exe
Token: SeDebugPrivilege	1356	RegAsm.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

Wextract.exe1SWEFF~1.EXE2ghytrd.exesvchost.exeRegAsm.exe

description	pid	process	target process
PID 3108 wrote to memory of 1192	3108	Wextract.exe	1SWEFF~1.EXE
PID 3108 wrote to memory of 1192	3108	Wextract.exe	1SWEFF~1.EXE
PID 3108 wrote to memory of 1192	3108	Wextract.exe	1SWEFF~1.EXE
PID 1192 wrote to memory of 1628	1192	1SWEFF~1.EXE	schtasks.exe
PID 1192 wrote to memory of 1628	1192	1SWEFF~1.EXE	schtasks.exe
PID 1192 wrote to memory of 1628	1192	1SWEFF~1.EXE	schtasks.exe
PID 1192 wrote to memory of 2916	1192	1SWEFF~1.EXE	RegAsm.exe
PID 1192 wrote to memory of 2916	1192	1SWEFF~1.EXE	RegAsm.exe
PID 1192 wrote to memory of 2916	1192	1SWEFF~1.EXE	RegAsm.exe
PID 1192 wrote to memory of 2916	1192	1SWEFF~1.EXE	RegAsm.exe
PID 1192 wrote to memory of 2916	1192	1SWEFF~1.EXE	RegAsm.exe
PID 1192 wrote to memory of 2916	1192	1SWEFF~1.EXE	RegAsm.exe
PID 1192 wrote to memory of 2916	1192	1SWEFF~1.EXE	RegAsm.exe
PID 1192 wrote to memory of 2916	1192	1SWEFF~1.EXE	RegAsm.exe
PID 3108 wrote to memory of 2144	3108	Wextract.exe	2ghytrd.exe
PID 3108 wrote to memory of 2144	3108	Wextract.exe	2ghytrd.exe
PID 3108 wrote to memory of 2144	3108	Wextract.exe	2ghytrd.exe
PID 2144 wrote to memory of 2320	2144	2ghytrd.exe	svchost.exe
PID 2144 wrote to memory of 2320	2144	2ghytrd.exe	svchost.exe
PID 2144 wrote to memory of 2320	2144	2ghytrd.exe	svchost.exe
PID 2320 wrote to memory of 3624	2320	svchost.exe	schtasks.exe
PID 2320 wrote to memory of 3624	2320	svchost.exe	schtasks.exe
PID 2320 wrote to memory of 3624	2320	svchost.exe	schtasks.exe
PID 2320 wrote to memory of 1356	2320	svchost.exe	RegAsm.exe
PID 2320 wrote to memory of 1356	2320	svchost.exe	RegAsm.exe
PID 2320 wrote to memory of 1356	2320	svchost.exe	RegAsm.exe
PID 2320 wrote to memory of 1356	2320	svchost.exe	RegAsm.exe
PID 2320 wrote to memory of 1356	2320	svchost.exe	RegAsm.exe
PID 2320 wrote to memory of 1356	2320	svchost.exe	RegAsm.exe
PID 2320 wrote to memory of 1356	2320	svchost.exe	RegAsm.exe
PID 2320 wrote to memory of 1356	2320	svchost.exe	RegAsm.exe
PID 2320 wrote to memory of 1356	2320	svchost.exe	RegAsm.exe
PID 1356 wrote to memory of 3736	1356	RegAsm.exe	mvchost.exe
PID 1356 wrote to memory of 3736	1356	RegAsm.exe	mvchost.exe

C:\Users\Admin\AppData\Local\Temp\Wextract.exe
"C:\Users\Admin\AppData\Local\Temp\Wextract.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1SWEFF~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1SWEFF~1.EXE
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JtzOINnl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA42.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1628
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2916
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2ghytrd.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2ghytrd.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Users\Admin\AppData\Roaming\x\svchost.exe
    "C:\Users\Admin\AppData\Roaming\x\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NbQaSpIvTR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE58E.tmp"
      4⤵
      Creates scheduled task(s)
      PID:3624
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1356
    - - C:\Users\Admin\AppData\Roaming\x\mvchost.exe
        
        "C:\Users\Admin\AppData\Roaming\x\mvchost.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1SWEFF~1.EXE

MD5
1bba1be996194b3823094dcab00096fe

SHA1
82d73ff7b9338beda776be372d09226c31f5e18f

SHA256
0fe49c941e5cf3f94f1eb75846856deffbf9525873bf99ec9c8c01409ab31841

SHA512
2f991618d4e5ef9b414015e636eb6efc332b0c4734983da1db775c259f6d2781dcaad7433594404edadb81d5637e997592816400608f486fb082178628b8f918

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1SWEFF~1.EXE

MD5
1bba1be996194b3823094dcab00096fe

SHA1
82d73ff7b9338beda776be372d09226c31f5e18f

SHA256
0fe49c941e5cf3f94f1eb75846856deffbf9525873bf99ec9c8c01409ab31841

SHA512
2f991618d4e5ef9b414015e636eb6efc332b0c4734983da1db775c259f6d2781dcaad7433594404edadb81d5637e997592816400608f486fb082178628b8f918

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2ghytrd.exe

MD5
953b5efb206db8822c3ed784267a7aeb

SHA1
7d050466ba4159f2a5777ea7292ea69c9b50b97d

SHA256
dc8e99f10ddff606cb076d02ba77d2ed332a48a4a6720d71823004be99a90426

SHA512
0a05a0f71cae8f5c4459ddcda28acd6c18ee83a322cbbe069190fafbd0a9458ba137ac949a3a6ab2891116fc003f04f5d1143d170006efa597e6be5b5a181f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2ghytrd.exe

MD5
953b5efb206db8822c3ed784267a7aeb

SHA1
7d050466ba4159f2a5777ea7292ea69c9b50b97d

SHA256
dc8e99f10ddff606cb076d02ba77d2ed332a48a4a6720d71823004be99a90426

SHA512
0a05a0f71cae8f5c4459ddcda28acd6c18ee83a322cbbe069190fafbd0a9458ba137ac949a3a6ab2891116fc003f04f5d1143d170006efa597e6be5b5a181f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA42.tmp

MD5
edd71b14b5b5ff886b474b923f9ba1b9

SHA1
9922593e6da0a3a82e8a7b602cc43ca9b31e85fb

SHA256
88442243da04d4b454fbe36f65b86507fa4643109e996905dd51ce774508ae99

SHA512
e099bba7bfb23ce8646502790e638ae5fd64e0c54b93679aba350d175589e49581b18967bb31a7dc739da0776df7645463227afaa683ec774cb64b383b4a82bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE58E.tmp

MD5
4df2b1c868f51795dde43a96f5db4de9

SHA1
9aec050468e0b5f3ecb4adc98c455405d5bc8fd2

SHA256
6e643ac0619722ec9640719c361438cdc1f02e95506664c776304b2598662a57

SHA512
02e9c814580613abaf493bcbe43ca2ccb655b19afb691c8c61bbd7ee7f32c988dfde183f0ce34c3369f0dca851870dd4cda63a2613580c3c32ddd0a0f750428e

Download Submit
C:\Users\Admin\AppData\Roaming\x\config.txt

MD5
b8fed6e69c5cf66eb4717d8b833ed454

SHA1
2df0cefe98ee2a1a7f2449a2350d7eabdc956be6

SHA256
d82f70d95e1d0e82ea23a7ba3cb2b4f8542f03ce060e90fa5134fead40662494

SHA512
2b90633bb943c3e7d2af133eb6797e7190a8377e899bc239a3c7a0b3138860481be3e19eeb5fd3045544f6941c7299fefea7d24c59bed6c80ea745f3c796de4c

Download Submit
C:\Users\Admin\AppData\Roaming\x\cpu.txt

MD5
44fbbf318f23269a80454ae8e4d99e4c

SHA1
3c4d91cc40a4bec3f3b08265a93c5324b1abce65

SHA256
588ec37025b4479ea260e50674330ee949a4f69975640834c980876dcb8f082d

SHA512
3ee75865093bfad3344891e36a0f9aaf73df4ad4987e3ba73c4248261a749f196badfdcfbb0fb6fc99a053b5ab4e0aed10c8d450fa209553af4249732b567107

Download Submit
C:\Users\Admin\AppData\Roaming\x\libcrypto-1_1-x64.dll

MD5
3eb6a86289a57f8a29c21d3a7081fe02

SHA1
3096af7efaf79446f5b128c794799b49b943d14a

SHA256
446ad3252ed74cf4fcc115022ad638e37b6ca10da1b92e3fff40070ff3b71c85

SHA512
69b45a119ead375527dbe76ffdac3ad434469eb55a647bdd0474ca0dbbd0bfa24637a8bae95fec423455fa1b620c48f4095fbf36010e7d6b60726c60c47d1050

Download Submit
C:\Users\Admin\AppData\Roaming\x\libssl-1_1-x64.dll

MD5
23347145ece39cc8cc4ac24a360c3a31

SHA1
7decda6184264127555b12e9e390c3e213160990

SHA256
280e479407bda60d081703b3a5bb3eca9945d329e02afa7ab94a183884974785

SHA512
0a538a35e9854b9e88fe132c1cdbb7d1db57ad2c7243bdfb9ea3c6e467f4bb2696ea87bcd9b0762eb6e154bf81fc06d9dac1f7200f030368b09460dbbdeaba88

Download Submit
C:\Users\Admin\AppData\Roaming\x\mvchost.exe

MD5
0445841c84b1b366ab9d747c88bafe93

SHA1
ea107d6009e28d9726b9121082710fd9a216fb00

SHA256
72b8cd3facd4b6b0783727cae5249f27143b4ca466c790ce0f22a61e72cf2009

SHA512
f065489975b83e06db24414689be0578bef35a32b8927d527ee7c4ffef396750387f19e20867cd8e320cf58d17a121e6848a20bc843833ebe61ea9516bdf40ed

Download Submit
C:\Users\Admin\AppData\Roaming\x\mvchost.exe

MD5
0445841c84b1b366ab9d747c88bafe93

SHA1
ea107d6009e28d9726b9121082710fd9a216fb00

SHA256
72b8cd3facd4b6b0783727cae5249f27143b4ca466c790ce0f22a61e72cf2009

SHA512
f065489975b83e06db24414689be0578bef35a32b8927d527ee7c4ffef396750387f19e20867cd8e320cf58d17a121e6848a20bc843833ebe61ea9516bdf40ed

Download Submit
C:\Users\Admin\AppData\Roaming\x\pools.txt

MD5
4807dcd6aff9a9060383a0abebab4c2a

SHA1
15ea751223017338f57836f38ab3b5fbd5ddb137

SHA256
09d0339b00cd46562fb30ffe025b534e05eff3b3e33656646cbb98ae157804ec

SHA512
8271cba11d7c0eca4854b357c888ea32ed5c8614ba51b7e8e5b9db2b057b044d710c7cba081123f80d0b4d9a799e2c87d9d7916477151dc562d0770c9693aa73

Download Submit
C:\Users\Admin\AppData\Roaming\x\svchost.exe

MD5
3d86e9f4a3393766a1d9992214c75237

SHA1
b1e5efda6bb22efbdb134927840e82ef95b86bc0

SHA256
370602bf6ac509c80e858d0d08b1c42a8bce9618d4aed33f615890fd3f48d76d

SHA512
54789e5b5fa60928c602351f8b167778646f06c442c2cf688fccbac7f26da7c574a40a5d4c9c1f2f4c52bd4f85002a67c392f8426c7019bf5b97450f042b4c17

Download Submit
C:\Users\Admin\AppData\Roaming\x\svchost.exe

MD5
3d86e9f4a3393766a1d9992214c75237

SHA1
b1e5efda6bb22efbdb134927840e82ef95b86bc0

SHA256
370602bf6ac509c80e858d0d08b1c42a8bce9618d4aed33f615890fd3f48d76d

SHA512
54789e5b5fa60928c602351f8b167778646f06c442c2cf688fccbac7f26da7c574a40a5d4c9c1f2f4c52bd4f85002a67c392f8426c7019bf5b97450f042b4c17

Download Submit
C:\Users\Admin\AppData\Roaming\x\xmrstak_cuda_backend.dll

MD5
b7b707e84c2c54c43fe76bd74f1e0c41

SHA1
248e300c9394e91d0015e7968df58c8dce0847e6

SHA256
d3f1531e2bf45ab2ba76a6bc3a3609be78477dc49a735a3c867187e4ea92ffc6

SHA512
e96927184da61a223ac5bec6b49dafc81a8fdc6a23bbb5ee3e579de6d4e3c866d8aabeece96dcb04c803535fd23158ed948de27b7669400209b7711399a00ace

Download Submit
C:\Users\Admin\AppData\Roaming\x\xmrstak_cuda_backend_cuda10_0.dll

MD5
a12d4f7b5b6e690a7fcf1e7a73623a1c

SHA1
3b06a1e3b28da3750b384cb2a82fdfc2c3f471d0

SHA256
fd652f33a54de21f695f45bbd90503333c6a7ee98e8dafb475cdf0318807619d

SHA512
32909ecd51a78102b4d263d3d9867e9ed07a48130df43a2d972f64ffe13037dcfc1d429ac19dfcccde2e38051f6c56a9e3739887e9299f0e5482a4c36658f8ce

Download Submit
C:\Users\Admin\AppData\Roaming\x\xmrstak_opencl_backend.dll

MD5
54643d88817dc25d665c7ac80ab1eb27

SHA1
f250764aa88eba662f898327535bd0d257917170

SHA256
b026053158363ead613db350bd93a68910765621a2ef00e8025a6e8ad09a2c21

SHA512
fbe72170036ac99e21c486eb7be774b58a5f15da7f317376ff7d4938249b6bd74080daf8dad0cf21ec25df67d5b8e3007fb785455d99ab3320c6a16774238b38

Download Submit
\Users\Admin\AppData\Roaming\x\libcrypto-1_1-x64.dll

MD5
3eb6a86289a57f8a29c21d3a7081fe02

SHA1
3096af7efaf79446f5b128c794799b49b943d14a

SHA256
446ad3252ed74cf4fcc115022ad638e37b6ca10da1b92e3fff40070ff3b71c85

SHA512
69b45a119ead375527dbe76ffdac3ad434469eb55a647bdd0474ca0dbbd0bfa24637a8bae95fec423455fa1b620c48f4095fbf36010e7d6b60726c60c47d1050

Download Submit
\Users\Admin\AppData\Roaming\x\libssl-1_1-x64.dll

MD5
23347145ece39cc8cc4ac24a360c3a31

SHA1
7decda6184264127555b12e9e390c3e213160990

SHA256
280e479407bda60d081703b3a5bb3eca9945d329e02afa7ab94a183884974785

SHA512
0a538a35e9854b9e88fe132c1cdbb7d1db57ad2c7243bdfb9ea3c6e467f4bb2696ea87bcd9b0762eb6e154bf81fc06d9dac1f7200f030368b09460dbbdeaba88

Download Submit
\Users\Admin\AppData\Roaming\x\xmrstak_cuda_backend.dll

MD5
b7b707e84c2c54c43fe76bd74f1e0c41

SHA1
248e300c9394e91d0015e7968df58c8dce0847e6

SHA256
d3f1531e2bf45ab2ba76a6bc3a3609be78477dc49a735a3c867187e4ea92ffc6

SHA512
e96927184da61a223ac5bec6b49dafc81a8fdc6a23bbb5ee3e579de6d4e3c866d8aabeece96dcb04c803535fd23158ed948de27b7669400209b7711399a00ace

Download Submit
\Users\Admin\AppData\Roaming\x\xmrstak_cuda_backend_cuda10_0.dll

MD5
a12d4f7b5b6e690a7fcf1e7a73623a1c

SHA1
3b06a1e3b28da3750b384cb2a82fdfc2c3f471d0

SHA256
fd652f33a54de21f695f45bbd90503333c6a7ee98e8dafb475cdf0318807619d

SHA512
32909ecd51a78102b4d263d3d9867e9ed07a48130df43a2d972f64ffe13037dcfc1d429ac19dfcccde2e38051f6c56a9e3739887e9299f0e5482a4c36658f8ce

Download Submit
\Users\Admin\AppData\Roaming\x\xmrstak_opencl_backend.dll

MD5
54643d88817dc25d665c7ac80ab1eb27

SHA1
f250764aa88eba662f898327535bd0d257917170

SHA256
b026053158363ead613db350bd93a68910765621a2ef00e8025a6e8ad09a2c21

SHA512
fbe72170036ac99e21c486eb7be774b58a5f15da7f317376ff7d4938249b6bd74080daf8dad0cf21ec25df67d5b8e3007fb785455d99ab3320c6a16774238b38

Download Submit
memory/1192-119-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/1192-116-0x0000000000000000-mapping.dmp

Download
memory/1356-135-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1356-136-0x000000000040602E-mapping.dmp

Download
memory/1356-137-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/1628-120-0x0000000000000000-mapping.dmp

Download
memory/2144-124-0x0000000000000000-mapping.dmp

Download
memory/2320-132-0x0000000002801000-0x0000000002802000-memory.dmp

Filesize
4KB

Download
memory/2320-129-0x0000000000000000-mapping.dmp

Download
memory/2916-127-0x0000000001930000-0x0000000001931000-memory.dmp

Filesize
4KB

Download
memory/2916-123-0x000000000041E792-mapping.dmp

Download
memory/2916-122-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2916-128-0x0000000001931000-0x0000000001932000-memory.dmp

Filesize
4KB

Download
memory/3108-114-0x000001EAB2960000-0x000001EAB2962000-memory.dmp

Filesize
8KB

Download
memory/3108-115-0x000001EAB2960000-0x000001EAB2962000-memory.dmp

Filesize
8KB

Download
memory/3624-133-0x0000000000000000-mapping.dmp

Download
memory/3736-139-0x0000000000000000-mapping.dmp

Download