nanocore | 2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2023 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555.exe
Size

1.7MB
MD5

572deaae035dc45bfde695cf2c4eca9c
SHA1

23ac65e7d81d1937f3637e249d8daf03ee820bb4
SHA256

2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555
SHA512

0c8a7a75893af6413da2034de0b901476c9db94ca50f2ea757f77787b7816a9f53c71b5af6c527670ad85c46b892e244c623dc57096b3ebc76ccd497a8ef1d4d
SSDEEP

12288:ln4oojsadZIcSZzd9xU9DHhilbu300g6LUmhhVHq5snzVXvePiupREJXmBe8kkkS:eoOdScazTxRCEyLUm7HXvczZDwTs1

Score

10^/10

nanocore netwire botnet evasion keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

netwire

divinevilla.hopto.org:3680

divinevilla9.duckdns.org:3680

Attributes

activex_autorun
true
activex_key
{4U0P1HV1-08W6-Q5LN-WDDU-VOF57B3X5Q6B}
copy_executable
true
delete_original
false
host_id
2019BLESSINGS
install_path
%AppData%\Install\xpsz.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
mutex
MkPFjgDl
offline_keylogger
true
password
teamoluwa1
registry_autorun
true
startup_name
vixx
use_mutex
true

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5040-144-0x0000000000400000-0x00000000005BD000-memory.dmp	netwire
behavioral2/memory/5040-145-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/2088-183-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/2088-181-0x0000000000400000-0x00000000005BD000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 6 IoCs

Processes:

done_output95FAB6F.exexpsz.exedone_output95FAB6F.exexpsz.exedone_output95FAB6F.exedone_output95FAB6F.exe

pid process

4120 done_output95FAB6F.exe
2024 xpsz.exe
1668 done_output95FAB6F.exe
2088 xpsz.exe
1932 done_output95FAB6F.exe
2032 done_output95FAB6F.exe

pid	process
4120	done_output95FAB6F.exe
2024	xpsz.exe
1668	done_output95FAB6F.exe
2088	xpsz.exe
1932	done_output95FAB6F.exe
2032	done_output95FAB6F.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

xpsz.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4U0P1HV1-08W6-Q5LN-WDDU-VOF57B3X5Q6B}	xpsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4U0P1HV1-08W6-Q5LN-WDDU-VOF57B3X5Q6B}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\xpsz.exe\""	xpsz.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

xpsz.exe2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	xpsz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

xpsz.exedone_output95FAB6F.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	xpsz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vixx = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\xpsz.exe"	xpsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UPNP Monitor = "C:\\Program Files (x86)\\UPNP Monitor\\upnpmon.exe"	done_output95FAB6F.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

done_output95FAB6F.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA done_output95FAB6F.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	done_output95FAB6F.exe

Drops file in Program Files directory 2 IoCs

Processes:

done_output95FAB6F.exe

description	ioc	process
File created	C:\Program Files (x86)\UPNP Monitor\upnpmon.exe	done_output95FAB6F.exe
File opened for modification	C:\Program Files (x86)\UPNP Monitor\upnpmon.exe	done_output95FAB6F.exe

Drops file in Windows directory 8 IoCs

Processes:

done_output95FAB6F.exedone_output95FAB6F.exe2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555.exe2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555.exedone_output95FAB6F.exexpsz.exedone_output95FAB6F.exexpsz.exe

description	ioc	process
File opened for modification	C:\Windows\win.ini	done_output95FAB6F.exe
File opened for modification	C:\Windows\win.ini	done_output95FAB6F.exe
File opened for modification	C:\Windows\win.ini	2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555.exe
File opened for modification	C:\Windows\win.ini	2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555.exe
File opened for modification	C:\Windows\win.ini	done_output95FAB6F.exe
File opened for modification	C:\Windows\win.ini	xpsz.exe
File opened for modification	C:\Windows\win.ini	done_output95FAB6F.exe
File opened for modification	C:\Windows\win.ini	xpsz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4164 schtasks.exe
1672 schtasks.exe

pid	process
4164	schtasks.exe
1672	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

done_output95FAB6F.exe

pid	process
1668	done_output95FAB6F.exe
1668	done_output95FAB6F.exe
1668	done_output95FAB6F.exe
1668	done_output95FAB6F.exe
1668	done_output95FAB6F.exe
1668	done_output95FAB6F.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

done_output95FAB6F.exe

pid process

1668 done_output95FAB6F.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

done_output95FAB6F.exe

description pid process

Token: SeDebugPrivilege 1668 done_output95FAB6F.exe

description	pid	process
Token: SeDebugPrivilege	1668	done_output95FAB6F.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555.exe2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555.exedone_output95FAB6F.exexpsz.exedone_output95FAB6F.exexpsz.exedone_output95FAB6F.exedone_output95FAB6F.exe

pid	process
4720	2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555.exe
5040	2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555.exe
4120	done_output95FAB6F.exe
2024	xpsz.exe
1668	done_output95FAB6F.exe
2088	xpsz.exe
1932	done_output95FAB6F.exe
2032	done_output95FAB6F.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555.exe2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555.exedone_output95FAB6F.exexpsz.exexpsz.exedone_output95FAB6F.exedone_output95FAB6F.exe

description	pid	process	target process
PID 4720 wrote to memory of 5040	4720	2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555.exe	2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555.exe
PID 4720 wrote to memory of 5040	4720	2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555.exe	2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555.exe
PID 4720 wrote to memory of 5040	4720	2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555.exe	2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555.exe
PID 5040 wrote to memory of 4120	5040	2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555.exe	done_output95FAB6F.exe
PID 5040 wrote to memory of 4120	5040	2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555.exe	done_output95FAB6F.exe
PID 5040 wrote to memory of 4120	5040	2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555.exe	done_output95FAB6F.exe
PID 5040 wrote to memory of 2024	5040	2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555.exe	xpsz.exe
PID 5040 wrote to memory of 2024	5040	2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555.exe	xpsz.exe
PID 5040 wrote to memory of 2024	5040	2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555.exe	xpsz.exe
PID 4120 wrote to memory of 1668	4120	done_output95FAB6F.exe	done_output95FAB6F.exe
PID 4120 wrote to memory of 1668	4120	done_output95FAB6F.exe	done_output95FAB6F.exe
PID 4120 wrote to memory of 1668	4120	done_output95FAB6F.exe	done_output95FAB6F.exe
PID 2024 wrote to memory of 2088	2024	xpsz.exe	xpsz.exe
PID 2024 wrote to memory of 2088	2024	xpsz.exe	xpsz.exe
PID 2024 wrote to memory of 2088	2024	xpsz.exe	xpsz.exe
PID 2088 wrote to memory of 1932	2088	xpsz.exe	done_output95FAB6F.exe
PID 2088 wrote to memory of 1932	2088	xpsz.exe	done_output95FAB6F.exe
PID 2088 wrote to memory of 1932	2088	xpsz.exe	done_output95FAB6F.exe
PID 1668 wrote to memory of 4164	1668	done_output95FAB6F.exe	schtasks.exe
PID 1668 wrote to memory of 4164	1668	done_output95FAB6F.exe	schtasks.exe
PID 1668 wrote to memory of 4164	1668	done_output95FAB6F.exe	schtasks.exe
PID 1668 wrote to memory of 1672	1668	done_output95FAB6F.exe	schtasks.exe
PID 1668 wrote to memory of 1672	1668	done_output95FAB6F.exe	schtasks.exe
PID 1668 wrote to memory of 1672	1668	done_output95FAB6F.exe	schtasks.exe
PID 1932 wrote to memory of 2032	1932	done_output95FAB6F.exe	done_output95FAB6F.exe
PID 1932 wrote to memory of 2032	1932	done_output95FAB6F.exe	done_output95FAB6F.exe
PID 1932 wrote to memory of 2032	1932	done_output95FAB6F.exe	done_output95FAB6F.exe

C:\Users\Admin\AppData\Local\Temp\2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555.exe
"C:\Users\Admin\AppData\Local\Temp\2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4720

C:\Users\Admin\AppData\Local\Temp\2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555.exe
"C:\Users\Admin\AppData\Local\Temp\2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555.exe"
2⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5040

C:\Users\Admin\AppData\Local\Temp\done_output95FAB6F.exe
"C:\Users\Admin\AppData\Local\Temp\done_output95FAB6F.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4120

C:\Users\Admin\AppData\Local\Temp\done_output95FAB6F.exe
"C:\Users\Admin\AppData\Local\Temp\done_output95FAB6F.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "UPNP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7CA2.tmp"
5⤵
- Creates scheduled task(s)
PID:4164

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "UPNP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8677.tmp"
5⤵
- Creates scheduled task(s)
PID:1672

C:\Users\Admin\AppData\Roaming\Install\xpsz.exe
"C:\Users\Admin\AppData\Roaming\Install\xpsz.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Roaming\Install\xpsz.exe
"C:\Users\Admin\AppData\Roaming\Install\xpsz.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2088

C:\Users\Admin\AppData\Local\Temp\done_output95FAB6F.exe
"C:\Users\Admin\AppData\Local\Temp\done_output95FAB6F.exe"
5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Local\Temp\done_output95FAB6F.exe
"C:\Users\Admin\AppData\Local\Temp\done_output95FAB6F.exe"
6⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\done_output95FAB6F.exe
Filesize
740KB

MD5
95febfd71065edffaeb39d7dd532d98f

SHA1
798c72a7ed1675d870a473b18b15a91b169a7e8b

SHA256
d6ed48df1af1e3ca921a7fe869a8fb340a8b59adc808b6ed08e5371cad639f86

SHA512
cf72fe378f3070d80c6a3a17eb6d39b2fec4f15c0d7f7fa682027c72ab8e00d976de24065091e61594bf331a2c23b61a0043c91bbc86fa60dd2c8af37697d543

Download Submit
C:\Users\Admin\AppData\Local\Temp\done_output95FAB6F.exe
Filesize
740KB

MD5
95febfd71065edffaeb39d7dd532d98f

SHA1
798c72a7ed1675d870a473b18b15a91b169a7e8b

SHA256
d6ed48df1af1e3ca921a7fe869a8fb340a8b59adc808b6ed08e5371cad639f86

SHA512
cf72fe378f3070d80c6a3a17eb6d39b2fec4f15c0d7f7fa682027c72ab8e00d976de24065091e61594bf331a2c23b61a0043c91bbc86fa60dd2c8af37697d543

Download Submit
C:\Users\Admin\AppData\Local\Temp\done_output95FAB6F.exe
Filesize
740KB

MD5
95febfd71065edffaeb39d7dd532d98f

SHA1
798c72a7ed1675d870a473b18b15a91b169a7e8b

SHA256
d6ed48df1af1e3ca921a7fe869a8fb340a8b59adc808b6ed08e5371cad639f86

SHA512
cf72fe378f3070d80c6a3a17eb6d39b2fec4f15c0d7f7fa682027c72ab8e00d976de24065091e61594bf331a2c23b61a0043c91bbc86fa60dd2c8af37697d543

Download Submit
C:\Users\Admin\AppData\Local\Temp\done_output95FAB6F.exe
Filesize
740KB

MD5
95febfd71065edffaeb39d7dd532d98f

SHA1
798c72a7ed1675d870a473b18b15a91b169a7e8b

SHA256
d6ed48df1af1e3ca921a7fe869a8fb340a8b59adc808b6ed08e5371cad639f86

SHA512
cf72fe378f3070d80c6a3a17eb6d39b2fec4f15c0d7f7fa682027c72ab8e00d976de24065091e61594bf331a2c23b61a0043c91bbc86fa60dd2c8af37697d543

Download Submit
C:\Users\Admin\AppData\Local\Temp\done_output95FAB6F.exe
Filesize
740KB

MD5
95febfd71065edffaeb39d7dd532d98f

SHA1
798c72a7ed1675d870a473b18b15a91b169a7e8b

SHA256
d6ed48df1af1e3ca921a7fe869a8fb340a8b59adc808b6ed08e5371cad639f86

SHA512
cf72fe378f3070d80c6a3a17eb6d39b2fec4f15c0d7f7fa682027c72ab8e00d976de24065091e61594bf331a2c23b61a0043c91bbc86fa60dd2c8af37697d543

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7CA2.tmp
Filesize
1KB

MD5
2ab13221f820511803797eb5e97d3d15

SHA1
297522238598949b746b1dad493ec51a2639b9e3

SHA256
eee5064b1f652a698ab1534f3a6c38e7aa1f0942670d1bc5380759390177faa0

SHA512
0b80db420affdc9d8393d925d759376430dfbd6791b656690a1c2cfc22a5f932cc8db1cebcbbc156574861118f53e363bebdf9eb56de094c1b3afbe77b0584b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8677.tmp
Filesize
1KB

MD5
c9a4c783d2e18eea86e071de92f36f02

SHA1
4cb02db05386ccb70a23fa89dbadfddfc8f7b6af

SHA256
21d669a674eb23538f38f6822429d797e69e0685d18c0e6e03ec6801098b240a

SHA512
b6d5198d9ca83687fcc491c02ad8b417e02dff0150b514c3d39d13b8de9ffba6f3779ee7bb6350b087474fb6e0d1bd10b8fdd5c8f48a46c9cfd183d9045b80ef

Download Submit
C:\Users\Admin\AppData\Roaming\Install\xpsz.exe
Filesize
1.7MB

MD5
572deaae035dc45bfde695cf2c4eca9c

SHA1
23ac65e7d81d1937f3637e249d8daf03ee820bb4

SHA256
2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555

SHA512
0c8a7a75893af6413da2034de0b901476c9db94ca50f2ea757f77787b7816a9f53c71b5af6c527670ad85c46b892e244c623dc57096b3ebc76ccd497a8ef1d4d

Download Submit
C:\Users\Admin\AppData\Roaming\Install\xpsz.exe
Filesize
1.7MB

MD5
572deaae035dc45bfde695cf2c4eca9c

SHA1
23ac65e7d81d1937f3637e249d8daf03ee820bb4

SHA256
2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555

SHA512
0c8a7a75893af6413da2034de0b901476c9db94ca50f2ea757f77787b7816a9f53c71b5af6c527670ad85c46b892e244c623dc57096b3ebc76ccd497a8ef1d4d

Download Submit
C:\Users\Admin\AppData\Roaming\Install\xpsz.exe
Filesize
1.7MB

MD5
572deaae035dc45bfde695cf2c4eca9c

SHA1
23ac65e7d81d1937f3637e249d8daf03ee820bb4

SHA256
2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555

SHA512
0c8a7a75893af6413da2034de0b901476c9db94ca50f2ea757f77787b7816a9f53c71b5af6c527670ad85c46b892e244c623dc57096b3ebc76ccd497a8ef1d4d

Download Submit
C:\Windows\win.ini
Filesize
123B

MD5
6bf517432f65eb7f0d18d574bf14124c

SHA1
5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

SHA256
6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

SHA512
7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

Download Submit
C:\Windows\win.ini
Filesize
123B

MD5
6bf517432f65eb7f0d18d574bf14124c

SHA1
5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

SHA256
6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

SHA512
7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

Download Submit
C:\Windows\win.ini
Filesize
123B

MD5
6bf517432f65eb7f0d18d574bf14124c

SHA1
5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

SHA256
6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

SHA512
7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

Download Submit
C:\Windows\win.ini
Filesize
123B

MD5
6bf517432f65eb7f0d18d574bf14124c

SHA1
5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

SHA256
6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

SHA512
7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

Download Submit
C:\Windows\win.ini
Filesize
123B

MD5
6bf517432f65eb7f0d18d574bf14124c

SHA1
5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

SHA256
6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

SHA512
7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

Download Submit
C:\Windows\win.ini
Filesize
123B

MD5
6bf517432f65eb7f0d18d574bf14124c

SHA1
5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

SHA256
6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

SHA512
7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

Download Submit
C:\Windows\win.ini
Filesize
123B

MD5
6bf517432f65eb7f0d18d574bf14124c

SHA1
5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

SHA256
6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

SHA512
7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

Download Submit
memory/1668-177-0x00000000778A1000-0x00000000779C1000-memory.dmp

Filesize
1.1MB

Download
memory/1668-159-0x0000000000000000-mapping.dmp

Download
memory/1668-176-0x00007FF9F26D0000-0x00007FF9F28C5000-memory.dmp

Filesize
2.0MB

Download
memory/1668-194-0x00000000744E0000-0x0000000074A91000-memory.dmp

Filesize
5.7MB

Download
memory/1668-175-0x00000000744E0000-0x0000000074A91000-memory.dmp

Filesize
5.7MB

Download
memory/1668-174-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1668-173-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1672-192-0x0000000000000000-mapping.dmp

Download
memory/1932-180-0x0000000000000000-mapping.dmp

Download
memory/1932-204-0x00000000778A0000-0x0000000077A43000-memory.dmp

Filesize
1.6MB

Download
memory/1932-201-0x00000000778A0000-0x0000000077A43000-memory.dmp

Filesize
1.6MB

Download
memory/1932-200-0x00007FF9F26D0000-0x00007FF9F28C5000-memory.dmp

Filesize
2.0MB

Download
memory/2024-179-0x00000000778A0000-0x0000000077A43000-memory.dmp

Filesize
1.6MB

Download
memory/2024-171-0x00000000778A0000-0x0000000077A43000-memory.dmp

Filesize
1.6MB

Download
memory/2024-151-0x0000000000000000-mapping.dmp

Download
memory/2024-170-0x00007FF9F26D0000-0x00007FF9F28C5000-memory.dmp

Filesize
2.0MB

Download
memory/2032-196-0x0000000000000000-mapping.dmp

Download
memory/2032-208-0x00000000744E0000-0x0000000074A91000-memory.dmp

Filesize
5.7MB

Download
memory/2032-207-0x00007FF9F26D0000-0x00007FF9F28C5000-memory.dmp

Filesize
2.0MB

Download
memory/2032-206-0x00000000744E0000-0x0000000074A91000-memory.dmp

Filesize
5.7MB

Download
memory/2032-205-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2088-164-0x0000000000000000-mapping.dmp

Download
memory/2088-183-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2088-181-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/2088-190-0x00007FF9F26D0000-0x00007FF9F28C5000-memory.dmp

Filesize
2.0MB

Download
memory/4120-141-0x0000000000000000-mapping.dmp

Download
memory/4120-168-0x00007FF9F26D0000-0x00007FF9F28C5000-memory.dmp

Filesize
2.0MB

Download
memory/4120-169-0x00000000778A0000-0x0000000077A43000-memory.dmp

Filesize
1.6MB

Download
memory/4164-184-0x0000000000000000-mapping.dmp

Download
memory/4720-140-0x00000000778A0000-0x0000000077A43000-memory.dmp

Filesize
1.6MB

Download
memory/4720-138-0x00000000778A0000-0x0000000077A43000-memory.dmp

Filesize
1.6MB

Download
memory/4720-137-0x00007FF9F26D0000-0x00007FF9F28C5000-memory.dmp

Filesize
2.0MB

Download
memory/5040-152-0x00007FF9F26D0000-0x00007FF9F28C5000-memory.dmp

Filesize
2.0MB

Download
memory/5040-144-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/5040-134-0x0000000000000000-mapping.dmp

Download
memory/5040-145-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5040-153-0x00000000778A0000-0x0000000077A43000-memory.dmp

Filesize
1.6MB

Download