Analysis
- max time kernel: 152s
- max time network: 153s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 18-10-2021 10:00
Static task: static1
Behavioral tasks (task | sample | resource):
behavioral1 | Woxy 3.0 [Crack.sx]/BouncyCastle.Crypto.dll | win7-en-20210920
behavioral2 | Woxy 3.0 [Crack.sx]/BouncyCastle.Crypto.dll | win10-en-20210920
behavioral3 | Woxy 3.0 [Crack.sx]/Colorful.Console.dll | win7-en-20211014
behavioral4 | Woxy 3.0 [Crack.sx]/Colorful.Console.dll | win10-en-20210920
behavioral5 | Woxy 3.0 [Crack.sx]/ConsoleTables.dll | win7-en-20211014
behavioral6 | Woxy 3.0 [Crack.sx]/ConsoleTables.dll | win10-en-20210920
behavioral7 | Woxy 3.0 [Crack.sx]/MailKit.dll | win7-en-20211014
behavioral8 | Woxy 3.0 [Crack.sx]/MailKit.dll | win10-en-20210920
behavioral9 | Woxy 3.0 [Crack.sx]/MimeKit.dll | win7-en-20210920
behavioral10 | Woxy 3.0 [Crack.sx]/MimeKit.dll | win10-en-20211014
behavioral11 | Woxy 3.0 [Crack.sx]/Newtonsoft.Json.dll | win7-en-20210920
behavioral12 | Woxy 3.0 [Crack.sx]/Newtonsoft.Json.dll | win10-en-20211014
behavioral13 | Woxy 3.0 [Crack.sx]/Woxy 3.0 [Crack.sx].exe | win7-en-20210920
General
- Target: Woxy 3.0 [Crack.sx]/Woxy 3.0 [Crack.sx].exe
- Size: 776KB
- MD5: 5afd70d54cc4af7f236894d674842493
- SHA1: 6565657adebd3063ba85886e551e551b0bbd6fdb
- SHA256: 8b79e79f75578ab62d83e89b6bfaf5404fa868041b880995579f3cd6ae6f995e
- SHA512: 6fa7daafcd661d873bae7e092fab5c89f8a56978003d31b3b91eabc735e50ecc01b8e90f90fbcec193c0656f134b6ce69c98825cfbaeaa07a536ddc5eea641fa
Malware Config
Extracted
njrat
Carbonblack2102
batvoi
1368.vnh.wtf:5552
0de45b5c6627a3e65a4b2a1e68ec841b
- reg_key: 0de45b5c6627a3e65a4b2a1e68ec841b
- splitter: |'|'|
Signatures
- Taurus Stealer Payload (6 IoCs)
  resource | yara_rule
  behavioral13/memory/848-100-0x0000000000400000-0x0000000000437000-memory.dmp | family_taurus_stealer
  behavioral13/memory/848-101-0x0000000000400000-0x0000000000437000-memory.dmp | family_taurus_stealer
  behavioral13/memory/848-102-0x0000000000400000-0x0000000000437000-memory.dmp | family_taurus_stealer
  behavioral13/memory/848-103-0x0000000000400000-0x0000000000437000-memory.dmp | family_taurus_stealer
  behavioral13/memory/848-104-0x000000000041CEE8-mapping.dmp | family_taurus_stealer
  behavioral13/memory/848-106-0x0000000000400000-0x0000000000437000-memory.dmp | family_taurus_stealer
- Executes dropped EXE (4 IoCs)
  pid | process
  1776 | WMI PERFORMANCE REVERSE ADAPTER.EXE
  664 | WMI PERFORMANCE REVERSE ADPIRE.EXE
  1196 | WOXY 3.0 [CRACK.SX].EXE
  1940 | WMI Performance Reverse Adapters.exe
- Modifies Windows Firewall (1 TTPs)
- Drops startup file (2 IoCs)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0de45b5c6627a3e65a4b2a1e68ec841b.exe | WMI Performance Reverse Adapters.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0de45b5c6627a3e65a4b2a1e68ec841b.exe | WMI Performance Reverse Adapters.exe
- Loads dropped DLL (9 IoCs)
  pid | process
  1356 | Woxy 3.0 [Crack.sx].exe
  1416 | WerFault.exe
  1776 | WMI PERFORMANCE REVERSE ADAPTER.EXE
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\0de45b5c6627a3e65a4b2a1e68ec841b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WMI Performance Reverse Adapters.exe\" .." | WMI Performance Reverse Adapters.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\0de45b5c6627a3e65a4b2a1e68ec841b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WMI Performance Reverse Adapters.exe\" .." | WMI Performance Reverse Adapters.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | process | target process
  PID 664 set thread context of 848 | 664 | WMI PERFORMANCE REVERSE ADPIRE.EXE | mscorsvw.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  pid | pid_target | process | target process
  1416 | 1196 | WerFault.exe | WOXY 3.0 [CRACK.SX].EXE
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid | process
  1416 | WerFault.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | process
  1416 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 664 | WMI PERFORMANCE REVERSE ADPIRE.EXE
  Token: SeDebugPrivilege | 1416 | WerFault.exe
  Token: SeDebugPrivilege | 1940 | WMI Performance Reverse Adapters.exe
  Token: 33 | 1940 | WMI Performance Reverse Adapters.exe
  Token: SeIncBasePriorityPrivilege | 1940 | WMI Performance Reverse Adapters.exe
- Suspicious use of WriteProcessMemory (34 IoCs)
  description | pid | process | target process
  PID 1356 wrote to memory of 1776 | 1356 | Woxy 3.0 [Crack.sx].exe | WMI PERFORMANCE REVERSE ADAPTER.EXE
  PID 1356 wrote to memory of 664 | 1356 | Woxy 3.0 [Crack.sx].exe | WMI PERFORMANCE REVERSE ADPIRE.EXE
  PID 1356 wrote to memory of 1196 | 1356 | Woxy 3.0 [Crack.sx].exe | WOXY 3.0 [CRACK.SX].EXE
  PID 1196 wrote to memory of 1416 | 1196 | WOXY 3.0 [CRACK.SX].EXE | WerFault.exe
  PID 1776 wrote to memory of 1940 | 1776 | WMI PERFORMANCE REVERSE ADAPTER.EXE | WMI Performance Reverse Adapters.exe
  PID 1940 wrote to memory of 1936 | 1940 | WMI Performance Reverse Adapters.exe | netsh.exe
  PID 664 wrote to memory of 848 | 664 | WMI PERFORMANCE REVERSE ADPIRE.EXE | mscorsvw.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Woxy 3.0 [Crack.sx]\Woxy 3.0 [Crack.sx].exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Woxy 3.0 [Crack.sx]\Woxy 3.0 [Crack.sx].exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\WMI PERFORMANCE REVERSE ADAPTER.EXE
    Command line: "C:\Users\Admin\AppData\Local\Temp\WMI PERFORMANCE REVERSE ADAPTER.EXE"
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\WMI Performance Reverse Adapters.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\WMI Performance Reverse Adapters.exe"
      Signatures: Executes dropped EXE; Drops startup file; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\WMI Performance Reverse Adapters.exe" "WMI Performance Reverse Adapters.exe" ENABLE
  - C:\Users\Admin\AppData\Local\Temp\WMI PERFORMANCE REVERSE ADPIRE.EXE
    Command line: "C:\Users\Admin\AppData\Local\Temp\WMI PERFORMANCE REVERSE ADPIRE.EXE"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
  - C:\Users\Admin\AppData\Local\Temp\WOXY 3.0 [CRACK.SX].EXE
    Command line: "C:\Users\Admin\AppData\Local\Temp\WOXY 3.0 [CRACK.SX].EXE"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 596
      Signatures: Loads dropped DLL; Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken