Analysis
-
max time kernel
181s -
max time network
183s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system -
submitted
28-11-2022 04:28
Static task
static1
Behavioral task
behavioral1
Sample
321c9ef63499b2134b32bdbb53fc0aaf917ae0e587aab872e4ad926ca8066c81.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
321c9ef63499b2134b32bdbb53fc0aaf917ae0e587aab872e4ad926ca8066c81.exe
Resource
win10v2004-20220901-en
General
-
Target
321c9ef63499b2134b32bdbb53fc0aaf917ae0e587aab872e4ad926ca8066c81.exe
-
Size
172KB
-
MD5
c517194ef951573907186b800ea321c0
-
SHA1
1feb029d3c69d69958b317f8763fdb65d9b2df4d
-
SHA256
321c9ef63499b2134b32bdbb53fc0aaf917ae0e587aab872e4ad926ca8066c81
-
SHA512
e8925698d7e32fac5b55fe98d7929a40be08b5cb31dac065cdfa8b65016f64eaef4aa6aa774b9ca733f1c72eabac4b6c87e6cd00c063a51d7e78d7a1651d3057
-
SSDEEP
3072:vwHteez3OtcHeZePIv9FTAxd8uGEnIB6P7K0Q0cNVB81VYrc0t1PbvN8KgCLn2J:/ez3OkkBVFTehI87d0WkBbv12J
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
Processes:
pid 516, process hfweyjs.exe
pid 1276, process hfweyjs.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid 2032, process 321c9ef63499b2134b32bdbb53fc0aaf917ae0e587aab872e4ad926ca8066c81.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*svv_e = "C:\\Users\\Admin\\AppData\\Roaming\\hfweyjs.exe" (process: hfweyjs.exe)
Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (process: hfweyjs.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svv_e = "C:\\Users\\Admin\\AppData\\Roaming\\hfweyjs.exe" (process: hfweyjs.exe)
Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce (process: hfweyjs.exe)
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 3, ioc ipinfo.io
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
PID 2040 set thread context of 2032 (pid 2040, process 321c9ef63499b2134b32bdbb53fc0aaf917ae0e587aab872e4ad926ca8066c81.exe, target process 321c9ef63499b2134b32bdbb53fc0aaf917ae0e587aab872e4ad926ca8066c81.exe)
PID 516 set thread context of 1276 (pid 516, process hfweyjs.exe, target process hfweyjs.exe)
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid 1352, process vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid 1276, process hfweyjs.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
Token: SeDebugPrivilege, pid 2032, process 321c9ef63499b2134b32bdbb53fc0aaf917ae0e587aab872e4ad926ca8066c81.exe
Token: SeDebugPrivilege, pid 1276, process hfweyjs.exe
Token: SeBackupPrivilege, pid 1780, process vssvc.exe
Token: SeRestorePrivilege, pid 1780, process vssvc.exe
Token: SeAuditPrivilege, pid 1780, process vssvc.exe
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
PID 2040 wrote to memory of 2032 (pid 2040, process 321c9ef63499b2134b32bdbb53fc0aaf917ae0e587aab872e4ad926ca8066c81.exe, target process 321c9ef63499b2134b32bdbb53fc0aaf917ae0e587aab872e4ad926ca8066c81.exe)
PID 2032 wrote to memory of 516 (pid 2032, process 321c9ef63499b2134b32bdbb53fc0aaf917ae0e587aab872e4ad926ca8066c81.exe, target process hfweyjs.exe)
PID 516 wrote to memory of 1276 (pid 516, process hfweyjs.exe, target process hfweyjs.exe)
PID 2032 wrote to memory of 760 (pid 2032, process 321c9ef63499b2134b32bdbb53fc0aaf917ae0e587aab872e4ad926ca8066c81.exe, target process cmd.exe)
PID 1276 wrote to memory of 1352 (pid 1276, process hfweyjs.exe, target process vssadmin.exe)
Processes
-
C:\Users\Admin\AppData\Local\Temp\321c9ef63499b2134b32bdbb53fc0aaf917ae0e587aab872e4ad926ca8066c81.exe
"C:\Users\Admin\AppData\Local\Temp\321c9ef63499b2134b32bdbb53fc0aaf917ae0e587aab872e4ad926ca8066c81.exe" 1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\321c9ef63499b2134b32bdbb53fc0aaf917ae0e587aab872e4ad926ca8066c81.exe
C:\Users\Admin\AppData\Local\Temp\321c9ef63499b2134b32bdbb53fc0aaf917ae0e587aab872e4ad926ca8066c81.exe 2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\hfweyjs.exe
C:\Users\Admin\AppData\Roaming\hfweyjs.exe 3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\hfweyjs.exe
C:\Users\Admin\AppData\Roaming\hfweyjs.exe 4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet 5⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\321C9E~1.EXE >> NUL 3⤵
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe 1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\hfweyjs.exe
Filesize
172KB
MD5
c517194ef951573907186b800ea321c0
SHA1
1feb029d3c69d69958b317f8763fdb65d9b2df4d
SHA256
321c9ef63499b2134b32bdbb53fc0aaf917ae0e587aab872e4ad926ca8066c81
SHA512
e8925698d7e32fac5b55fe98d7929a40be08b5cb31dac065cdfa8b65016f64eaef4aa6aa774b9ca733f1c72eabac4b6c87e6cd00c063a51d7e78d7a1651d3057