njrat | 9b33e4cbdb866cf26e5d30d6929b86f01b21eb9e78996237565ba1e088160893

Analysis

max time kernel
151s
max time network
124s
platform
windows7_x64
resource
win7v20201028
submitted
14-12-2020 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6aa41422717869166e3c3fca64a6282b.exe
Size

1.2MB
MD5

6aa41422717869166e3c3fca64a6282b
SHA1

cda8fe84bb2841ec7e541651411228e779a81696
SHA256

9b33e4cbdb866cf26e5d30d6929b86f01b21eb9e78996237565ba1e088160893
SHA512

48e25773818f13f14f4183af0273d9ffc2254801323d4351ce5843df2dba3e926c4acc52ede87e0952e7abea27d8199c18f5a73e3e1188451f45ffe24dfffeef

Score

10^/10

njrat lammer evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

magraotm.ddns.net:1177

Mutex

dd3191152a7e6633d26d1d8422e4e214

Attributes

reg_key
dd3191152a7e6633d26d1d8422e4e214
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

cfPT_launcher.exeLammer.exeexplorer.exe

pid process

612 cfPT_launcher.exe
1528 Lammer.exe
1752 explorer.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
612	cfPT_launcher.exe
1528	Lammer.exe
1752	explorer.exe

Drops startup file 2 IoCs

Processes:

explorer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dd3191152a7e6633d26d1d8422e4e214.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dd3191152a7e6633d26d1d8422e4e214.exe	explorer.exe

Loads dropped DLL 11 IoCs

Processes:

6aa41422717869166e3c3fca64a6282b.exeLammer.execfPT_launcher.exeexplorer.exe

pid	process
2004	6aa41422717869166e3c3fca64a6282b.exe
2004	6aa41422717869166e3c3fca64a6282b.exe
2004	6aa41422717869166e3c3fca64a6282b.exe
1528	Lammer.exe
1528	Lammer.exe
612	cfPT_launcher.exe
612	cfPT_launcher.exe
612	cfPT_launcher.exe
1528	Lammer.exe
1752	explorer.exe
1752	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\dd3191152a7e6633d26d1d8422e4e214 = "\"C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe\" .."	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dd3191152a7e6633d26d1d8422e4e214 = "\"C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe\" .."	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 45 IoCs

adware spyware

Modify Registry

T1112

Processes:

cfPT_launcher.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING \cfPT_launcher.exe = "1"	cfPT_launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT	cfPT_launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\z8games.com	cfPT_launcher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\br.crossfire.z8games.com\ = "18"	cfPT_launcher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\cfPT_launcher.exe = "11000"	cfPT_launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI	cfPT_launcher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\z8games.com\Total = "0"	cfPT_launcher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "18"	cfPT_launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	cfPT_launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	cfPT_launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS	cfPT_launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING	cfPT_launcher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM\cfPT_launcher.exe = "1"	cfPT_launcher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT\cfPT_launcher.exe = "0"	cfPT_launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage	cfPT_launcher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\z8games.com\Total = "18"	cfPT_launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT	cfPT_launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS	cfPT_launcher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\z8games.com\NumberOfSubdomains = "1"	cfPT_launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	cfPT_launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	cfPT_launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	cfPT_launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING	cfPT_launcher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT\cfPT_launcher.exe = "0"	cfPT_launcher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET\cfPT_launcher.exe = "1"	cfPT_launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	cfPT_launcher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\br.crossfire.z8games.com\ = "0"	cfPT_launcher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS\cfPT_launcher.exe = "1"	cfPT_launcher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE\cfPT_launcher.exe = "0"	cfPT_launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL	cfPT_launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET	cfPT_launcher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\cfPT_launcher.exe = "0"	cfPT_launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	cfPT_launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\br.crossfire.z8games.com	cfPT_launcher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI \cfPT_launcher.exe = "0"	cfPT_launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE	cfPT_launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS	cfPT_launcher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING\cfPT_launcher.exe = "0"	cfPT_launcher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL\cfPT_launcher.exe = "1"	cfPT_launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM	cfPT_launcher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	cfPT_launcher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\cfPT_launcher.exe = "1"	cfPT_launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION	cfPT_launcher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\cfPT_launcher.exe = "1"	cfPT_launcher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING\cfPT_launcher.exe = "1"	cfPT_launcher.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

cfPT_launcher.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB\Blob = 03000000010000001400000033e4e80807204c2b6182a3a14b591acd25b5f0db1400000001000000140000008d8c5ec454ad8ae177e99bf99b05e1b8018d61e1040000000100000010000000adab5c4df031fb9299f71ada7e18f6130f00000001000000300000008b612b2190a95b28b866b9be5d0b95f368c17534ab1da61a42dfb32766f9ae2908fe6bfd1669be140eddaf0d33e95235190000000100000010000000fc741b3b78cfb31e075744fe5d0eeb96180000000100000010000000ea6089055218053dd01e37e1d806eedf4b0000000100000044000000300037004300450046003200460036003500340045003300450044003600300035003000460046004300390042003600450042003800340034003200350030005f00000020000000010000001706000030820613308203fba00302010202107d5b5126b476ba11db74160bbc530da7300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3138313130323030303030305a170d3330313233313233353935395a30818f310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f726431183016060355040a130f5365637469676f204c696d69746564313730350603550403132e5365637469676f2052534120446f6d61696e2056616c69646174696f6e205365637572652053657276657220434130820122300d06092a864886f70d01010105000382010f003082010a0282010100d67333d6d73c20d000d21745b8d63e07a23fc741ee3230c9b06cfdf49fcb12980f2d3f8d4d010c820f177f622ee9b84879fb16834eadd7322593b707bfb9503fa94cc3402ae939ffd981ca1f163241da8026b9237a87201ee3ff209a3c95446f8775069040b4329316091008233ed2dd870f6f5d51146a0a69c54f017269cfd3934c6d04a0a31b827eb19ab9edc59ec537789f9a0834fb562e58c4090e06645bbc37dcf19f2868a856b092a35c9fbb8898081b241dab3085aeafb02e9e7a9dc1c0421ce202f0eae04ad2ef900eb4c14016f06f85424a64f7a430a0febf2ea3275a8e8b58b8adc319178463ed6f56fd83cb6034c474bee69ddbe1e4e5ca0c5f150203010001a382016e3082016a301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e041604148d8c5ec454ad8ae177e99bf99b05e1b8018d61e1300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b06010505070302301b0603551d200414301230060604551d20003008060667810c01020130500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f555345525472757374525341416464547275737443412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c0500038202010032bf61bd0e48c34fc7ba474df89c781901dc131d806ffcc370b4529a31339a5752fb319e6ba4ef54aa898d401768f811107cd2cab1f15586c7eeb3369186f63951bf46bf0fa0bab4f77e49c42a36179ee468397aaf944e566fb27b3bbf0a86bdcdc5771c03b838b1a21f5f7edb8adc4648b6680acfb2b5b4e234e467a93866095ed2b8fc9d283a174027c2724e29fd213c7ccf13fb962cc53144fd13edd59ba96968777ceee1ffa4f93638085339a284349c19f3be0eacd52437eb23a878d0d3e7ef924764623922efc6f711be2285c6664424268e10328dc893ae079e833e2fd9f9f5468e63bec1e6b4dca6cd21a8860a95d92e85261afdfcb1b657426d95d133f6391406824138f58f58dc805ba4d57d9578fda79bfffdc5a869ab26e7a7a405875ba9b7b8a3200b97a94585ddb38be589378e290dfc0617f638400e42e41206fb7bf3c6116862dfe398f413d8154f8bb169d91060bc642aea31b7e4b5a33a149b26e30b7bfd028eb699c138975936f6a874a286b65eebc664eacfa0a3f96e9eba2d11b6869808582dc9ac2564f25e75b438c1ae7f5a4683ea51cab6f19911356ba56a7bc600b0e7f8be64b2adc8c2f1ace351eaa493e079c8e18140c90a5be1123cc1602ae397c08942ca94cf46981269bb98d0c2d30d724b476ee593c43228638743e4b0323e0ad34bbf239b1429412b9a041f932df1c739483cad5a127f	cfPT_launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	cfPT_launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	cfPT_launcher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	cfPT_launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	cfPT_launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB	cfPT_launcher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	cfPT_launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	cfPT_launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	cfPT_launcher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	cfPT_launcher.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

explorer.exe

description	pid	process
Token: SeDebugPrivilege	1752	explorer.exe
Token: 33	1752	explorer.exe
Token: SeIncBasePriorityPrivilege	1752	explorer.exe
Token: 33	1752	explorer.exe
Token: SeIncBasePriorityPrivilege	1752	explorer.exe
Token: 33	1752	explorer.exe
Token: SeIncBasePriorityPrivilege	1752	explorer.exe
Token: 33	1752	explorer.exe
Token: SeIncBasePriorityPrivilege	1752	explorer.exe
Token: 33	1752	explorer.exe
Token: SeIncBasePriorityPrivilege	1752	explorer.exe
Token: 33	1752	explorer.exe
Token: SeIncBasePriorityPrivilege	1752	explorer.exe
Token: 33	1752	explorer.exe
Token: SeIncBasePriorityPrivilege	1752	explorer.exe
Token: 33	1752	explorer.exe
Token: SeIncBasePriorityPrivilege	1752	explorer.exe
Token: 33	1752	explorer.exe
Token: SeIncBasePriorityPrivilege	1752	explorer.exe
Token: 33	1752	explorer.exe
Token: SeIncBasePriorityPrivilege	1752	explorer.exe
Token: 33	1752	explorer.exe
Token: SeIncBasePriorityPrivilege	1752	explorer.exe
Token: 33	1752	explorer.exe
Token: SeIncBasePriorityPrivilege	1752	explorer.exe
Token: 33	1752	explorer.exe
Token: SeIncBasePriorityPrivilege	1752	explorer.exe
Token: 33	1752	explorer.exe
Token: SeIncBasePriorityPrivilege	1752	explorer.exe
Token: 33	1752	explorer.exe
Token: SeIncBasePriorityPrivilege	1752	explorer.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

6aa41422717869166e3c3fca64a6282b.execfPT_launcher.exe

pid process

2004 6aa41422717869166e3c3fca64a6282b.exe
612 cfPT_launcher.exe
612 cfPT_launcher.exe
612 cfPT_launcher.exe
612 cfPT_launcher.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

6aa41422717869166e3c3fca64a6282b.exeLammer.exeexplorer.exe

description	pid	process	target process
PID 2004 wrote to memory of 612	2004	6aa41422717869166e3c3fca64a6282b.exe	cfPT_launcher.exe
PID 2004 wrote to memory of 612	2004	6aa41422717869166e3c3fca64a6282b.exe	cfPT_launcher.exe
PID 2004 wrote to memory of 612	2004	6aa41422717869166e3c3fca64a6282b.exe	cfPT_launcher.exe
PID 2004 wrote to memory of 612	2004	6aa41422717869166e3c3fca64a6282b.exe	cfPT_launcher.exe
PID 2004 wrote to memory of 612	2004	6aa41422717869166e3c3fca64a6282b.exe	cfPT_launcher.exe
PID 2004 wrote to memory of 612	2004	6aa41422717869166e3c3fca64a6282b.exe	cfPT_launcher.exe
PID 2004 wrote to memory of 612	2004	6aa41422717869166e3c3fca64a6282b.exe	cfPT_launcher.exe
PID 2004 wrote to memory of 1528	2004	6aa41422717869166e3c3fca64a6282b.exe	Lammer.exe
PID 2004 wrote to memory of 1528	2004	6aa41422717869166e3c3fca64a6282b.exe	Lammer.exe
PID 2004 wrote to memory of 1528	2004	6aa41422717869166e3c3fca64a6282b.exe	Lammer.exe
PID 2004 wrote to memory of 1528	2004	6aa41422717869166e3c3fca64a6282b.exe	Lammer.exe
PID 2004 wrote to memory of 1528	2004	6aa41422717869166e3c3fca64a6282b.exe	Lammer.exe
PID 2004 wrote to memory of 1528	2004	6aa41422717869166e3c3fca64a6282b.exe	Lammer.exe
PID 2004 wrote to memory of 1528	2004	6aa41422717869166e3c3fca64a6282b.exe	Lammer.exe
PID 1528 wrote to memory of 1752	1528	Lammer.exe	explorer.exe
PID 1528 wrote to memory of 1752	1528	Lammer.exe	explorer.exe
PID 1528 wrote to memory of 1752	1528	Lammer.exe	explorer.exe
PID 1528 wrote to memory of 1752	1528	Lammer.exe	explorer.exe
PID 1528 wrote to memory of 1752	1528	Lammer.exe	explorer.exe
PID 1528 wrote to memory of 1752	1528	Lammer.exe	explorer.exe
PID 1528 wrote to memory of 1752	1528	Lammer.exe	explorer.exe
PID 1752 wrote to memory of 1512	1752	explorer.exe	netsh.exe
PID 1752 wrote to memory of 1512	1752	explorer.exe	netsh.exe
PID 1752 wrote to memory of 1512	1752	explorer.exe	netsh.exe
PID 1752 wrote to memory of 1512	1752	explorer.exe	netsh.exe
PID 1752 wrote to memory of 1512	1752	explorer.exe	netsh.exe
PID 1752 wrote to memory of 1512	1752	explorer.exe	netsh.exe
PID 1752 wrote to memory of 1512	1752	explorer.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\6aa41422717869166e3c3fca64a6282b.exe
"C:\Users\Admin\AppData\Local\Temp\6aa41422717869166e3c3fca64a6282b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\cfPT_launcher.exe
"C:\Users\Admin\AppData\Local\Temp\cfPT_launcher.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:612

C:\Users\Admin\AppData\Local\Temp\Lammer.exe
"C:\Users\Admin\AppData\Local\Temp\Lammer.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1528

C:\Users\Admin\AppData\Roaming\explorer.exe
"C:\Users\Admin\AppData\Roaming\explorer.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\explorer.exe" "explorer.exe" ENABLE
4⤵
PID:1512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Lammer.exe
MD5
ad08ade0dfb42053078f3cf19e7739e3

SHA1
8f132309aae086d4c19e7a1c1d49a67222bc2777

SHA256
7d2a1a56db084c60f9a611ebd33b021ea469e7e9696891608c45cf61939116bd

SHA512
6ca9c1dd53fab21a93882c326f378073ed884162e1dd8e8a9674c7993663c44e9a98b8a3129f1233d6db4f40e573b51772fef341afc086e6fb34829440199cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lammer.exe
MD5
ad08ade0dfb42053078f3cf19e7739e3

SHA1
8f132309aae086d4c19e7a1c1d49a67222bc2777

SHA256
7d2a1a56db084c60f9a611ebd33b021ea469e7e9696891608c45cf61939116bd

SHA512
6ca9c1dd53fab21a93882c326f378073ed884162e1dd8e8a9674c7993663c44e9a98b8a3129f1233d6db4f40e573b51772fef341afc086e6fb34829440199cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfPT_launcher.exe
MD5
cb1545a63ba5b93f8bf6d9953ad49f2e

SHA1
e98146a123498d431da88a84d8c4bff43849f86e

SHA256
c9d4e7af0f6a5c24c4617fdc35b56f147b11c85afc3f06c7d9dad105c274d104

SHA512
2e099a2bf75000029f08e37d6c95072b25c6506adf6415533d5759b152fbef481ca2f6027e55d24e07f808bc68099e9ba58d76ab585edb55c67735c55a64cb29

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfPT_launcher.exe
MD5
cb1545a63ba5b93f8bf6d9953ad49f2e

SHA1
e98146a123498d431da88a84d8c4bff43849f86e

SHA256
c9d4e7af0f6a5c24c4617fdc35b56f147b11c85afc3f06c7d9dad105c274d104

SHA512
2e099a2bf75000029f08e37d6c95072b25c6506adf6415533d5759b152fbef481ca2f6027e55d24e07f808bc68099e9ba58d76ab585edb55c67735c55a64cb29

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe
MD5
ad08ade0dfb42053078f3cf19e7739e3

SHA1
8f132309aae086d4c19e7a1c1d49a67222bc2777

SHA256
7d2a1a56db084c60f9a611ebd33b021ea469e7e9696891608c45cf61939116bd

SHA512
6ca9c1dd53fab21a93882c326f378073ed884162e1dd8e8a9674c7993663c44e9a98b8a3129f1233d6db4f40e573b51772fef341afc086e6fb34829440199cd1

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe
MD5
ad08ade0dfb42053078f3cf19e7739e3

SHA1
8f132309aae086d4c19e7a1c1d49a67222bc2777

SHA256
7d2a1a56db084c60f9a611ebd33b021ea469e7e9696891608c45cf61939116bd

SHA512
6ca9c1dd53fab21a93882c326f378073ed884162e1dd8e8a9674c7993663c44e9a98b8a3129f1233d6db4f40e573b51772fef341afc086e6fb34829440199cd1

Download Submit
\Users\Admin\AppData\Local\Temp\Lammer.exe
MD5
ad08ade0dfb42053078f3cf19e7739e3

SHA1
8f132309aae086d4c19e7a1c1d49a67222bc2777

SHA256
7d2a1a56db084c60f9a611ebd33b021ea469e7e9696891608c45cf61939116bd

SHA512
6ca9c1dd53fab21a93882c326f378073ed884162e1dd8e8a9674c7993663c44e9a98b8a3129f1233d6db4f40e573b51772fef341afc086e6fb34829440199cd1

Download Submit
\Users\Admin\AppData\Local\Temp\Lammer.exe
MD5
ad08ade0dfb42053078f3cf19e7739e3

SHA1
8f132309aae086d4c19e7a1c1d49a67222bc2777

SHA256
7d2a1a56db084c60f9a611ebd33b021ea469e7e9696891608c45cf61939116bd

SHA512
6ca9c1dd53fab21a93882c326f378073ed884162e1dd8e8a9674c7993663c44e9a98b8a3129f1233d6db4f40e573b51772fef341afc086e6fb34829440199cd1

Download Submit
\Users\Admin\AppData\Local\Temp\Lammer.exe
MD5
ad08ade0dfb42053078f3cf19e7739e3

SHA1
8f132309aae086d4c19e7a1c1d49a67222bc2777

SHA256
7d2a1a56db084c60f9a611ebd33b021ea469e7e9696891608c45cf61939116bd

SHA512
6ca9c1dd53fab21a93882c326f378073ed884162e1dd8e8a9674c7993663c44e9a98b8a3129f1233d6db4f40e573b51772fef341afc086e6fb34829440199cd1

Download Submit
\Users\Admin\AppData\Local\Temp\cfPT_launcher.exe
MD5
cb1545a63ba5b93f8bf6d9953ad49f2e

SHA1
e98146a123498d431da88a84d8c4bff43849f86e

SHA256
c9d4e7af0f6a5c24c4617fdc35b56f147b11c85afc3f06c7d9dad105c274d104

SHA512
2e099a2bf75000029f08e37d6c95072b25c6506adf6415533d5759b152fbef481ca2f6027e55d24e07f808bc68099e9ba58d76ab585edb55c67735c55a64cb29

Download Submit
\Users\Admin\AppData\Local\Temp\cfPT_launcher.exe
MD5
cb1545a63ba5b93f8bf6d9953ad49f2e

SHA1
e98146a123498d431da88a84d8c4bff43849f86e

SHA256
c9d4e7af0f6a5c24c4617fdc35b56f147b11c85afc3f06c7d9dad105c274d104

SHA512
2e099a2bf75000029f08e37d6c95072b25c6506adf6415533d5759b152fbef481ca2f6027e55d24e07f808bc68099e9ba58d76ab585edb55c67735c55a64cb29

Download Submit
\Users\Admin\AppData\Local\Temp\cfPT_launcher.exe
MD5
cb1545a63ba5b93f8bf6d9953ad49f2e

SHA1
e98146a123498d431da88a84d8c4bff43849f86e

SHA256
c9d4e7af0f6a5c24c4617fdc35b56f147b11c85afc3f06c7d9dad105c274d104

SHA512
2e099a2bf75000029f08e37d6c95072b25c6506adf6415533d5759b152fbef481ca2f6027e55d24e07f808bc68099e9ba58d76ab585edb55c67735c55a64cb29

Download Submit
\Users\Admin\AppData\Local\Temp\cfPT_launcher.exe
MD5
cb1545a63ba5b93f8bf6d9953ad49f2e

SHA1
e98146a123498d431da88a84d8c4bff43849f86e

SHA256
c9d4e7af0f6a5c24c4617fdc35b56f147b11c85afc3f06c7d9dad105c274d104

SHA512
2e099a2bf75000029f08e37d6c95072b25c6506adf6415533d5759b152fbef481ca2f6027e55d24e07f808bc68099e9ba58d76ab585edb55c67735c55a64cb29

Download Submit
\Users\Admin\AppData\Local\Temp\cfPT_launcher.exe
MD5
cb1545a63ba5b93f8bf6d9953ad49f2e

SHA1
e98146a123498d431da88a84d8c4bff43849f86e

SHA256
c9d4e7af0f6a5c24c4617fdc35b56f147b11c85afc3f06c7d9dad105c274d104

SHA512
2e099a2bf75000029f08e37d6c95072b25c6506adf6415533d5759b152fbef481ca2f6027e55d24e07f808bc68099e9ba58d76ab585edb55c67735c55a64cb29

Download Submit
\Users\Admin\AppData\Roaming\explorer.exe
MD5
ad08ade0dfb42053078f3cf19e7739e3

SHA1
8f132309aae086d4c19e7a1c1d49a67222bc2777

SHA256
7d2a1a56db084c60f9a611ebd33b021ea469e7e9696891608c45cf61939116bd

SHA512
6ca9c1dd53fab21a93882c326f378073ed884162e1dd8e8a9674c7993663c44e9a98b8a3129f1233d6db4f40e573b51772fef341afc086e6fb34829440199cd1

Download Submit
\Users\Admin\AppData\Roaming\explorer.exe
MD5
ad08ade0dfb42053078f3cf19e7739e3

SHA1
8f132309aae086d4c19e7a1c1d49a67222bc2777

SHA256
7d2a1a56db084c60f9a611ebd33b021ea469e7e9696891608c45cf61939116bd

SHA512
6ca9c1dd53fab21a93882c326f378073ed884162e1dd8e8a9674c7993663c44e9a98b8a3129f1233d6db4f40e573b51772fef341afc086e6fb34829440199cd1

Download Submit
\Users\Admin\AppData\Roaming\explorer.exe
MD5
ad08ade0dfb42053078f3cf19e7739e3

SHA1
8f132309aae086d4c19e7a1c1d49a67222bc2777

SHA256
7d2a1a56db084c60f9a611ebd33b021ea469e7e9696891608c45cf61939116bd

SHA512
6ca9c1dd53fab21a93882c326f378073ed884162e1dd8e8a9674c7993663c44e9a98b8a3129f1233d6db4f40e573b51772fef341afc086e6fb34829440199cd1

Download Submit
memory/612-6-0x0000000000000000-mapping.dmp

Download
memory/1512-27-0x0000000000000000-mapping.dmp

Download
memory/1528-9-0x0000000000000000-mapping.dmp

Download
memory/1728-18-0x000007FEF7B20000-0x000007FEF7D9A000-memory.dmp

Filesize
2.5MB

Download
memory/1752-21-0x0000000000000000-mapping.dmp

Download