ardamax | e4f51c8c20e4ce5304ec5e51b51743af1471bb99bd27ffd7581ae99d47d8416a

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26/01/2025, 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3580f87fe087994c3fb1f52353e8e9bb.exe
Size

555KB
MD5

3580f87fe087994c3fb1f52353e8e9bb
SHA1

b2b962df988b3cdeae1cd269a67d9ace46600efe
SHA256

e4f51c8c20e4ce5304ec5e51b51743af1471bb99bd27ffd7581ae99d47d8416a
SHA512

eb21b3a95075474b1095e10299a563b0f9e18e55a83b8e996e7874cb84f831e6e2fd6c844b45ddadfc6ac20734652a0082c94deae86bd0924b5495ac0e35ecfd
SSDEEP

12288:MrPTRz+RidaaKbBEoUVSvVDyz1SQdLzt03nxaMQ:MDTgcaaKbBMAZI1SgUnxaX

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0006000000016d11-40.dat	family_ardamax

Executes dropped EXE 3 IoCs

pid	Process
2068	is155016.exe
2644	setup_akl.exe
2940	HTV.exe

Loads dropped DLL 24 IoCs

pid	Process
2228	JaffaCakes118_3580f87fe087994c3fb1f52353e8e9bb.exe
2228	JaffaCakes118_3580f87fe087994c3fb1f52353e8e9bb.exe
2068	is155016.exe
2068	is155016.exe
2068	is155016.exe
2088	WerFault.exe
2088	WerFault.exe
2088	WerFault.exe
2228	JaffaCakes118_3580f87fe087994c3fb1f52353e8e9bb.exe
2644	setup_akl.exe
2644	setup_akl.exe
2644	setup_akl.exe
2644	setup_akl.exe
2644	setup_akl.exe
2644	setup_akl.exe
2644	setup_akl.exe
2644	setup_akl.exe
2940	HTV.exe
2940	HTV.exe
2940	HTV.exe
2940	HTV.exe
2396	IEXPLORE.EXE
2940	HTV.exe
2940	HTV.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	JaffaCakes118_3580f87fe087994c3fb1f52353e8e9bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HTV Agent = "C:\\Program Files (x86)\\HTV\\HTV.exe"	HTV.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\HTV\HTV.007	setup_akl.exe
File created	C:\Program Files (x86)\HTV\HTV.chm	setup_akl.exe
File created	C:\Program Files (x86)\HTV\Uninstall.exe	setup_akl.exe
File created	C:\Program Files (x86)\HTV\HTV.001	HTV.exe
File opened for modification	C:\Program Files (x86)\HTV	HTV.exe
File created	C:\Program Files (x86)\HTV\HTV.exe	setup_akl.exe
File created	C:\Program Files (x86)\HTV\HTV.006	setup_akl.exe
File created	C:\Program Files (x86)\HTV\HTV.003	setup_akl.exe
File created	C:\Program Files (x86)\HTV\HTV.004	setup_akl.exe
File created	C:\Program Files (x86)\HTV\AKV.exe	setup_akl.exe
File created	C:\Program Files (x86)\HTV\qs.html	setup_akl.exe
File created	C:\Program Files (x86)\HTV\tray.gif	setup_akl.exe
File created	C:\Program Files (x86)\HTV\menu.gif	setup_akl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2088	2068	WerFault.exe	28

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3580f87fe087994c3fb1f52353e8e9bb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is155016.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HTV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0009000000014b28-20.dat	nsis_installer_1
behavioral1/files/0x00060000000175c6-57.dat	nsis_installer_1

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001afa622a070e944fb64871eace57f4960000000002000000000010660000000100002000000092c4818a8780b91b8a15cc9d91793e326ce0d516d30b848f136bbe530dd943ee000000000e80000000020000200000005cffb115a23025e793d9448887094f479e0369d85c493f5c3784ae60b97c4c792000000080e1c75c92bb144889f0d2fbd07c2413f9e062186e710ce7d9160bcd7e4fc0924000000047dd0d58bb27aea04c68d0c9fc44aa6f5138be7fa26130ba5d6fde8666798a5768714e43f9002a356563595bc8adb3346a81fb0ae0b7862075e2156d659eb8ac	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8DC8AC31-DBE1-11EF-93F4-C28ADB222BBA} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001afa622a070e944fb64871eace57f49600000000020000000000106600000001000020000000acc1722fea11a7d527e71817d62991550dc48c7c1f7cc377ac1d45a020f7a6a3000000000e8000000002000020000000d41bfadedd3292cd061b465d610a8ab5bc89c1bf2f68dba8f8dafd2f3d5755b290000000a622b346e5eb7d10802ca5584f9223923ac14f0ffb216301dce011363b8031fe1abe243de57dcda48c475004a3da12b2f2f0c157bc4e2e2160fc0a3d9131c1e33e75ef9708768d16d24354806e579de494a4debce65f98daf700213815034e0ae837df902aeae59518b661d4985fa1472ef98aad5003cc99705759b4286f4b8fd25daf73bb94658285e3fb6a791cd5b9400000002581813e563834043f7a90ac965e22b59aa440e9fcb34c90406f18d040909b2330f4a71b7d20f97efb6d19859e11c914ba7a3e05fc8e31ad7026025b2d339730	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0a63662ee6fdb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "444056594"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2940	HTV.exe
Token: SeIncBasePriorityPrivilege	2940	HTV.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2940	HTV.exe
2264	iexplore.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2940	HTV.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2264	iexplore.exe
2264	iexplore.exe
2940	HTV.exe
2940	HTV.exe
2940	HTV.exe
2940	HTV.exe
2396	IEXPLORE.EXE
2396	IEXPLORE.EXE
2396	IEXPLORE.EXE
2396	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2068	2228	JaffaCakes118_3580f87fe087994c3fb1f52353e8e9bb.exe	28
PID 2228 wrote to memory of 2068	2228	JaffaCakes118_3580f87fe087994c3fb1f52353e8e9bb.exe	28
PID 2228 wrote to memory of 2068	2228	JaffaCakes118_3580f87fe087994c3fb1f52353e8e9bb.exe	28
PID 2228 wrote to memory of 2068	2228	JaffaCakes118_3580f87fe087994c3fb1f52353e8e9bb.exe	28
PID 2228 wrote to memory of 2068	2228	JaffaCakes118_3580f87fe087994c3fb1f52353e8e9bb.exe	28
PID 2228 wrote to memory of 2068	2228	JaffaCakes118_3580f87fe087994c3fb1f52353e8e9bb.exe	28
PID 2228 wrote to memory of 2068	2228	JaffaCakes118_3580f87fe087994c3fb1f52353e8e9bb.exe	28
PID 2068 wrote to memory of 2088	2068	is155016.exe	29
PID 2068 wrote to memory of 2088	2068	is155016.exe	29
PID 2068 wrote to memory of 2088	2068	is155016.exe	29
PID 2068 wrote to memory of 2088	2068	is155016.exe	29
PID 2068 wrote to memory of 2088	2068	is155016.exe	29
PID 2068 wrote to memory of 2088	2068	is155016.exe	29
PID 2068 wrote to memory of 2088	2068	is155016.exe	29
PID 2228 wrote to memory of 2644	2228	JaffaCakes118_3580f87fe087994c3fb1f52353e8e9bb.exe	30
PID 2228 wrote to memory of 2644	2228	JaffaCakes118_3580f87fe087994c3fb1f52353e8e9bb.exe	30
PID 2228 wrote to memory of 2644	2228	JaffaCakes118_3580f87fe087994c3fb1f52353e8e9bb.exe	30
PID 2228 wrote to memory of 2644	2228	JaffaCakes118_3580f87fe087994c3fb1f52353e8e9bb.exe	30
PID 2228 wrote to memory of 2644	2228	JaffaCakes118_3580f87fe087994c3fb1f52353e8e9bb.exe	30
PID 2228 wrote to memory of 2644	2228	JaffaCakes118_3580f87fe087994c3fb1f52353e8e9bb.exe	30
PID 2228 wrote to memory of 2644	2228	JaffaCakes118_3580f87fe087994c3fb1f52353e8e9bb.exe	30
PID 2644 wrote to memory of 2940	2644	setup_akl.exe	33
PID 2644 wrote to memory of 2940	2644	setup_akl.exe	33
PID 2644 wrote to memory of 2940	2644	setup_akl.exe	33
PID 2644 wrote to memory of 2940	2644	setup_akl.exe	33
PID 2644 wrote to memory of 2940	2644	setup_akl.exe	33
PID 2644 wrote to memory of 2940	2644	setup_akl.exe	33
PID 2644 wrote to memory of 2940	2644	setup_akl.exe	33
PID 2644 wrote to memory of 2264	2644	setup_akl.exe	34
PID 2644 wrote to memory of 2264	2644	setup_akl.exe	34
PID 2644 wrote to memory of 2264	2644	setup_akl.exe	34
PID 2644 wrote to memory of 2264	2644	setup_akl.exe	34
PID 2264 wrote to memory of 2396	2264	iexplore.exe	35
PID 2264 wrote to memory of 2396	2264	iexplore.exe	35
PID 2264 wrote to memory of 2396	2264	iexplore.exe	35
PID 2264 wrote to memory of 2396	2264	iexplore.exe	35
PID 2264 wrote to memory of 2396	2264	iexplore.exe	35
PID 2264 wrote to memory of 2396	2264	iexplore.exe	35
PID 2264 wrote to memory of 2396	2264	iexplore.exe	35

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3580f87fe087994c3fb1f52353e8e9bb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3580f87fe087994c3fb1f52353e8e9bb.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is155016.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is155016.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 252
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2088
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_akl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_akl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Program Files (x86)\HTV\HTV.exe
    "C:\Program Files (x86)\HTV\HTV.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2940
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Program Files (x86)\HTV\qs.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2264 CREDAT:275457 /prefetch:2
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\HTV\HTV.003

Filesize
4KB

MD5
c3679c3ff636d1a6b8c65323540da371

SHA1
d184758721a426467b687bec2a4acc80fe44c6f8

SHA256
d4eba51c616b439a8819218bddf9a6fa257d55c9f04cf81441cc99cc945ad3eb

SHA512
494a0a32eef4392ecb54df6e1da7d93183473c4e45f4ac4bd6ec3b0ed8c85c58303a0d36edec41420d05ff624195f08791b6b7e018419a3251b7e71ec9b730e7

Download Submit
C:\Program Files (x86)\HTV\HTV.004

Filesize
14KB

MD5
bda4860df26a5882b42b6b861376199d

SHA1
8437ec07c9bc3001756ae0cb214b99e1e8a53fdb

SHA256
9ed69f6ee86a7fca1f3ef7801d08b38d9e82ab649e6169e894e48ce85b43dc30

SHA512
484f45aaacdb4be03752df49c337c7596d539ee0442412083fcfeea78e1c485caf1fbb25cf8a749611358e3a895232f8d0c61c91545d98a3f2a3e1aa504859c6

Download Submit
C:\Program Files (x86)\HTV\HTV.006

Filesize
8KB

MD5
43f02e9974b1477c1e6388882f233db0

SHA1
f3e27b231193f8d5b2e1b09d05ae3a62795cf339

SHA256
3c9e56e51d5a7a1b9aefe853c12a98bf246039aa46db94227ea128f6331782ba

SHA512
e22d14735606fe75ee5e55204807c3f5531d3e0c4f63aa4a3b2d4bb6abda6128c7e2816753f2e64400ac6dae8f8ef1e013a7a464dff2a79ad9937c48821a067f

Download Submit
C:\Program Files (x86)\HTV\HTV.007

Filesize
5KB

MD5
b5a87d630436f958c6e1d82d15f98f96

SHA1
d3ff5e92198d4df0f98a918071aca53550bf1cff

SHA256
a895ad4d23e8b2c2dc552092f645ca309e62c36d4721ebfe7afd2eee7765d4b2

SHA512
fd7bae85a86bdaa12fec826d1d38728a90e2037cb3182ad7652d8a9f54c4b322734c587b62221e6f907fce24fcf2e0ae4cce1f5e3d8861661064b4da24bd87ce

Download Submit
C:\Program Files (x86)\HTV\HTV.chm

Filesize
33KB

MD5
0195038e7af8da97742eb0188204c3bf

SHA1
b8c089c701ab283fa5aa921270b317c07cbee2c7

SHA256
fc14326e0719e0a59ba8fbb6763f2cc41b47d59ef177c90dc3535cd3a38720b9

SHA512
938c3a59895d861eb67a56f365fd387b122d42ff7bb52e5014faa738150d1eed2cd4a52b231ff70f1184fd7e3f0eb991096813b9933e574a7b4383f768384b04

Download Submit
C:\Program Files (x86)\HTV\Uninstall.exe

Filesize
43KB

MD5
916ced19a86ac3006f26ea60719dd648

SHA1
68278a4c3d5202fff273844d8e4b488fc1daddcd

SHA256
3dc70f9fc553517666be9008ebcfab2b044ff711036d49e40144e0dd97910734

SHA512
9c08cbca52a17f810f3892d66a72ff37c3af5a60ebe34f56e3937c933e265ae0e4207410f7778434cb203a76e36dc62df09a08f3b3f4338d35b44d5c5bc8bb28

Download Submit
C:\Program Files (x86)\HTV\menu.gif

Filesize
22KB

MD5
20fe009bce33b78dd40b48bc5f8accc6

SHA1
cd614d9b9e088eecb7e63722f61a39a0cf0ec196

SHA256
979c4b395172a53794b18d996df95c75c68d70ec3573aba66cdfe28c8d1cf0eb

SHA512
f6be54be78bfdf770c7c131c5d108b0b33376886b9b4a66598e2c92543a2e83ffafdaea36b9d749784a978d4327cdf52ce0ac6feb9a28d683162b0b3f2f40a37

Download Submit
C:\Program Files (x86)\HTV\qs.html

Filesize
1KB

MD5
40d00fa24b9cc44fbf2d724842808473

SHA1
c0852aa2fb916c051652a8b2142ffb9d8c7ac87a

SHA256
35b0f1bb808e1623ad534fbc1e72cea25ac28f71340e9c543f01d1bfdd094035

SHA512
9eb750e08ca9750988290626ae8ed32a2ecfa7c8ca021b3e26b3da0a94de952b991a9a6a0ad5729d7d5ccf7b3b36fb36fd24047f705d0468ad04908ba8a7154c

Download Submit
C:\Program Files (x86)\HTV\tray.gif

Filesize
7KB

MD5
0ac69330c3b9181b8a109fddb91fa128

SHA1
ef9698ccce041ce8ba3f4af37d0c2b577f19b375

SHA256
e675fecb791ed568aae7f1c24b159f7c0f7e23fe8a7ce76f72b3dd1a4ac00e9d

SHA512
3a74c04baf3e1e842c0a2568a6480e4ece05baef31171397763de638c6e5b0d26255cf1d7802ea53c355563b8e4b600d24d04afb5168fbc54f66414445327749

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Help.lnk

Filesize
906B

MD5
106e10eee05ef89954fe536ef5851432

SHA1
7b154787d4387d2075f1becc63ca23edcd99c773

SHA256
d5f68671efbf7f7df2d226990eb5296becf20a6113134cb839884634543b8b8c

SHA512
804ffe6740c7951d0495ebee71bb3fa778b86ab4b18034fe212a5ff2ea3161655d1fffe92bcd6c6f994e531609b1e2f0af99c1853aa37c2ef695851d957a1f9d

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Log Viewer.lnk

Filesize
964B

MD5
01550d3d848e925cccf1f9f675286382

SHA1
bbf8aaac4c0356a45a14debbae38198294df1d67

SHA256
b2035fbbdd8e4abef93f5b09085ffba3ad1e0a2114b42c62f4232839d2f9a0cd

SHA512
443243dbfce7187c77da699656b5db41c2d395877fd9cd333f1b9fc42f5c3964438d277eaf15ea008b267bf2e627ba28537309ab12f8ba7b93ffde62221cff34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0a0ad0ad0bd7d689f46413cdffb6704

SHA1
147f6c2e98a6d5695039d5a49df0a7d4a33be49c

SHA256
95a5e58d27881b204fc32fb1e8af51e5de33059be5e40db2dfeb0bb92364b4aa

SHA512
534c43d273be3a208e71d4ce817ba65f08f4c8851a831c3324be81fa43891cd6a43b2f0bd176c4988c824c6eee2b6fef1e8b7e3b3df4f26b381868d9cf5f1920

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c835667255312959fc7cfa50483aa33e

SHA1
3e875bb85a81130f7a0b6a91b01016306f69897e

SHA256
5b50372de76e1e79f55c466eb49a50a54cc040d1b569bb6752cbfd8262432e6b

SHA512
40e55328d35cb493b31ef8386d2d95a530ea6a830573da798bf4859c9a3158cdb58a534fffd96961319bc3b47f7c76afc90d560b516e194101da734aee0f1444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e39244aa76ae5c0f521b43e969f2a81

SHA1
a4cbcd847e3edc989dd77ff54e3fa339e906bdf6

SHA256
ac51654cd4a85b0a7bbc1c08a2b409016dfbc50437b8d598b33ae8a9f8cb2a99

SHA512
ceb0a0dc7cf6621f5069b6587a117e170cd09679966115174ba2b01481b0cfbf918b2d94d48a2f7f3b9ee3f42d7f7081d3021865ac57eb5baa132fbb8475d53d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a156f961b0e35f2ad870fefe853d1e2

SHA1
cadb1fd822ddd8ee04fa9fe8fd6de167f6e2620f

SHA256
1ab6036767b04eab1e96faf55760a46f45e598b41361f7fc897baa57c5115838

SHA512
4ed8e3b63e28232bb59353f1e2965c1764055c39e9952a1ab9568be06eb9e6dc571e1e3d77ab879e68ebf0a7ee9f7e5dc90280a5ba861a31d75b808ce5fafe23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a33dd4ead119fcbfa030db05ed56384

SHA1
1ed99625f26abc1a23c86a0039937b192a807f09

SHA256
2281aabb4b3de9d92f1d3bfc1476516e6c32cc88018f1db7311ba83c04704402

SHA512
0a03087ce906352e3d9458994482a39c39487e33893f155b8c84de31c997fc89fba94b525332d0069a9bb79b2d3ecf833a8e765c6470ca6ea54cef307e7b4589

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b32c7bc444c0c7a06ddc1bba535e0b66

SHA1
75f6888aa4ac723fd36ee1d2ca0baf93987d2c12

SHA256
84abd4b065e11bdd7c8865aede050026920d7da84d71977c98887af2f0c25c4d

SHA512
14243651e13e946eed4237a3e7c70db1e4fe4f1d03c57aec990ff1cc21275efd412284f5472d3c3f9f618158b5a1a29f5b9ce73377363f16553b6018e2c48836

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1805dc130714f33e3d6fc2b98d9418cc

SHA1
911d8a07ab3546682a320074c6caa25aa16c60c5

SHA256
b74be478f13a066e229f29cb8a1465bf8255d5c21b5d6b558d31e6330b59928e

SHA512
9d6056903cf3f40b2de4de6c59aead9c6c2cc2906529863941710c6b4aa71ea5b1448e3f1bc6515e11cf6c2deedff388161d7e1c2bb92436bbb446629e950c61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ef004a108ce16deebe1719b8ef32777

SHA1
3672aed8aeeac1469d4d203d5b25881e572d7105

SHA256
b03158148d505bdf5e32e6f5c6cb098faf3f01876a301604320db4ece2b3fd0e

SHA512
a05745c20c8b4838894b4feb8d1a10de19d3888b54a10f2380b04686ad45fbf26b3dbd911c36475ff46e916dfdad03259a4c77d90eeebe443488129c53cac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
212d15cc27b3dbdd1f7a4d2cf0f439a8

SHA1
dc6433d29e3b090008d76664aefda71a6e5ff397

SHA256
e9435b6a6ff82bd00f61d4aa16327fce21cde06cd4ceb389eea5160c40a33f6d

SHA512
c23d9ce78ee670d7b506ce19cfc5569a8fa7ce5f807240c7d212c70a3d326dde8b18931a535841f403daa5756415aa74ef536f0e1def10fc1d29095eaac82928

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ecd142068d4a59e66d0ac912e2a20e2

SHA1
f0b5bfa1fc46f7070ce49b3dab57d8cbe3efb120

SHA256
bac66f171313a99edac746eaa43c88baf384b189da2bb79d64e5521f1bc54874

SHA512
937a788b95dcfa9eed70a0edc349fb4b67210799abc2fb91c99cb4d9c5ad9f4e00b043590df851c836f2c70a4887d968bd724b892d047e361cd123d197b6dbce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b89706df9581bd1be4d09d506d1f6cce

SHA1
b89cb1e3855f937fb49bdbe6568a988c7051ab5a

SHA256
b0d031618b38e89d6b16054d376b6c0be2da4be440ab196281060524e319be9c

SHA512
95fa40126a20e121d2cf57720ee14b0d04db65261faa45ba9e88ee663b76277141a986f1de99a3093b0b4adb6d2f432d36ed34b71fd91383f76263533cb063da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
21c57865779f6ffbc1bec15e834554b1

SHA1
6e7dedb1cdeeb2aa7d29e02d657d0eb16427f7c6

SHA256
7062466a54ea58c8c88c738ce075a9f3f3f75133f1e8e0bdb9bde08662d9d3ed

SHA512
4c8f840b342f588b986632d58a64e7543e7f020574fe18872c829023c913283bad6fbfc6da84c4d8964d4c38fd5e3754e5cb0aa4ad335034d894ff06a9d213a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b58c70b0ab9ed90e23798f9caa2bd4ff

SHA1
761e0910d946bbdc092c568f6505278b0a3422be

SHA256
169d3328663fb651649b1e70305859fbc8e2e7af7c0211dd99552863515d369d

SHA512
60296ffc50e3e492a5adbc196030ad6387e78542d4a4eda9799349349de3b8de87652cebf4064f147218ca76947e0c409c58e790d7b0ec36d4e509e13e4a787f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
208027341dc4a89d68dd8f074e5871d4

SHA1
b429f8a7d15dcad7b46f50d92b68bab4f661534b

SHA256
59b5fa718e392a7a646c9ac35f51c988610a75abe688dd1b8e1b1b6306c0dc71

SHA512
8e49c52742fbb07e27f0a271f7ffbe039adf169710bcea0ee48ca9ff6f55d8649e36c325c2d8e54a0cb2abebab855607bf5dcf14b43c0a92cfe0acd93b9667f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4107729eb53a593c75d33262dc05f236

SHA1
881f60ad3e35698e3355171339a5a4bdc6128ec6

SHA256
8967587b981e05220a967ecf6387db1f14345337a66fd9758684b9f0eb849c21

SHA512
ca2bffbd14de9b39ce32b685b490db9ff9b1997917f335a54e330bb02a941623f328e86b033970dd873937cc6ffbfc06ecb4d71f4d4ac91e15651fdc86e88d81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9788bbcbda360a1f270b4a325ca048f3

SHA1
393697b2f674719258c0fe038770ec74dc82c52c

SHA256
97e60168a1c5bd6d59c4fe2f3b5bd9a4125f2b4db91cec0fe362734529b48f91

SHA512
80a88ee91da5643c622c9eedd03d135fd922f6f9e604136f634247f1e2691d35ad6324dfdad2655f68ad278f33012a09121539998ca5e5c4c2776e0b228ac708

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cbf493867d1dfeaa21c3fd204d13ff1c

SHA1
188452d0111c56761e97e0ed6b18653c8239f2ff

SHA256
92483981a0198bd6e74f3a41fdb5622d58575b06fa565dab03f15a39fbab47e8

SHA512
c2e31128506926163ff571a4fc9ec610c7c9a1c3b4d941aec675eacdd43e352e4a8e8589f30810325648e82a095f4b9383d9a52a6b2e93c238d614fb88ffdbbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98d248532f7ab4073cf47dbc388ff41c

SHA1
d59f0688bea08e575a90d5208e9a230bb1e4d0fc

SHA256
292ebb8194c800b45fddfaf48ef8bba7df5cd5e263aa0ba32998af5c5b410e6b

SHA512
7cc2dcfb755af51946486b4a174abd3f21609b16cf296fe8dfbdf3c3d30e7792c3a68df8a4c687654693139c4ee0c99872aba5db2e5bdc81c95b9b2b96f328d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9710a2b070710be331b18412f29f77c

SHA1
10aa88c9d076348b24a2269d6f5e553273366990

SHA256
0c9346cac86363627a9df07e2a3ed58948b3a9d1d61d61f10930577d7846ed69

SHA512
02bedfe68666b42cb9eddbdc47f5297fbad74277f7b5dbd6ee02be9d2b276f0d6098a86178df499dd295967b086c853ac7865fc8e1a0b1cbf800fb96c71f0b72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
988234007ee7d9897168aee8da6ab72f

SHA1
abce252b4f864bab35b8fa45015f3eeae835aaa2

SHA256
d30e320981552cab6822898ae2b1a5d2e4fec2079e8511739bf632db4c370dfe

SHA512
671b9cd7076e2056108ea78e593a14d9f486f2b4dd286492bd650698acc550be02eaf46222e37d1e670961a679d0e634857458858df700d43dc6dfde7ed5361b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
18d5678418bc364078180cd4193c5655

SHA1
b6c72d3ffa713cf5626b7031c5f4d2a3f87b6d31

SHA256
d3a8680b0f9949a77521c1c010391eab068f05f917aefb0efcac3b3f8082cf42

SHA512
0a1c0b8993464d88a796067df38608a698fbf39a9d0d2d026aa55c35943c9882ec180e1fad691270252556f3e13728ee2c76b353aa475b86afde90c560a760c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE0EE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE1AE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy69DC.tmp\ioSpecial.ini

Filesize
771B

MD5
aa64b8c5bcb531c56dc157a5c2ad9a36

SHA1
fd1bac5227d9fa8c48c378e490394432f5964eaa

SHA256
adae01c3490c37520598ebdb85babf32db68f2134e2777bfecd58f0e22d39715

SHA512
d0acdc7f8a745b5c4001d5cfb5d388b323563d547b9c1ad6678d2c71d2f39b92a1f3ea44bb7ff4e696bfb285db4964313a79224024749a8679dc770620f53645

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy69DC.tmp\ioSpecial.ini

Filesize
793B

MD5
5171dc28fcce2086acee471f5b2db528

SHA1
ce425cb9a01dbdb68e4fe4d9df041acb8f4c06f8

SHA256
67707f2f487458f4c239339699f21ea48921969a17019de349898566f1247bb8

SHA512
172dbcd9aab0da0ee96ff59f99225927d7d89cf9743eee07f2704564171041d34e439bebbe391a9015966bce90b2fd8f05594fa75218c6c4b566d3fd7de41bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy69DC.tmp\ioSpecial.ini

Filesize
719B

MD5
73abe1f2b5e6689dd24b7b55342fb28f

SHA1
c98da2b98b8e59c2e312e7492fa4dcfc2e8f0a62

SHA256
6742b803382162feb7dca94049272ff0b21c20ceb476f4e1d079dee6108eff06

SHA512
ba54029e49b51bcc9bf3f03e9ffca64ee133f109f1545a80cc8d948e7e705d9eb25df51af89e9d52807dbc8c0781ac5e8953f9c9cfb6127b1d0c3fdf9a6aa691

Download Submit
\Program Files (x86)\HTV\AKV.exe

Filesize
395KB

MD5
b8fa30233794772b8b76b4b1d91c7321

SHA1
0cf9561be2528944285e536f41d502be24c3aa87

SHA256
14116fa79ccc105fabd312b4dff74933f8684c6b27db37e5e3a79d159092d29a

SHA512
10ce8b18e7afb8c7e30bb90b0a1f199ef0b77873fa7a9efc596606e151be6b516c0ec6222a9032bdcc527e80964f53d20a28fa1881a08b4df303b2e28204549d

Download Submit
\Program Files (x86)\HTV\HTV.exe

Filesize
473KB

MD5
17535dddecf8cb1efdba1f1952126547

SHA1
a862a9a3eb6c201751be1038537522a5281ea6cb

SHA256
1a3d28ac6359e58aa656f4734f9f36b6c09badadcf9fb900b9b118d90c38a9dd

SHA512
b4f31b552ab3bb3dafa365aa7a31f58674ae7ee82ce1d23457f2e7047431430b00abb3b5498491725639daf583b526b278a737168cfdc4e9ec796dfbc14a53d8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\is155016.exe

Filesize
92KB

MD5
cd5ca8c901b504506c16915ead6131f0

SHA1
a49b2c83c00752c297579f32f4089555986a3e94

SHA256
7095d5866f8378beffedf836e451cd0416d8342e39138d91bc3391d49f472e45

SHA512
5ced517f81db55f0b3af70489efdb7a31898642b06a115c77651869383056253c4b179da6988ce3317a3f62584b99e7c84cf379a561667d1150b8feaa6a9f3e1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_akl.exe

Filesize
418KB

MD5
f6699e0d27e915996f33ddf617c9bf6c

SHA1
74d69a9449331b90e46ae01577b4714b1a35391a

SHA256
e2dc1886ca386f8717079b28cd52c1843de737ee24f2e521972730b9a6503c1f

SHA512
104451a409acf12db353259e86b00e40b079e657f2c456a9f339977cd0a972dc23af16d2f85da12b6728294560b3cf13afe380dafe1a87ba62c81ff72b127c54

Download Submit
\Users\Admin\AppData\Local\Temp\nsy69DC.tmp\InstallOptions.dll

Filesize
14KB

MD5
296a5f3179fa8d7a7a855eaf696ede44

SHA1
57aa5b71553ed282dd22c768e039a187f5c13f63

SHA256
ee0ad77e681c4d0fdf1d67df5f4ca03e6bdd8e3b05dfb47a83ad5c733ed62960

SHA512
bc527d1485f468e8d098057e0e38e8cb7aa6eb64d4ca30927b99b1552a3177b132b989015ff95bdf2ca046bf11a54b4b456f51e024fbc734fbb548c3499e53f6

Download Submit
memory/2068-15-0x0000000000490000-0x000000000056D000-memory.dmp

Filesize
884KB

Download
memory/2068-19-0x0000000000490000-0x000000000056D000-memory.dmp

Filesize
884KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads