Analysis
- max time kernel: 159s
- max time network: 192s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 24-09-2021 06:04
Static task: static1
Behavioral task: behavioral1
- Sample: 461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe
- Resource: win10-en-20210920
General
- Target: 461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe
- Size: 3.0MB
- MD5: 8a060daac1e73524a227875e5da6eb3d
- SHA1: 9cd8730422dc2553e028828feb370341da702061
- SHA256: 461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2
- SHA512: 9fee328d96c2c2df6bd9a37c835dd7272215f0952479d56f09d0371375bc758388c96a598319e6e11a3673e270738794177ef0ca9b8b817274b3d5d65eab0d87
Malware Config
Extracted
njrat
0.7d
HacKed
lightcf.ddns.net:1177
f20acdfb6b0a6c02ffcee135dec9d57c
-
reg_key
f20acdfb6b0a6c02ffcee135dec9d57c
-
splitter
|'|'|
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
1492 | Server.exe
1144 | jf_crazycf_1_4.exe
-
Modifies Windows Firewall 1 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | jf_crazycf_1_4.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | jf_crazycf_1_4.exe
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Wine | jf_crazycf_1_4.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid | process
1976 | 461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\f20acdfb6b0a6c02ffcee135dec9d57c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .." | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f20acdfb6b0a6c02ffcee135dec9d57c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .." | Server.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid | process
1144 | jf_crazycf_1_4.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
1144 | jf_crazycf_1_4.exe
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1144 | jf_crazycf_1_4.exe
Token: SeDebugPrivilege | 1492 | Server.exe
Token: 33 | 1492 | Server.exe
Token: SeIncBasePriorityPrivilege | 1492 | Server.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
1512 | iexplore.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
pid | process
1512 | iexplore.exe
784 | IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
description | pid | process | target process
PID 1976 wrote to memory of 1492 | 1976 | 461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe | Server.exe
PID 1976 wrote to memory of 1144 | 1976 | 461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe | jf_crazycf_1_4.exe
PID 1144 wrote to memory of 1512 | 1144 | jf_crazycf_1_4.exe | iexplore.exe
PID 1512 wrote to memory of 784 | 1512 | iexplore.exe | IEXPLORE.EXE
PID 1492 wrote to memory of 536 | 1492 | Server.exe | netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\Server.exe
  Command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
-
  C:\Users\Admin\AppData\Local\Temp\jf_crazycf_1_4.exe
  Command line: C:\Users\Admin\AppData\Local\Temp/jf_crazycf_1_4.exe
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
    C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.crazyfrost.com/
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
-
      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1512 CREDAT:275457 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads