xworm | 8f619c4d07c848855b27863e887f95f7307ae2d46f64c661ca17a2d96798a2af

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dll (1).exe
Size

1.8MB
MD5

2d8725f268c90475c94941e550019cf9
SHA1

c51ed1a97e71cbdfb7712f7fbe2251553f1054b7
SHA256

8f619c4d07c848855b27863e887f95f7307ae2d46f64c661ca17a2d96798a2af
SHA512

4998e8bf9e33f31e895783e31185fd678c368e3eb3b524b65ff1d988f0395cdd8d7a1aa6776d89b1f284656f2e6c97b848d8e909c167b52932a1d83382e57bb1
SSDEEP

49152:d78cpUcrJCoHjuFnBPn20DRt8HcWynnBvIyn+inbT:d78cpUcrJC2q9BPjo8WyBv1n+in

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:35472

haxxy999-35472.portmap.host:35472

Attributes

Install_directory
%Temp%
install_file
svchost.exe

Signatures

Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource yara_rule

behavioral2/memory/1488-124-0x000000001BEE0000-0x000000001BEEE000-memory.dmp disable_win_def

resource	yara_rule
behavioral2/memory/1488-124-0x000000001BEE0000-0x000000001BEEE000-memory.dmp	disable_win_def

Detect Xworm Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Feather new.exe	family_xworm
behavioral2/memory/1488-61-0x00000000005E0000-0x00000000005FC000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\ybevvn.exe	family_xworm
behavioral2/memory/3932-144-0x0000000000B80000-0x0000000000B9C000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

5092 powershell.exe
4912 powershell.exe
4656 powershell.exe
3252 powershell.exe
3980 powershell.exe
2316 powershell.exe
3564 powershell.exe
2400 powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dll (1).exeFeather new.exeybevvn.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	dll (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Feather new.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	ybevvn.exe

Drops startup file 3 IoCs

Processes:

ybevvn.exeFeather new.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	ybevvn.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	Feather new.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	Feather new.exe

Executes dropped EXE 6 IoCs

Processes:

WaveInstaller.exeFeather new.exeybevvn.exezgsnkb.exesvchost.exesvchost.exe

pid process

1616 WaveInstaller.exe
1488 Feather new.exe
3932 ybevvn.exe
1420 zgsnkb.exe
408 svchost.exe
228 svchost.exe

pid	process
1616	WaveInstaller.exe
1488	Feather new.exe
3932	ybevvn.exe
1420	zgsnkb.exe
408	svchost.exe
228	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Feather new.exeybevvn.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe"	Feather new.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost.exe"	ybevvn.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

42 ip-api.com
14 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2488 schtasks.exe
4068 schtasks.exe

flow	ioc
42	ip-api.com
14	ip-api.com

pid	process
2488	schtasks.exe
4068	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeFeather new.exepowershell.exepowershell.exepowershell.exepowershell.exeybevvn.exe

pid	process
5092	powershell.exe
5092	powershell.exe
4912	powershell.exe
4912	powershell.exe
4656	powershell.exe
4656	powershell.exe
3252	powershell.exe
3252	powershell.exe
1488	Feather new.exe
1488	Feather new.exe
3980	powershell.exe
3980	powershell.exe
2316	powershell.exe
2316	powershell.exe
3564	powershell.exe
3564	powershell.exe
2400	powershell.exe
2400	powershell.exe
3932	ybevvn.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

Feather new.exepowershell.exepowershell.exepowershell.exepowershell.exeybevvn.exezgsnkb.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1488	Feather new.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	4912	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	3252	powershell.exe
Token: SeDebugPrivilege	1488	Feather new.exe
Token: SeDebugPrivilege	3932	ybevvn.exe
Token: SeDebugPrivilege	1420	zgsnkb.exe
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	3564	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	408	svchost.exe
Token: SeDebugPrivilege	3932	ybevvn.exe
Token: SeDebugPrivilege	228	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Feather new.exeybevvn.exe

pid process

1488 Feather new.exe
3932 ybevvn.exe

pid	process
1488	Feather new.exe
3932	ybevvn.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

dll (1).exeFeather new.exeybevvn.exe

description	pid	process	target process
PID 60 wrote to memory of 1616	60	dll (1).exe	WaveInstaller.exe
PID 60 wrote to memory of 1616	60	dll (1).exe	WaveInstaller.exe
PID 60 wrote to memory of 1616	60	dll (1).exe	WaveInstaller.exe
PID 60 wrote to memory of 1488	60	dll (1).exe	Feather new.exe
PID 60 wrote to memory of 1488	60	dll (1).exe	Feather new.exe
PID 1488 wrote to memory of 5092	1488	Feather new.exe	powershell.exe
PID 1488 wrote to memory of 5092	1488	Feather new.exe	powershell.exe
PID 1488 wrote to memory of 4912	1488	Feather new.exe	powershell.exe
PID 1488 wrote to memory of 4912	1488	Feather new.exe	powershell.exe
PID 1488 wrote to memory of 4656	1488	Feather new.exe	powershell.exe
PID 1488 wrote to memory of 4656	1488	Feather new.exe	powershell.exe
PID 1488 wrote to memory of 3252	1488	Feather new.exe	powershell.exe
PID 1488 wrote to memory of 3252	1488	Feather new.exe	powershell.exe
PID 1488 wrote to memory of 2488	1488	Feather new.exe	schtasks.exe
PID 1488 wrote to memory of 2488	1488	Feather new.exe	schtasks.exe
PID 1488 wrote to memory of 3932	1488	Feather new.exe	ybevvn.exe
PID 1488 wrote to memory of 3932	1488	Feather new.exe	ybevvn.exe
PID 1488 wrote to memory of 1420	1488	Feather new.exe	zgsnkb.exe
PID 1488 wrote to memory of 1420	1488	Feather new.exe	zgsnkb.exe
PID 3932 wrote to memory of 3980	3932	ybevvn.exe	powershell.exe
PID 3932 wrote to memory of 3980	3932	ybevvn.exe	powershell.exe
PID 3932 wrote to memory of 2316	3932	ybevvn.exe	powershell.exe
PID 3932 wrote to memory of 2316	3932	ybevvn.exe	powershell.exe
PID 3932 wrote to memory of 3564	3932	ybevvn.exe	powershell.exe
PID 3932 wrote to memory of 3564	3932	ybevvn.exe	powershell.exe
PID 3932 wrote to memory of 2400	3932	ybevvn.exe	powershell.exe
PID 3932 wrote to memory of 2400	3932	ybevvn.exe	powershell.exe
PID 3932 wrote to memory of 4068	3932	ybevvn.exe	schtasks.exe
PID 3932 wrote to memory of 4068	3932	ybevvn.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dll (1).exe
"C:\Users\Admin\AppData\Local\Temp\dll (1).exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:60

C:\Users\Admin\WaveInstaller.exe
"C:\Users\Admin\WaveInstaller.exe"
2⤵
- Executes dropped EXE
PID:1616

C:\Users\Admin\Feather new.exe
"C:\Users\Admin\Feather new.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Feather new.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Feather new.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3252

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Users\Admin\AppData\Local\Temp\ybevvn.exe
"C:\Users\Admin\AppData\Local\Temp\ybevvn.exe"
3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ybevvn.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ybevvn.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"
4⤵
- Scheduled Task/Job: Scheduled Task
PID:4068

C:\Users\Admin\AppData\Local\Temp\zgsnkb.exe
"C:\Users\Admin\AppData\Local\Temp\zgsnkb.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:408

C:\ProgramData\svchost.exe
C:\ProgramData\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:228

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log
Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
c1b0a9f26c3e1786191e94e419f1fbf9

SHA1
7f3492f4ec2d93e164f43fe2606b53edcffd8926

SHA256
796649641966f606d7217bb94c5c0a6194eef518815dacc86feacdd78d3c1113

SHA512
fa0290d77372c26a2f14cb9b0002c222bc757ce7ad02516b884c59a1108f42eb4c76884f9edb6c7149f7c3fac917eda99b72a3b1d72b7e118a1d5a73cadd15a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
329d930fea7f494cf4a36170921c064a

SHA1
aac7a8a6e8103600950e14a18c5bd9fdcf0d3e72

SHA256
95c0dc463114f6a9b5f0dd3d27ea44c551ee47f8c2b25b1a35c13633bf26f6f6

SHA512
b5c97e2b5c3d45e1b66a513f2405810bbc6e20409a0a6e302f6b44852ae40c710d538fb049eef9aadb58c9ba76acc6105bad49d8eeb33dd19a4e99262b7f18ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
1099dc40baabde4be41cc1faf6353f7d

SHA1
345705c6b9adc64389b6d142e7484d0cdd4f2bd0

SHA256
6cec99d44ed65e73240a96691f299a41e944a9c8f59c543df3ecd73d95c8bf40

SHA512
6315f1089cc8139531acc422741290c84a60841a65a8cc9844cd907c96694d33d164120c36f460a0bef03e67e2a60c33f9c968ac41edf3dd82cab015e00e74a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cc19bcff372d20459d3651ba8aef50e7

SHA1
3c6f1d4cdd647864fb97a16b1aefba67fcee11f7

SHA256
366473e774d8976c7fd4dc582220666fb61a4feb3f7c95e69b2a68ad9e446ec9

SHA512
a0e360ca4b6e874fd44612bf4b17f3722c0619da4f6bade12a62efadae88c2d33460114eaafa2bc3fb1cef5bea07e745b8bee24f15d0cacaff5f4a521b225080

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d0a40a2d16d62c60994d5bb5624a589b

SHA1
30f0a77f10518a09d83e6185d6c4cde23e4de8af

SHA256
c213a4024e89a0240d0b1fa3b18ea3db3db7bbe7ca1bdeed86dce9c2c4991ef8

SHA512
cecef5087f194a83948880e36445324406218f6877386d6db7850b8f97ac107e042ea9445bb7e73c6e6a2c7da9782b7dae8caba0a1c997677d096b3271a4cac0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e60eb305a7b2d9907488068b7065abd3

SHA1
1643dd7f915ac50c75bc01c53d68c5dafb9ce28d

SHA256
ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135

SHA512
95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nwuquqdw.q33.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ybevvn.exe
Filesize
84KB

MD5
32e2a2593d2ceb70749d5e070702da52

SHA1
2b9b2646ab4d0d0ca3cc722df7879254fbdc849e

SHA256
7a63f2c2d35675dd511249d34e399449ff37e9afdd327b21faed9da57715b1a5

SHA512
631ab888b85e9249784b39cf29f85fb7549110ec2c638eb42088bbaf00e5a38cbea6ce0eafe12592fd46d4a56bca84abb9c71b31db4ecf29c2e91d3da0f9b47e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
Filesize
1KB

MD5
23fbfad94432784e9bc9603ff3a74abf

SHA1
8319ba3f6ee5fa098390edcf44774e10be0edba2

SHA256
f8f8297b2c2690eea1db70c18590f7e8844f2e13b50637b3a2580165ebfcabf8

SHA512
932deb64968479fbaf5b37ca9c03222231795f1c6115edb66865950f80a768198a2792e4e69126e79c110abd2096a49a68305374228bff2277ce62154d5a855d

Download Submit
C:\Users\Admin\Feather new.exe
Filesize
87KB

MD5
d937a01ea0bd6d64bf218bf9f052601d

SHA1
e47417cb8773b13c66717cc3137bda4f919578b2

SHA256
8d2252827e127ba22c6645d57981a0556149255ec6b430582c02d9e6b8cb2adb

SHA512
b1d73cf9377f1dcb774bce9840fafe950e44ab3d39763c2a12c918fb8a0a8de463a24b127388b59dae5fedd1147387ee9b1d0d1fcc0451d16094495f8703c0cd

Download Submit
C:\Users\Admin\WaveInstaller.exe
Filesize
1.5MB

MD5
b075f4320e46d0d5e78a649e8ee011cc

SHA1
b0dd50171323f0f83dbea0340e9ed8cf44bea38e

SHA256
8581823244a50bbed9709d09f3eba29dd9989681d96bff2b6c19245053069feb

SHA512
e08024b5fa50dc344ca18413a6c21e0f20490c22c90c565d6f663014f1673643da1d5d748e0cefca8a7cbae91a62470289803ad588d3aa5cf3dc6292d7393d47

Download Submit
memory/60-0-0x00007FFB1AA53000-0x00007FFB1AA55000-memory.dmp

Filesize
8KB

Download
memory/60-1-0x0000000000AB0000-0x0000000000C8E000-memory.dmp

Filesize
1.9MB

Download
memory/1488-124-0x000000001BEE0000-0x000000001BEEE000-memory.dmp

Filesize
56KB

Download
memory/1488-177-0x000000001C9B0000-0x000000001C9BC000-memory.dmp

Filesize
48KB

Download
memory/1488-119-0x00007FFB1AA50000-0x00007FFB1B511000-memory.dmp

Filesize
10.8MB

Download
memory/1488-61-0x00000000005E0000-0x00000000005FC000-memory.dmp

Filesize
112KB

Download
memory/1488-121-0x000000001B2F0000-0x000000001B300000-memory.dmp

Filesize
64KB

Download
memory/1488-68-0x000000001B2F0000-0x000000001B300000-memory.dmp

Filesize
64KB

Download
memory/1488-62-0x00007FFB1AA50000-0x00007FFB1B511000-memory.dmp

Filesize
10.8MB

Download
memory/1616-66-0x000000000A130000-0x000000000A168000-memory.dmp

Filesize
224KB

Download
memory/1616-65-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/1616-64-0x0000000000BF0000-0x0000000000D82000-memory.dmp

Filesize
1.6MB

Download
memory/1616-63-0x0000000074AEE000-0x0000000074AEF000-memory.dmp

Filesize
4KB

Download
memory/1616-67-0x000000000A110000-0x000000000A11E000-memory.dmp

Filesize
56KB

Download
memory/1616-120-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/3932-144-0x0000000000B80000-0x0000000000B9C000-memory.dmp

Filesize
112KB

Download
memory/5092-78-0x000001DD4AF60000-0x000001DD4AF82000-memory.dmp

Filesize
136KB

Download