stormkitty | 18b4e3d6eca1a5812222f2c4d1c86b68cb929fda16108242fef13a4f097f877f

Analysis

max time kernel
148s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-12-2024 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DiscordNukerV1.0.exe
Size

14.8MB
MD5

38df4465ac1c0b796df23a8c607a1d5b
SHA1

d1434d1f559deb702590a6c978b6e7d38e2a7767
SHA256

18b4e3d6eca1a5812222f2c4d1c86b68cb929fda16108242fef13a4f097f877f
SHA512

2af234bd6e438e30e8056e0b6fc4aedc651fcd6fa123b0688a02dd5af2d48aa5395e004d9ebc334743febab204dc3f10cb1c3f63f7102c9b9d9b7b7ef7f71bae
SSDEEP

196608:RQapTQTpurvvybvz5U0+tfSl5GNxc54hSOCFWYv3b6qDdc9pm7+4Sf9nCoUm4vvT:RQpuTybvCdpkGNXSOr+0ipc

Score

10^/10

stormkitty xworm discovery execution persistence pyinstaller rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

193.161.193.99:57345

SomeVmTest-57345.portmap.host:57345

Attributes

Install_directory
%ProgramData%
install_file
Microsoft Edge.exe
telegram
https://api.telegram.org/bot8173550372:AAFjEp_VO8z4680tyISQONWzSsBtso_p8-8/sendMessage?chat_id=7840504773

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/2704-1648-0x0000000000C90000-0x0000000000C9E000-memory.dmp	disable_win_def

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000012119-5.dat	family_xworm
behavioral1/memory/2704-12-0x0000000001020000-0x0000000001052000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/2704-1649-0x000000001D1D0000-0x000000001D2EE000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2628	powershell.exe
3008	powershell.exe
1932	powershell.exe
3068	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.lnk	DSCNukerV1.0.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.lnk	DSCNukerV1.0.exe

Executes dropped EXE 9 IoCs

pid	Process
2704	DSCNukerV1.0.exe
2820	DiscordNukerV1.0ByKami.exe
2872	backend.exe
2604	backend.exe
1320	ynyfza.exe
1592	ynyfza.exe
1208	Process not Found
2988	uujiua.exe
2220	uujiua.exe

Loads dropped DLL 29 IoCs

pid	Process
2708	DiscordNukerV1.0.exe
1652	Process not Found
2872	backend.exe
2604	backend.exe
2604	backend.exe
2604	backend.exe
2604	backend.exe
2604	backend.exe
2604	backend.exe
2604	backend.exe
2704	DSCNukerV1.0.exe
1320	ynyfza.exe
1592	ynyfza.exe
1592	ynyfza.exe
1592	ynyfza.exe
1592	ynyfza.exe
1592	ynyfza.exe
1592	ynyfza.exe
1592	ynyfza.exe
2704	DSCNukerV1.0.exe
2988	uujiua.exe
2220	uujiua.exe
2220	uujiua.exe
2220	uujiua.exe
2220	uujiua.exe
2220	uujiua.exe
2220	uujiua.exe
2220	uujiua.exe
1208	Process not Found

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Edge = "C:\\ProgramData\\Microsoft Edge.exe"	DSCNukerV1.0.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 3 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x00080000000156a6-18.dat	pyinstaller
behavioral1/files/0x0003000000013d08-1454.dat	pyinstaller
behavioral1/files/0x0009000000015d03-1577.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscordNukerV1.0ByKami.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	DSCNukerV1.0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DSCNukerV1.0.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1236	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	DSCNukerV1.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	DSCNukerV1.0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	DSCNukerV1.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	DSCNukerV1.0.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2404	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2628	powershell.exe
3008	powershell.exe
1932	powershell.exe
3068	powershell.exe
2704	DSCNukerV1.0.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	DSCNukerV1.0.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	2704	DSCNukerV1.0.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2704	DSCNukerV1.0.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2704	2708	DiscordNukerV1.0.exe	30
PID 2708 wrote to memory of 2704	2708	DiscordNukerV1.0.exe	30
PID 2708 wrote to memory of 2704	2708	DiscordNukerV1.0.exe	30
PID 2708 wrote to memory of 2820	2708	DiscordNukerV1.0.exe	31
PID 2708 wrote to memory of 2820	2708	DiscordNukerV1.0.exe	31
PID 2708 wrote to memory of 2820	2708	DiscordNukerV1.0.exe	31
PID 2708 wrote to memory of 2820	2708	DiscordNukerV1.0.exe	31
PID 2708 wrote to memory of 2872	2708	DiscordNukerV1.0.exe	32
PID 2708 wrote to memory of 2872	2708	DiscordNukerV1.0.exe	32
PID 2708 wrote to memory of 2872	2708	DiscordNukerV1.0.exe	32
PID 2872 wrote to memory of 2604	2872	backend.exe	35
PID 2872 wrote to memory of 2604	2872	backend.exe	35
PID 2872 wrote to memory of 2604	2872	backend.exe	35
PID 2704 wrote to memory of 2628	2704	DSCNukerV1.0.exe	36
PID 2704 wrote to memory of 2628	2704	DSCNukerV1.0.exe	36
PID 2704 wrote to memory of 2628	2704	DSCNukerV1.0.exe	36
PID 2704 wrote to memory of 3008	2704	DSCNukerV1.0.exe	38
PID 2704 wrote to memory of 3008	2704	DSCNukerV1.0.exe	38
PID 2704 wrote to memory of 3008	2704	DSCNukerV1.0.exe	38
PID 2704 wrote to memory of 1932	2704	DSCNukerV1.0.exe	40
PID 2704 wrote to memory of 1932	2704	DSCNukerV1.0.exe	40
PID 2704 wrote to memory of 1932	2704	DSCNukerV1.0.exe	40
PID 2704 wrote to memory of 3068	2704	DSCNukerV1.0.exe	42
PID 2704 wrote to memory of 3068	2704	DSCNukerV1.0.exe	42
PID 2704 wrote to memory of 3068	2704	DSCNukerV1.0.exe	42
PID 2704 wrote to memory of 2404	2704	DSCNukerV1.0.exe	44
PID 2704 wrote to memory of 2404	2704	DSCNukerV1.0.exe	44
PID 2704 wrote to memory of 2404	2704	DSCNukerV1.0.exe	44
PID 2704 wrote to memory of 1320	2704	DSCNukerV1.0.exe	47
PID 2704 wrote to memory of 1320	2704	DSCNukerV1.0.exe	47
PID 2704 wrote to memory of 1320	2704	DSCNukerV1.0.exe	47
PID 1320 wrote to memory of 1592	1320	ynyfza.exe	48
PID 1320 wrote to memory of 1592	1320	ynyfza.exe	48
PID 1320 wrote to memory of 1592	1320	ynyfza.exe	48
PID 2704 wrote to memory of 2988	2704	DSCNukerV1.0.exe	50
PID 2704 wrote to memory of 2988	2704	DSCNukerV1.0.exe	50
PID 2704 wrote to memory of 2988	2704	DSCNukerV1.0.exe	50
PID 2988 wrote to memory of 2220	2988	uujiua.exe	51
PID 2988 wrote to memory of 2220	2988	uujiua.exe	51
PID 2988 wrote to memory of 2220	2988	uujiua.exe	51
PID 2704 wrote to memory of 2680	2704	DSCNukerV1.0.exe	52
PID 2704 wrote to memory of 2680	2704	DSCNukerV1.0.exe	52
PID 2704 wrote to memory of 2680	2704	DSCNukerV1.0.exe	52
PID 2704 wrote to memory of 2044	2704	DSCNukerV1.0.exe	54
PID 2704 wrote to memory of 2044	2704	DSCNukerV1.0.exe	54
PID 2704 wrote to memory of 2044	2704	DSCNukerV1.0.exe	54
PID 2044 wrote to memory of 1236	2044	cmd.exe	56
PID 2044 wrote to memory of 1236	2044	cmd.exe	56
PID 2044 wrote to memory of 1236	2044	cmd.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\DiscordNukerV1.0.exe
"C:\Users\Admin\AppData\Local\Temp\DiscordNukerV1.0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\DSCNukerV1.0.exe
  "C:\Users\Admin\AppData\Local\Temp\DSCNukerV1.0.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\DSCNukerV1.0.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DSCNukerV1.0.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft Edge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Edge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3068
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft Edge" /tr "C:\ProgramData\Microsoft Edge.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2404
- - C:\Users\Admin\AppData\Local\Temp\ynyfza.exe
    "C:\Users\Admin\AppData\Local\Temp\ynyfza.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - C:\Users\Admin\AppData\Local\Temp\ynyfza.exe
      "C:\Users\Admin\AppData\Local\Temp\ynyfza.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1592
- - C:\Users\Admin\AppData\Local\Temp\uujiua.exe
    "C:\Users\Admin\AppData\Local\Temp\uujiua.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Users\Admin\AppData\Local\Temp\uujiua.exe
      "C:\Users\Admin\AppData\Local\Temp\uujiua.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2220
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "Microsoft Edge"
    3⤵
    PID:2680
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpED81.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1236
- C:\Users\Admin\AppData\Local\Temp\DiscordNukerV1.0ByKami.exe
  "C:\Users\Admin\AppData\Local\Temp\DiscordNukerV1.0ByKami.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2820
- C:\Users\Admin\AppData\Local\Temp\backend.exe
  "C:\Users\Admin\AppData\Local\Temp\backend.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Users\Admin\AppData\Local\Temp\backend.exe
    "C:\Users\Admin\AppData\Local\Temp\backend.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2604

C:\Windows\system32\taskeng.exe
taskeng.exe {BFE5D80A-F733-40A5-8572-E46BD339AE35} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
1⤵
PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DSCNukerV1.0.exe

Filesize
174KB

MD5
2ad7401c5fb59aa1ef10c16fefeee7ee

SHA1
755f65923dc195ced2817ebdf3e04abc639c6f99

SHA256
9b566cee1fdbdf861d52eb0a8da7795ca77cca1700e890b641caa48223236395

SHA512
43ea45a01c0328ea0791be1c4fd15920e353545489b6c42555e7344ee77ce04a6233e342b89c984594bddec92c06cb01985c84de3d4d29cb80b2754a4c4f2357

Download Submit
C:\Users\Admin\AppData\Local\Temp\DiscordNukerV1.0ByKami.exe

Filesize
30KB

MD5
3ef71b85852ddbd407036b32e02395c0

SHA1
98e8c0efef7d096d61c7f78763cf317203c507bd

SHA256
db2318d2211d0822511c0e0eacc98aa936ccfb0d89956f8a26c079651acf7521

SHA512
afc30841f1e0434b913a35afe9718b7af364f42448235861944fbf941bf106819696d1bb096289a82eedcc1c35c8f65f92b87b3057c508e64515f898e13c57f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\python311.dll

Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\tzdata\zoneinfo\Africa\Conakry

Filesize
130B

MD5
796a57137d718e4fa3db8ef611f18e61

SHA1
23f0868c618aee82234605f5a0002356042e9349

SHA256
f3e7fcaa0e9840ff4169d3567d8fb5926644848f4963d7acf92320843c5d486e

SHA512
64a8de7d9e2e612a6e9438f2de598b11fecc5252052d92278c96dd6019abe7465e11c995e009dfbc76362080217e9df9091114bdbd1431828842348390cb997b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\tzdata\zoneinfo\Africa\Djibouti

Filesize
191B

MD5
fe54394a3dcf951bad3c293980109dd2

SHA1
4650b524081009959e8487ed97c07a331c13fd2d

SHA256
0783854f52c33ada6b6d2a5d867662f0ae8e15238d2fce7b9ada4f4d319eb466

SHA512
fe4cf1dd66ae0739f1051be91d729efebde5459967bbe41adbdd3330d84d167a7f8db6d4974225cb75e3b2d207480dfb3862f2b1dda717f33b9c11d33dcac418

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\tzdata\zoneinfo\Africa\Kigali

Filesize
131B

MD5
9c92339423e915befec45cc4752a75ce

SHA1
d336e337b0cafc1205ba041fac447b8ae3074dbe

SHA256
910c97c091cd34ae7427c83226234ce7b4f2f425c5822d6669c24be62010a792

SHA512
e5a3a1ab74a2620743964583ab960be126448ed013b57393eca6b397ac020de0be5763b6d40443b1976e0d3e6a533e8c46123fcb0428e5e233b076cf9ba69667

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\tzdata\zoneinfo\Africa\Lagos

Filesize
180B

MD5
89de77d185e9a76612bd5f9fb043a9c2

SHA1
0c58600cb28c94c8642dedb01ac1c3ce84ee9acf

SHA256
e5ef1288571cc56c5276ca966e1c8a675c6747726d758ecafe7effce6eca7be4

SHA512
e2fb974fa770639d56edc5f267306be7ee9b00b9b214a06739c0dad0403903d8432e1c7b9d4322a8c9c31bd1faa8083e262f9d851c29562883ca3933e01d018c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\tzdata\zoneinfo\America\Curacao

Filesize
177B

MD5
92d3b867243120ea811c24c038e5b053

SHA1
ade39dfb24b20a67d3ac8cc7f59d364904934174

SHA256
abbe8628dd5487c889db816ce3a5077bbb47f6bafafeb9411d92d6ef2f70ce8d

SHA512
1eee8298dffa70049439884f269f90c0babcc8e94c5ccb595f12c8cfe3ad12d52b2d82a5853d0ff4a0e4d6069458cc1517b7535278b2fdef145e024e3531daad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\tzdata\zoneinfo\America\Toronto

Filesize
1KB

MD5
3fa8a9428d799763fa7ea205c02deb93

SHA1
222b74b3605024b3d9ed133a3a7419986adcc977

SHA256
815ab4db7a1b1292867d2f924b718e1bba32455ce9f92205db2feb65029c6761

SHA512
107a4dbb64107f781e3ed17b505baea28d4ca6683c2b49d146dda41c28ca3f9c307809ed938e4152011e199a7be6913de6f7b78cafe8ef300dc3034397945238

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\tzdata\zoneinfo\EST

Filesize
149B

MD5
595e67b4c97fda031a90e5ef80813e7d

SHA1
7194eb1a70c1acc1749c19617601595d910b9744

SHA256
a78d73067ba3cbd94f8a23dfdd6aa8b68cb33b18484bc17b4e20ea1aec2f0a81

SHA512
27925a87379552403a0960c2ec191994610bc05b2d67fb1fbbeeb6086a16091bdc69449bce3426b31a2775f3845ed8cc07d1882f8b3b4e63f437775a2eea5d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\tzdata\zoneinfo\Etc\Greenwich

Filesize
111B

MD5
e7577ad74319a942781e7153a97d7690

SHA1
91d9c2bf1cbb44214a808e923469d2153b3f9a3f

SHA256
dc4a07571b10884e4f4f3450c9d1a1cbf4c03ef53d06ed2e4ea152d9eba5d5d7

SHA512
b4bc0ddba238fcab00c99987ea7bd5d5fa15967eceba6a2455ecd1d81679b4c76182b5a9e10c004b55dc98abc68ce0912d4f42547b24a22b0f5f0f90117e2b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\tzdata\zoneinfo\Europe\London

Filesize
1KB

MD5
d111147703d04769072d1b824d0ddc0c

SHA1
0c99c01cad245400194d78f9023bd92ee511fbb1

SHA256
676541f0b8ad457c744c093f807589adcad909e3fd03f901787d08786eedbd33

SHA512
21502d194dfd89ac66f3df6610cb7725936f69faafb6597d4c22cec9d5e40965d05dd7111de9089bc119ec2b701fea664d3cb291b20ae04d59bcbd79e681d07a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\tzdata\zoneinfo\Europe\Oslo

Filesize
705B

MD5
2577d6d2ba90616ca47c8ee8d9fbca20

SHA1
e8f7079796d21c70589f90d7682f730ed236afd4

SHA256
a7fd9932d785d4d690900b834c3563c1810c1cf2e01711bcc0926af6c0767cb7

SHA512
f228ca1ef2756f955566513d7480d779b10b74a8780f2c3f1768730a1a9ae54c5ac44890d0690b59df70c4194a414f276f59bb29389f6fa29719cb06cb946ceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\tzdata\zoneinfo\Europe\Skopje

Filesize
478B

MD5
a4ac1780d547f4e4c41cab4c6cf1d76d

SHA1
9033138c20102912b7078149abc940ea83268587

SHA256
a8c964f3eaa7a209d9a650fb16c68c003e9a5fc62ffbbb10fa849d54fb3662d6

SHA512
7fd5c4598f9d61a3888b4831b0c256ac8c07a5ae28123f969549ae3085a77fece562a09805c44eab7973765d850f6c58f9fcf42582bdd7fd0cdba6cd3d432469

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\tzdata\zoneinfo\MET

Filesize
1KB

MD5
7a350885dea1ebe1bf630eb4254e9abc

SHA1
5036277ce20a4d75d228cf82a07ed8e56c22e197

SHA256
b10f9542a8509f0a63ebca78e3d80432dd86b8ea296400280febd9cfa76e8288

SHA512
524ed4fb0c158a1d526dd9071df7111fb78940d468e964bf63ba5418f9b551ec28c38fa1dc2711415aa31f926d8729eac63d6b1e2946b7942ce822f09d00c5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\tzdata\zoneinfo\PRC

Filesize
393B

MD5
dff9cd919f10d25842d1381cdff9f7f7

SHA1
2aa2d896e8dde7bc74cb502cd8bff5a2a19b511f

SHA256
bf8b7ed82fe6e63e6d98f8cea934eeac901cd16aba85eb5755ce3f8b4289ea8a

SHA512
c6f4ef7e4961d9f5ae353a5a54d5263fea784255884f7c18728e05806d7c80247a2af5d9999d805f40b0cc86a580a3e2e81135fdd49d62876a15e1ab50e148b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\tzdata\zoneinfo\Pacific\Wallis

Filesize
134B

MD5
ba8d62a6ed66f462087e00ad76f7354d

SHA1
584a5063b3f9c2c1159cebea8ea2813e105f3173

SHA256
09035620bd831697a3e9072f82de34cfca5e912d50c8da547739aa2f28fb6d8e

SHA512
9c5dba4f7c71d5c753895cbfdb01e18b9195f7aad971948eb8e8817b7aca9b7531ca250cdce0e01a5b97ba42c1c9049fd93a2f1ed886ef9779a54babd969f761

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\tzdata\zoneinfo\Pacific\Yap

Filesize
154B

MD5
bcf8aa818432d7ae244087c7306bcb23

SHA1
5a91d56826d9fc9bc84c408c581a12127690ed11

SHA256
683001055b6ef9dc9d88734e0eddd1782f1c3643b7c13a75e9cf8e9052006e19

SHA512
d5721c5bf8e1df68fbe2c83bb5cd1edea331f8be7f2a7ef7a6c45f1c656857f2f981adb2c82d8b380c88b1ddea6abb20d692c45403f9562448908637d70fa221

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\tzdata\zoneinfo\UCT

Filesize
111B

MD5
51d8a0e68892ebf0854a1b4250ffb26b

SHA1
b3ea2db080cd92273d70a8795d1f6378ac1d2b74

SHA256
fddce1e648a1732ac29afd9a16151b2973cdf082e7ec0c690f7e42be6b598b93

SHA512
4d0def0cd33012754835b27078d64141503c8762e7fb0f74ac669b8e2768deeba14900feef6174f65b1c3dd2ea0ce9a73bba499275c1c75bcae91cd266262b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\tzdata\zoneinfo\US\Mountain

Filesize
1KB

MD5
c1b9655d5b1ce7fbc9ac213e921acc88

SHA1
064be7292142a188c73bf9438d382002c373c342

SHA256
9bb703920eca4b6119e81a105583a4f6ca220651f13b418479ab7cd56c413f3e

SHA512
2a188d7bcc48acc17b229e50e136b55dbc59058ae9be6ef217238cd1b6c0a59817954ab98817d2e2ff836a6f7d7461be5850ad73a9096d7a14ce9fd8c2a3c29a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpED81.tmp.bat

Filesize
164B

MD5
d5e8aa82354928301d154fe69c2689d7

SHA1
0abfdd841eed898367e13b3d84477fb33c75166f

SHA256
b3da05b2f07db3fd86da1c4f6aa244b9034245151303bee72589995c86242614

SHA512
39d1848cbcccd73270f0296e2170df5a2d1f498afd44caa55a51d2df785d2225641206620ef77bd8e504816ea784de1142db40aad4ec6abf4c094dd2f7baa22c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ynyfza.exe

Filesize
7.1MB

MD5
302266ede0190cec138bcf750eafe22e

SHA1
36e9ea5f6f258dbbd4607e6e44d765dea6b88bb0

SHA256
e8f68f6bc7100e772f13d186e610e873e2ad1e2ab08e9e0b6abc35fd9cb35550

SHA512
a4db1191770dbcb1d357f22d1420cf96f12d839c1a52e2fba7be920a7e16da2268db7994c278a9eddf5d50808aea8166511a6d45af8b773e88d878cb25571b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e533ed9f809c07a81ecdc48532fa816a

SHA1
5c3086e50c89c5724f663510ce8c35140c372ad3

SHA256
7b7a937de2d8685a65b097310c77f284deea873485069fb9dd2a2ae20a03a2ce

SHA512
ca287fe40991766bb7a0ef6128248275bc8f2a83d63e33b290580ae262ecfae5961d89241f04e0eda4874b1567d8c9c29aa53bc396d73128e70dce2d75de2f99

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28722\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28722\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28722\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28722\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
517eb9e2cb671ae49f99173d7f7ce43f

SHA1
4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

SHA256
57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

SHA512
492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28722\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
d12403ee11359259ba2b0706e5e5111c

SHA1
03cc7827a30fd1dee38665c0cc993b4b533ac138

SHA256
f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

SHA512
9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

Download Submit
\Users\Admin\AppData\Local\Temp\backend.exe

Filesize
14.5MB

MD5
93ec05c486121405b866e9d11a1d1dd2

SHA1
e85a6000e6fb75b0e556e32574bba573d05071fe

SHA256
2d0b1ce2d58d34d6e511b72320fc94dc9a65877e6549109b40b0c73f5dfc835c

SHA512
3a7b1960f3bf0be99798bf877b4e75ab435dad3aee143402d311b31b3aff049071f25d05c59bebf11863ef0b8387c1dda181cfcffc174af4562472ca06bbdf3f

Download Submit
\Users\Admin\AppData\Local\Temp\uujiua.exe

Filesize
7.1MB

MD5
085eec275c2c2de5ee190e257450eb34

SHA1
2b72c20023a089011e707deff730298cbd36273e

SHA256
a80851a147b3140fcfa86b7c7e0eb263106d0d3bbe1f32374d1b7b5561653293

SHA512
78d0af1456c935b71dcb6e44f11e521a47fb40ac5c134b63ac44ccfdad09434bfea7e03b5fa6e3c22797b7c7c62b761138d44400e3f6279af558f0e13f298c88

Download Submit
memory/2628-737-0x000000001B7B0000-0x000000001BA92000-memory.dmp

Filesize
2.9MB

Download
memory/2628-738-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2704-1648-0x0000000000C90000-0x0000000000C9E000-memory.dmp

Filesize
56KB

Download
memory/2704-1647-0x000000001DDD0000-0x000000001E120000-memory.dmp

Filesize
3.3MB

Download
memory/2704-1732-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2704-12-0x0000000001020000-0x0000000001052000-memory.dmp

Filesize
200KB

Download
memory/2704-1449-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2704-15-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2704-1651-0x0000000000CB0000-0x0000000000CBA000-memory.dmp

Filesize
40KB

Download
memory/2704-1650-0x0000000000CA0000-0x0000000000CAC000-memory.dmp

Filesize
48KB

Download
memory/2704-1649-0x000000001D1D0000-0x000000001D2EE000-memory.dmp

Filesize
1.1MB

Download
memory/2708-1-0x0000000001090000-0x0000000001F56000-memory.dmp

Filesize
14.8MB

Download
memory/2708-0-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

Filesize
4KB

Download
memory/2820-14-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

Filesize
48KB

Download
memory/3008-1431-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/3008-1432-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download