461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2

General
Target: 461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe
Filesize: 3MB
Completed: 24-09-2021 06:07
Score: 10/10
MD5: 8a060daac1e73524a227875e5da6eb3d
SHA1: 9cd8730422dc2553e028828feb370341da702061
SHA256: 461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2

Malware Config

Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: lightcf.ddns.net:1177

Attributes
reg_key: f20acdfb6b0a6c02ffcee135dec9d57c
splitter: |'|'|
Signatures 17


Tactics: Defense Evasion, Discovery, Persistence

  • njRAT/Bladabindi

    Description: Widely used RAT written in .NET.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    TTPs: Query Registry, Virtualization/Sandbox Evasion
  • Executes dropped EXE
    Server.exe, jf_crazycf_1_4.exe

    Reported IOCs

    pid | process
    2196 | Server.exe
    1868 | jf_crazycf_1_4.exe
  • Modifies Windows Firewall

    TTPs: Modify Existing Service
  • Checks BIOS information in registry
    jf_crazycf_1_4.exe

    Description: BIOS information is often read in order to detect sandboxing environments.

    TTPs: Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | jf_crazycf_1_4.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | jf_crazycf_1_4.exe
  • Checks computer location settings
    jf_crazycf_1_4.exe

    Description: Looks up country code configured in the registry, likely geofence.

    TTPs: Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | jf_crazycf_1_4.exe
  • Identifies Wine through registry keys
    jf_crazycf_1_4.exe

    Description: Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    TTPs: Query Registry, Virtualization/Sandbox Evasion

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Wine | jf_crazycf_1_4.exe
  • Adds Run key to start application
    Server.exe

    TTPs: Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\f20acdfb6b0a6c02ffcee135dec9d57c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .." | Server.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\f20acdfb6b0a6c02ffcee135dec9d57c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .." | Server.exe
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    jf_crazycf_1_4.exe

    Reported IOCs

    pid | process
    1868 | jf_crazycf_1_4.exe
  • Drops file in Windows directory
    MicrosoftEdge.exe, MicrosoftEdgeCP.exe, MicrosoftEdgeCP.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | MicrosoftEdge.exe
    File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
    File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | MicrosoftEdgeCP.exe
    File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | MicrosoftEdgeCP.exe
  • Modifies Internet Explorer settings
    MicrosoftEdge.exe, browser_broker.exe, MicrosoftEdgeCP.exe

    TTPs: Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdge.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
  • Modifies registry class
    MicrosoftEdgeCP.exe, MicrosoftEdge.exe, MicrosoftEdgeCP.exe, MicrosoftEdgeCP.exe, MicrosoftEdgeCP.exe

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings | MicrosoftEdgeCP.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder | MicrosoftEdge.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix | MicrosoftEdgeCP.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000 | MicrosoftEdge.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "t8u9ftp" | MicrosoftEdge.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root | MicrosoftEdge.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1" | MicrosoftEdge.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration | MicrosoftEdge.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | MicrosoftEdgeCP.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "339236644" | MicrosoftEdge.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\Certificates | MicrosoftEdge.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU | MicrosoftEdge.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1" | MicrosoftEdgeCP.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache | MicrosoftEdgeCP.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing | MicrosoftEdgeCP.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 010000004a708560e4f547a12c914e1b873b00402ac88a02387e3c2e1948a3017f26ab3253d7ce51cfe0e18144709e1ccebd5511d9e19bd3d5514a9d936d13f242d5cdeb2e6bedb0b744f03faae4b4e086dacd2b55559ce55c213d2e9bdc | MicrosoftEdge.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" | MicrosoftEdge.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration | MicrosoftEdge.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4 | MicrosoftEdge.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing | MicrosoftEdgeCP.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | MicrosoftEdge.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData | MicrosoftEdge.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1" | MicrosoftEdge.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" | MicrosoftEdgeCP.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0" | MicrosoftEdge.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" | MicrosoftEdgeCP.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople | MicrosoftEdge.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates\83DA05A9886F7658 = (value removed in source) | (process name truncated in source: ".exe")
    Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberComplete = "1" | MicrosoftEdge.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore | MicrosoftEdge.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" | MicrosoftEdgeCP.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache | MicrosoftEdgeCP.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = 10b8fe803cb1d701 | MicrosoftEdge.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063" | MicrosoftEdge.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1" | MicrosoftEdge.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs | MicrosoftEdge.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore | MicrosoftEdge.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" | MicrosoftEdgeCP.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511" | MicrosoftEdge.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0" | MicrosoftEdge.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge | MicrosoftEdgeCP.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0" | MicrosoftEdge.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" | MicrosoftEdgeCP.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar | MicrosoftEdge.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser | MicrosoftEdge.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "5" | MicrosoftEdge.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 | MicrosoftEdgeCP.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs | MicrosoftEdge.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | MicrosoftEdge.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1" | MicrosoftEdge.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming | MicrosoftEdge.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage | MicrosoftEdge.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0" | MicrosoftEdge.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405" | MicrosoftEdge.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1" | MicrosoftEdge.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry | MicrosoftEdge.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Discuz! | MicrosoftEdge.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration | MicrosoftEdge.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus | MicrosoftEdgeCP.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate | MicrosoftEdge.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus | MicrosoftEdgeCP.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "339270741" | MicrosoftEdge.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath | MicrosoftEdge.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/" | MicrosoftEdge.exe
  • Suspicious behavior: EnumeratesProcesses
    jf_crazycf_1_4.exe

    Reported IOCs

    pid | process
    1868 | jf_crazycf_1_4.exe (this pid/process pair is reported 64 times)
  • Suspicious behavior: MapViewOfSection
    MicrosoftEdgeCP.exe

    Reported IOCs

    pid | process
    1316 | MicrosoftEdgeCP.exe
    1316 | MicrosoftEdgeCP.exe
  • Suspicious use of AdjustPrivilegeToken
    jf_crazycf_1_4.exe, MicrosoftEdge.exe, MicrosoftEdgeCP.exe, Server.exe, MicrosoftEdgeCP.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1868 | jf_crazycf_1_4.exe
    Token: SeDebugPrivilege | 1868 | jf_crazycf_1_4.exe
    Token: SeDebugPrivilege | 4508 | MicrosoftEdge.exe
    Token: SeDebugPrivilege | 4508 | MicrosoftEdge.exe
    Token: SeDebugPrivilege | 4508 | MicrosoftEdge.exe
    Token: SeDebugPrivilege | 4508 | MicrosoftEdge.exe
    Token: SeDebugPrivilege | 1716 | MicrosoftEdgeCP.exe
    Token: SeDebugPrivilege | 1716 | MicrosoftEdgeCP.exe
    Token: SeDebugPrivilege | 1716 | MicrosoftEdgeCP.exe
    Token: SeDebugPrivilege | 1716 | MicrosoftEdgeCP.exe
    Token: SeDebugPrivilege | 2196 | Server.exe
    Token: 33 | 2196 | Server.exe
    Token: SeIncBasePriorityPrivilege | 2196 | Server.exe
    Token: 33 | 2196 | Server.exe
    Token: SeIncBasePriorityPrivilege | 2196 | Server.exe
    Token: 33 | 2196 | Server.exe
    Token: SeIncBasePriorityPrivilege | 2196 | Server.exe
    Token: 33 | 2196 | Server.exe
    Token: SeIncBasePriorityPrivilege | 2196 | Server.exe
    Token: 33 | 2196 | Server.exe
    Token: SeIncBasePriorityPrivilege | 2196 | Server.exe
    Token: SeDebugPrivilege | 4812 | MicrosoftEdgeCP.exe
    Token: SeDebugPrivilege | 4812 | MicrosoftEdgeCP.exe
    Token: 33 | 2196 | Server.exe
    Token: SeIncBasePriorityPrivilege | 2196 | Server.exe
    Token: 33 | 2196 | Server.exe
    Token: SeIncBasePriorityPrivilege | 2196 | Server.exe
    Token: 33 | 2196 | Server.exe
    Token: SeIncBasePriorityPrivilege | 2196 | Server.exe
    Token: 33 | 2196 | Server.exe
    Token: SeIncBasePriorityPrivilege | 2196 | Server.exe
    Token: 33 | 2196 | Server.exe
    Token: SeIncBasePriorityPrivilege | 2196 | Server.exe
    Token: 33 | 2196 | Server.exe
    Token: SeIncBasePriorityPrivilege | 2196 | Server.exe
    Token: 33 | 2196 | Server.exe
    Token: SeIncBasePriorityPrivilege | 2196 | Server.exe
    Token: 33 | 2196 | Server.exe
    Token: SeIncBasePriorityPrivilege | 2196 | Server.exe
    Token: 33 | 2196 | Server.exe
    Token: SeIncBasePriorityPrivilege | 2196 | Server.exe
    Token: 33 | 2196 | Server.exe
    Token: SeIncBasePriorityPrivilege | 2196 | Server.exe
    Token: 33 | 2196 | Server.exe
    Token: SeIncBasePriorityPrivilege | 2196 | Server.exe
    Token: 33 | 2196 | Server.exe
    Token: SeIncBasePriorityPrivilege | 2196 | Server.exe
  • Suspicious use of SetWindowsHookEx
    MicrosoftEdge.exe, MicrosoftEdgeCP.exe

    Reported IOCs

    pid | process
    4508 | MicrosoftEdge.exe
    1316 | MicrosoftEdgeCP.exe
    1316 | MicrosoftEdgeCP.exe
  • Suspicious use of WriteProcessMemory
    461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe, Server.exe, MicrosoftEdgeCP.exe

    Reported IOCs

    description | pid | process | target process
    PID 3688 wrote to memory of 2196 | 3688 | 461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe | Server.exe
    PID 3688 wrote to memory of 2196 | 3688 | 461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe | Server.exe
    PID 3688 wrote to memory of 2196 | 3688 | 461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe | Server.exe
    PID 3688 wrote to memory of 1868 | 3688 | 461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe | jf_crazycf_1_4.exe
    PID 3688 wrote to memory of 1868 | 3688 | 461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe | jf_crazycf_1_4.exe
    PID 3688 wrote to memory of 1868 | 3688 | 461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe | jf_crazycf_1_4.exe
    PID 2196 wrote to memory of 4412 | 2196 | Server.exe | netsh.exe
    PID 2196 wrote to memory of 4412 | 2196 | Server.exe | netsh.exe
    PID 2196 wrote to memory of 4412 | 2196 | Server.exe | netsh.exe
    PID 1316 wrote to memory of 4220 | 1316 | MicrosoftEdgeCP.exe | MicrosoftEdgeCP.exe
    PID 1316 wrote to memory of 4220 | 1316 | MicrosoftEdgeCP.exe | MicrosoftEdgeCP.exe
    PID 1316 wrote to memory of 4220 | 1316 | MicrosoftEdgeCP.exe | MicrosoftEdgeCP.exe
    PID 1316 wrote to memory of 4220 | 1316 | MicrosoftEdgeCP.exe | MicrosoftEdgeCP.exe
Processes 11
  • C:\Users\Admin\AppData\Local\Temp\461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe
    "C:\Users\Admin\AppData\Local\Temp\461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe"
    Suspicious use of WriteProcessMemory
    PID:3688
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      C:\Users\Admin\AppData\Local\Temp/Server.exe
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2196
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
        PID:4412
    • C:\Users\Admin\AppData\Local\Temp\jf_crazycf_1_4.exe
      C:\Users\Admin\AppData\Local\Temp/jf_crazycf_1_4.exe
      Executes dropped EXE
      Checks BIOS information in registry
      Checks computer location settings
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1868
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    Drops file in Windows directory
    Modifies Internet Explorer settings
    Modifies registry class
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of SetWindowsHookEx
    PID:4508
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    Modifies Internet Explorer settings
    PID:3140
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    Suspicious behavior: MapViewOfSection
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1316
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    Drops file in Windows directory
    Modifies Internet Explorer settings
    Modifies registry class
    Suspicious use of AdjustPrivilegeToken
    PID:1716
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    Modifies registry class
    PID:3836
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    Drops file in Windows directory
    Modifies registry class
    PID:4220
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    Modifies registry class
    Suspicious use of AdjustPrivilegeToken
    PID:4812
Network
Downloads
  • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2274612954.pri
    MD5: 0db264b38ac3c5f6c140ba120a7fe72f
    SHA1: 51aa2330c597e84ed3b0d64bf6b73bf6b15f9d74
    SHA256: 2f6955b0f5277a7904c59e461bfa6b06c54fece0d7c11f27408fa7a281a4556d
    SHA512: 3534c243516cef5cee0540d5efd5cde1f378e127e6013b5e309a2e0be8393417bfe458706564b4b955f92132a51e2772c67f9fd90441476cc3512a5d9f910d84

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    MD5: a0d11518eee518a2d24ba47c2b6e8770
    SHA1: ab07ca56c9304ecb7fc81f7f8a366c71a0d47293
    SHA256: a53ae4524bcf01097019dce7a4b31c970d9734da90bf6c7de65420b30e9c849c
    SHA512: d30d8a66e294df7da207c1fc8970b56900e62d8592254a5f3e7a06c62054f78008b8d20e6944abd219f4a97b44f66172eab92f99b2228502157728431f5cdcf4

• C:\Users\Admin\AppData\Local\Temp\jf_crazycf_1_4.exe
  MD5:    46191543960191df082176d7ee9e1466
  SHA1:   3c40d877d92ee5b44f5ed1df2d383db19c929380
  SHA256: 7978aafb1f8aae0906ca62ff938226711e08dcccc8727f718e49d13aaf6ce220
  SHA512: 4d677f20f5da2f06d31afa71f47a8594508cef6ba7fb5ba8c80a59e33ba06bfc4e6a2a0a193840ee83919074bd2c54db23350de2ffef20114928be5d37cb2084

Memory dumps
• memory/1868-130-0x0000000004990000-0x0000000004991000-memory.dmp
• memory/1868-143-0x0000000007158000-0x000000000715A000-memory.dmp
• memory/1868-122-0x0000000007160000-0x00000000071E6000-memory.dmp
• memory/1868-124-0x0000000000400000-0x00000000008A6000-memory.dmp
• memory/1868-123-0x0000000077A00000-0x0000000077B8E000-memory.dmp
• memory/1868-125-0x00000000049D0000-0x00000000049D1000-memory.dmp
• memory/1868-126-0x00000000049A0000-0x00000000049A1000-memory.dmp
• memory/1868-127-0x00000000049B0000-0x00000000049B1000-memory.dmp
• memory/1868-128-0x00000000049C0000-0x00000000049C1000-memory.dmp
• memory/1868-129-0x0000000004970000-0x0000000004971000-memory.dmp
• memory/1868-118-0x0000000000000000-mapping.dmp
• memory/1868-131-0x0000000004980000-0x0000000004981000-memory.dmp
• memory/1868-132-0x0000000007150000-0x0000000007151000-memory.dmp
• memory/1868-133-0x00000000070C0000-0x0000000007145000-memory.dmp
• memory/1868-134-0x0000000007152000-0x0000000007153000-memory.dmp
• memory/1868-135-0x0000000007153000-0x0000000007154000-memory.dmp
• memory/1868-136-0x00000000071F0000-0x00000000071F1000-memory.dmp
• memory/1868-137-0x0000000007740000-0x0000000007741000-memory.dmp
• memory/1868-139-0x0000000004F90000-0x0000000004F91000-memory.dmp
• memory/1868-138-0x0000000007154000-0x0000000007156000-memory.dmp
• memory/1868-140-0x0000000007910000-0x0000000007911000-memory.dmp
• memory/1868-142-0x0000000008770000-0x00000000087CE000-memory.dmp
• memory/2196-121-0x0000000002C50000-0x0000000002C51000-memory.dmp
• memory/2196-115-0x0000000000000000-mapping.dmp
• memory/4412-141-0x0000000000000000-mapping.dmp