ardamax | 5f18bb0f631ece3d136c9c88b3c61df50dc8b9dac39babd0c7ee178f4b591eae

Analysis

max time kernel
140s
max time network
130s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VIP Forum.exe
Size

1.1MB
MD5

162c35f014cea15fc17213ec5d8a0b60
SHA1

df9a5575d5859a9327afe825ea6872dd04647fdf
SHA256

b8dfba0af9b771758e4327ccca83dc76e1708d7e7930437502eb4d813e619f12
SHA512

0aa6a09655e5a7eec90bdba3cced5ec129baf58d1c0de8ce0e77fb3b3b2648ff55934739e24cd2dd6aa469e5f18177deddb0ddc6a1d4d14822431bb78c107b36
SSDEEP

24576:KkQ0C7B36r7vtAfEPCp6iCXGJjYoFt7AsrFwlcVq2ULMH:K5BKdAcySXGzFNAMmcpULMH

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral3/files/0x0006000000016dc8-9.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2560	MKMP.exe
2152	Snuterz.exe

Loads dropped DLL 11 IoCs

pid	Process
1692	VIP Forum.exe
1692	VIP Forum.exe
1692	VIP Forum.exe
1692	VIP Forum.exe
2560	MKMP.exe
2152	Snuterz.exe
2560	MKMP.exe
2152	Snuterz.exe
2152	Snuterz.exe
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MKMP Agent = "C:\\Windows\\SysWOW64\\28463\\MKMP.exe"	MKMP.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\MKMP.006	VIP Forum.exe
File created	C:\Windows\SysWOW64\28463\MKMP.007	VIP Forum.exe
File created	C:\Windows\SysWOW64\28463\MKMP.exe	VIP Forum.exe
File created	C:\Windows\SysWOW64\28463\key.bin	VIP Forum.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	VIP Forum.exe
File opened for modification	C:\Windows\SysWOW64\28463	MKMP.exe
File created	C:\Windows\SysWOW64\28463\MKMP.001	VIP Forum.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VIP Forum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MKMP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Snuterz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e1c4d4a7885794291b78de8e6dfadfd000000000200000000001066000000010000200000002d52d9ad17eef34ad8f6a8df624c2b8eaa8b8eb157f8dd101875d68899e4d585000000000e8000000002000020000000f1a28c1b1a2b7f79e88930818feae3be2d21ee668e878fc63c0107fddbd72d3320000000f04979faab094a82741176b38c9198810cf4876bcf97f0c4d7090048fede01624000000022aa83f5becd3cc324896497a854b353154430b8cb1878719691abc05e87cf224bc5f068c7473d59d92408646f00841a1da2c92a3f51afd21b2a3117a174d74b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20109e211bf5da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430551816"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4A509C41-610E-11EF-ABC7-72E825B5BD5B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e1c4d4a7885794291b78de8e6dfadfd00000000020000000000106600000001000020000000c5243c6bc8a9971f4b5c0bbab49fd13106c5796a73cefc1b0f4b410c3d972da1000000000e800000000200002000000056494a44ed0624378dbd7ecf628b6478faf51e3bf311bbb7b8c50df918a935f490000000f1971415d529ff6dafdf1787d6b9addd9fa7e7685bb1c6524e778ede37e8f81e525ca7d2f4e1d09642a06c4d5210d3ab3f9ca537f5a19e6ef1f989dd0a9fb4eb736189920eceb293534260cb6703751fe4c94b1e51d9e8adecd3ab99bf60876f203f11ec7cf9e6495aa8f8220f2221383cece27f8baf96f68ca4f7ffdfb7d455d9818ce3f62308d5c666636919e9b10940000000573a17e85802e48e7536682feed25449a49769aeeb032bcda956800d9c5a772672dfb77f5233cbb9040b89e36f4a79acb71fa1c402f25db3882fbfd168a8bdb6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Modifies registry class 29 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4A0BAA7F-8AE7-1897-FE4B-0B559B598914}\1.0\	MKMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4A0BAA7F-8AE7-1897-FE4B-0B559B598914}\1.0\0\	MKMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4A0BAA7F-8AE7-1897-FE4B-0B559B598914}\1.0\0\win64\	MKMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C94BD3D2-68DA-49CB-1EB2-80497F102965}\InprocServer32\	MKMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C94BD3D2-68DA-49CB-1EB2-80497F102965}\ProgID\	MKMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4A0BAA7F-8AE7-1897-FE4B-0B559B598914}\	MKMP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4A0BAA7F-8AE7-1897-FE4B-0B559B598914}\1.0\0\win64	MKMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C94BD3D2-68DA-49CB-1EB2-80497F102965}\Version\	MKMP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C94BD3D2-68DA-49CB-1EB2-80497F102965}\VersionIndependentProgID	MKMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C94BD3D2-68DA-49CB-1EB2-80497F102965}\ = "Iziwa.Agezahe.Kikiqi class"	MKMP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4A0BAA7F-8AE7-1897-FE4B-0B559B598914}	MKMP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4A0BAA7F-8AE7-1897-FE4B-0B559B598914}\1.0\0	MKMP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C94BD3D2-68DA-49CB-1EB2-80497F102965}	MKMP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4A0BAA7F-8AE7-1897-FE4B-0B559B598914}\1.0	MKMP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C94BD3D2-68DA-49CB-1EB2-80497F102965}\TypeLib	MKMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4A0BAA7F-8AE7-1897-FE4B-0B559B598914}\1.0\0\win64\ = "C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\elevation_service.exe"	MKMP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C94BD3D2-68DA-49CB-1EB2-80497F102965}\Version	MKMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C94BD3D2-68DA-49CB-1EB2-80497F102965}\VersionIndependentProgID\ = "IAS.SHV"	MKMP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C94BD3D2-68DA-49CB-1EB2-80497F102965}\InprocServer32	MKMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4A0BAA7F-8AE7-1897-FE4B-0B559B598914}\1.0\0\win32\	MKMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4A0BAA7F-8AE7-1897-FE4B-0B559B598914}\1.0\0\win32\ = "C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\elevation_service.exe"	MKMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C94BD3D2-68DA-49CB-1EB2-80497F102965}\VersionIndependentProgID\	MKMP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C94BD3D2-68DA-49CB-1EB2-80497F102965}\ProgID	MKMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C94BD3D2-68DA-49CB-1EB2-80497F102965}\ProgID\ = "IAS.SHV.1"	MKMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C94BD3D2-68DA-49CB-1EB2-80497F102965}\Version\ = "1.0"	MKMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C94BD3D2-68DA-49CB-1EB2-80497F102965}\TypeLib\	MKMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C94BD3D2-68DA-49CB-1EB2-80497F102965}\TypeLib\ = "{4A0BAA7F-8AE7-1897-FE4B-0B559B598914}"	MKMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C94BD3D2-68DA-49CB-1EB2-80497F102965}\InprocServer32\ = "%SystemRoot%\\SysWow64\\iasnap.dll"	MKMP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4A0BAA7F-8AE7-1897-FE4B-0B559B598914}\1.0\0\win32	MKMP.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2560	MKMP.exe
Token: SeIncBasePriorityPrivilege	2560	MKMP.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2632	iexplore.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2152	Snuterz.exe
2152	Snuterz.exe
2560	MKMP.exe
2560	MKMP.exe
2560	MKMP.exe
2560	MKMP.exe
2560	MKMP.exe
2632	iexplore.exe
2632	iexplore.exe
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 2560	1692	VIP Forum.exe	30
PID 1692 wrote to memory of 2560	1692	VIP Forum.exe	30
PID 1692 wrote to memory of 2560	1692	VIP Forum.exe	30
PID 1692 wrote to memory of 2560	1692	VIP Forum.exe	30
PID 1692 wrote to memory of 2152	1692	VIP Forum.exe	31
PID 1692 wrote to memory of 2152	1692	VIP Forum.exe	31
PID 1692 wrote to memory of 2152	1692	VIP Forum.exe	31
PID 1692 wrote to memory of 2152	1692	VIP Forum.exe	31
PID 2152 wrote to memory of 2632	2152	Snuterz.exe	32
PID 2152 wrote to memory of 2632	2152	Snuterz.exe	32
PID 2152 wrote to memory of 2632	2152	Snuterz.exe	32
PID 2152 wrote to memory of 2632	2152	Snuterz.exe	32
PID 2632 wrote to memory of 2604	2632	iexplore.exe	33
PID 2632 wrote to memory of 2604	2632	iexplore.exe	33
PID 2632 wrote to memory of 2604	2632	iexplore.exe	33
PID 2632 wrote to memory of 2604	2632	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\VIP Forum.exe
"C:\Users\Admin\AppData\Local\Temp\VIP Forum.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\SysWOW64\28463\MKMP.exe
  "C:\Windows\system32\28463\MKMP.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2560
- C:\Users\Admin\AppData\Local\Temp\Snuterz.exe
  "C:\Users\Admin\AppData\Local\Temp\Snuterz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://reza-belive.blogspot.com/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2632 CREDAT:275457 /prefetch:2
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
3745bddbbe2f1a8ea7ab587ecf91821f

SHA1
c6bdc9648bdec0da7514b01f5a94c8cb94939a97

SHA256
9f0b3758ba6df4f230050dad70c51b00cf79e792f1ef13e6559e509c8a42a723

SHA512
ab2dce4e63fbdfd06c336ed593e4531947bf6a9fedec92862d40870ec00580d16fe9f20db34a000b2de10aa29f5a3d91fc17553fa94f2015ea2321cfbd8b7ffa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
970ca1342e44a3efcde44d85843b17bc

SHA1
ff0cb74cb4de28310e1b55739c278c3a93be5fe9

SHA256
127de122166466d3ad84603c6dd8393e0a008f511415f701a96a529670a6985f

SHA512
1df5bb359a628922e7469841645dab21e8c4c8babbcb094be4e8f644d3cfd5837c596a8d47ab4dd920e567ba0724b57c0f34f2848a803cf93562f5d3a72587be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
d4cc80cc594c6bde47e1ac81737cd2e5

SHA1
90df3eda7421c8448ac3a6438ca85f8900c75354

SHA256
12e252fcf7c708090f9fdb2e7dd4465bfd68b44053eabe049cc59314893358c2

SHA512
2152d8cb472a41e121e5560f55c844fc20ff8b1484185d8b082a6382ab4c755ffa8fd8ed2c21410e030e93dbf797d92ce2948b106883ca79e74f2efa7e0f919c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b415f87c8c26f61e9465efe883c6da14

SHA1
4782993dc74b552c3928b02a87907350e61d6d6a

SHA256
5009c7e5805bbe0d1a3e036989d80783f14a1500bf5368558ef282769d9baf14

SHA512
61fb24e01c9bedf4ab0660c6cddba8db8946280206aba630c09fb292fb6e0bd797b95d2a1b8d3ea2d7521e1fb3b580f21b03ee058a6694ffe5e7e41379966b38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9a7f46cef0abd9bf4b2edb066db78a34

SHA1
32e58a9330ba2be7e11fa602e6749e0892588c23

SHA256
03e7f8ce51bda69791a983b4496be3583dfe03be71726950959562398e115b8b

SHA512
5e809eeb85821a52087f0b11a5e288baa1e152df4245fd7b52fb1f0b63f025b263c18ffc2cc179dfd9629dd8bdc0c58bb9629b32a4b324c80638403be0151b55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ffcfd944be80d1c2a206cb687ca92c9

SHA1
b20ef89d31fcaf38b4c4cd31624f3fe3fc514395

SHA256
38639021908c43e0a73599a459b9a63ce5269f03d2821d7f308368b9da90dc14

SHA512
3f1486f99eac76bc6930f032d6eb352646c5910c94dec497fd36a39dec0c20344e603a2a2d427799f1257b8f15738280f515a86afc71d81521f18d7477a2ea54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87fe61910f95eca8b0636144f88cdeeb

SHA1
c5054683b5c3eac42d82b5a6d4645b05c6baf5b0

SHA256
6586be65238366f58febf3e00997218231cf5538961baf5c68be424efd89636a

SHA512
a2683ffea61b1893de998c7aa76c2287930bb414c2fdaffcd5ea7d87badf8b768d2358ced0478a2ddbddd91e7e8dec4c6e9dce89df63b8125557c045aa2c573d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90e9c1659b622be84db0091da2bf98ae

SHA1
fd5b4f7f8946710a495b1f9c6e580a83ae79926f

SHA256
52a92456a56d7ad767f747e5d749028519d5f9c1ee377f74df027627d31ffdb0

SHA512
b57c50f500f1c3178d3b6500d1d6c05fd392ac6bcfaf0e5e9b4802838fb38f79c71deaafe993704f169ffb912886351c436cf3662ab76bf82f72ee5be08cd792

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8054470dd410962253a833124b05c2f

SHA1
39d32d30be714787cd0c83d778d8bb723aee03ed

SHA256
cd40915a9147f64a52e069218f35397c573dd07a6bb001302328932d8016c942

SHA512
0a1c3fe82e3cbb1aa9cf6bd2b3bc3043b34c7cfb576f4d0b0790a64dfe81a8a7a683af5584753f858487de87bd875778b3cdd19fc0a1ef945d8068a35c410d02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
365f7e86d0047c2500a4cd4eb0d0c737

SHA1
0dc35495a6858355e16e01ab414ce1b5b2aa351c

SHA256
bf7a1e899ece1b1e72fceff26944445da525db56735219edeebdd2e5ef0fe223

SHA512
42f114bc7d2d5bfffd59b463abe768dbd0514e57e45a88cd3cd363f461221d78e3730e9de576caaa5d0cf6c4ca96ea3d2dc1a7a7ab02fc3421601087410e9954

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44c8e4831c5bb6dcb6e9f1da608c0611

SHA1
caf6184f0d731f7ea1c4ac6fa9bec567c89e4a91

SHA256
cff8c7040beccc0e2e81087f423d2a8eefc60fd8389e7e5707ada58611e8d529

SHA512
7f02847d12e5fb7a13e4ef69f6f24b12770f6961f6224ed1962594f99d4fa58c6c1747d3b2ae7bdc7d64d397fc685d8bde295b465bf45a001224cd1a8880b0c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d80207aea9644e2d4937c3a69e843ff3

SHA1
8ff1db93abf3a1d4f7898fbbc30e639349fc86ef

SHA256
b09155bf26680c7fa6dc033ab69db21f5a81c06516314cd8a700e1e0486d0fe3

SHA512
3a154a731f14070f510d9acda14ecc856458ab07ce907f6311d82436adb19f886df76049f0245deb06db3a4eedd3a78b5a448fce6a078829d3a1da2674ff681a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c1f6c3a7d2c7aea715d3e295e314ad22

SHA1
d03e898d579356350a91fecbeb105431d03dac5a

SHA256
06e1c0c75e6e0462c21ab9ba86c91f841b3ef93b9836de0ac11c0f560faaf7c0

SHA512
c08930449373cb7396e3e12cc5e9e51317d626c8ee64ff70f4b4bae651fcd4965b79ccaf4efe31ff456382377708595fb280f51d80414617593177b713e5e758

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6999e1d1044800880db8a027b17d13b

SHA1
d01ba65c58c59a5f37575f8aa4d21250855e1c20

SHA256
4b87e95195642a1cd49966d5f25edb15b7ce27b0e7e0c4c5df8ffa435a8fc54d

SHA512
7a13eae9519fb341c60a02a62b9177d32773398b5eef324f09f6bcfb2cc37bd5c4ecc52feaabc2f9753812325c78d8829da287939108250450b9a0072915fd65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b748a03365aac43095fc5d27b5445e2

SHA1
3411a36bc747c6f8f45f93b74991b8da3ff75c13

SHA256
f83a569971d02d740b29aa7c045c2a3254cb4a5064300f189a528ca823f08ca2

SHA512
e2459acd1cea63631c3a56f450f005302a341278a360d78334823558e8dd5d50760eeaa3a5999ae84ec8249f039ea84605310c14a167dec5ca154099b86c2a67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68b1060239789d8d6021c83b4fa123cf

SHA1
99f35b3a2f40883b19a1a8b080b478173ff11a3a

SHA256
d77b03146a14077e4965ac578f7a549066e8a625f6dba8ca54a5b18d1b57799b

SHA512
37efe036e7c7e9396d98cf61357f3d7d8bd2b649779202b622bffecb44ab2394cfe78fcdffa28c0430e6a632d165a65cee6513e24b05b787db02be5b66b3c073

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
474ebc2126ba2c243c4f964512f07775

SHA1
f22b380617cdc9ee5ab0c3bf869ac02a5083a29f

SHA256
44c77617d7fac4298f06c4ec2dac43b5fcebae3b1e3da51690e8bc0f94fc1066

SHA512
38ccc40f96cfc74d9e13955604dab9b3c223460a0329da09dd5bd9b9009f32daec96ba9b876fa8d4858ce84065c94f3d1eda02b1d3cf578e7fcb826f0e5177d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92f2d98f2d6d3a0b5a649d4a6a900296

SHA1
d63836a97133c6ea8180423d7fb9b5ec33eac990

SHA256
e92be8c0fcc9fbbf50b54a79592b9f3ea63cd3de5a587d05767786fa60875490

SHA512
eebfae7c1d0a5b0b46e13ce9c2dbf2f57373d458828d6fa8f93383c6a3cafd4ebd8f9a23e1a7484ecd90eba7233f8ceb86a173f5c17f157fd1b1b8649da4f349

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5428b64e86a059f954302eff92336a72

SHA1
6cd60d540ab666182ce94e7fe9d7d4313e83b0b2

SHA256
56b1533d59405ea7883cb9cea4e3aa662d62d39f4bc079e18e766c7f8a5ad8c1

SHA512
8f40d5ab3777b77a3a58123d5d822ea7fcb75357865cf1508ffb08037c69494cff42a4326c89359a987270b004ac901b7ccc559a052b0765bf16648dc03ea716

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
feb9732d1fc39a1b8fc76efec40a5426

SHA1
c458b8ee0e3b76869bc133f4307d95b3c35f35d2

SHA256
4d2229b1276b8a8ed99f05c626e7a2c956d9155776ad2351cadf401581b80dc6

SHA512
af405f67c087e1e94616d3e2a1f5a54a0b3ec8f66a55395b008513c5c8d95374b2cc19234b7886ecabb12da73754ba83d7777c8018368ac0b2ee68d2024818ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_147AB4536A182B9FCE88E194D59F3B22

Filesize
402B

MD5
775af411d7263ac874ce5cfeda452d1d

SHA1
1c06781744b8c7857f2afcc8a3a6995091c34ff0

SHA256
2ca7ab1a8658e5b2afcd845f459ba3988d2fdacb33adc1ce6e1fa51068f2c9cd

SHA512
9e09294d7aaf9c726812537147ba8eb4aeab491c275b0b9453c7c0921264e42595474e8b1dbb39099e73f291e1583914a26ea4a71cedb2c0bfca002e314959a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
5d9a737b313245bef9a4d0e542f3579b

SHA1
f53f2e7324f2760117628e1ea6e6787238275378

SHA256
fd15c64e4581116acac6ded0cc35cb1940560cf4b075ac3988d2c81dbe2f821d

SHA512
2a1fc23bcc819748bf81a97b8c81d3441d47247444c06f43e4dce7c01502418d1842230f1abe3d6caaa7c903404120303071e533cd0d21df7f6460acfd25e9c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDA49.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDAC9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
42e2202ac32edb39ccf9979515018d85

SHA1
c1e07fbe2fa759e2775d4dcf7de23a66d2422a1a

SHA256
367b4028baf3df4a5f77169bd64c9ef8fd7968a4d6c852ae3f81a726f4b37222

SHA512
a97d9e968b1f63dedba74999aabe6fd150aae985c1143d29b183cc0d663a45252c57494c3457136c5e500050c6af6c819f9ba7070b7d62300ede2e9a7c792768

Download Submit
C:\Windows\SysWOW64\28463\MKMP.001

Filesize
432B

MD5
98740aa80cabd8b5f1a785f2f0ec9b62

SHA1
d1d44c19132f12a76d2322322438695faf1d3b38

SHA256
57422b45a1a9b6c53f035d1d22cd15cd17e47f54ba492307bb828cc1c727ad12

SHA512
e7c5df2e4a2e86d3e6c568bff5e26eee8baa72821b9f612a790f9a8396ecc748a52f1308e9eea3f5f82e05be2d5941ce3601ef189402c21b6e99d67958be02d8

Download Submit
C:\Windows\SysWOW64\28463\MKMP.006

Filesize
8KB

MD5
3da3041787b72a7909d9f6184ce6bc5e

SHA1
fc7f00b8a1341b5341e2ba6f94ba85364bc90843

SHA256
18e06896cc71e99b717cff8d68cba86fea3eba5087b93734f6418e53cadab5b3

SHA512
150fa3f8eeec3621ac61eab0da3f2692dd776887ec0c1791404df3dd8784982563496e1e990217a99c4fd53c5d5d68e0574737879b72d78ab737033f1b08560a

Download Submit
C:\Windows\SysWOW64\28463\MKMP.007

Filesize
5KB

MD5
50d0bcf6b5a6b11d9e274ccefba3f02e

SHA1
57acf2a1236b7534f2db661a9d95aeadcd41aa2a

SHA256
a5e5cf8b3133031f25db37fd13b029cdfc9d1588ca7f68041e52349f46cbbf5c

SHA512
c0288f92c75f4a6ea45434e3960a3c5d8ed3d890121a3fd6da2449e1313db523224e301451d85a15ea8ee9b5c2fb3bf294ee90869a4d5608bcf48fa94458e938

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
105B

MD5
27c90d4d9b049f4cd00f32ed1d2e5baf

SHA1
338a3ea8f1e929d8916ece9b6e91e697eb562550

SHA256
172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

SHA512
d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

Download Submit
\Users\Admin\AppData\Local\Temp\@A93A.tmp

Filesize
4KB

MD5
cb07753c45624238b4403480372be5db

SHA1
10af5bfbed599165d996470278f011728e866df7

SHA256
63c3ed8cbe11314a2f2cd6ff50305bad98075be9e09d22e45b47af557a3388e7

SHA512
2c72cca45ef924104c6892dd96f2e27a5d43bacc9f3eb0eeee24c871cc1bd1642d77734822d9d934f93a77c884fa1c682cf1ceddffe157a613978d9edd184312

Download Submit
\Users\Admin\AppData\Local\Temp\Snuterz.exe

Filesize
396KB

MD5
a6517a923c489b3b8ad7b2edac49171e

SHA1
d43a4f027609e3e5325ebf67a13ed1b2896f32bb

SHA256
0425e1df375410c8abe84c8ca49c6964917aebaea747de23db14648449f4453f

SHA512
84965285baee40eac41260ee55ad828b431e13b94190816d0d94c67b1d53e6add431e40bcf7c8c1dad8e337b6a09a00b782bc8b8551a9bb82b1e3372e70659bd

Download Submit
\Windows\SysWOW64\28463\MKMP.exe

Filesize
647KB

MD5
a7b322839cedf8d56cb0a7dcdb50ab59

SHA1
d27855e65f5d9e87666f39d2af694a0d75330a75

SHA256
ba7362315c0608c9203c9d607fd85695fbc15f034ea40b3de7dd1abebd5859a3

SHA512
86a416ae639ca458e56093d5c04f3406ac0389cf9a1047f714424ba89ffd047ca58e6927bc941d285d4db9e8a95e91e0d578be3038a83945b6af90586ea9f649

Download Submit
memory/1692-13-0x00000000027C0000-0x000000000289F000-memory.dmp

Filesize
892KB

Download
memory/2152-54-0x0000000004510000-0x0000000004FCA000-memory.dmp

Filesize
10.7MB

Download
memory/2560-37-0x00000000030B0000-0x00000000030B2000-memory.dmp

Filesize
8KB

Download
memory/2560-19-0x00000000002B0000-0x000000000030A000-memory.dmp

Filesize
360KB

Download
memory/2560-18-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2560-35-0x0000000001E10000-0x0000000001E11000-memory.dmp

Filesize
4KB

Download
memory/2560-62-0x00000000002B0000-0x000000000030A000-memory.dmp

Filesize
360KB

Download
memory/2560-36-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/2560-561-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2560-33-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/2560-61-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2560-38-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2560-34-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/2560-42-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2560-43-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2560-44-0x00000000030D0000-0x00000000030D1000-memory.dmp

Filesize
4KB

Download
memory/2560-30-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/2560-31-0x0000000001EC0000-0x0000000001EC1000-memory.dmp

Filesize
4KB

Download
memory/2560-128-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2560-32-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download
memory/2560-127-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads