ardamax | e4f51c8c20e4ce5304ec5e51b51743af1471bb99bd27ffd7581ae99d47d8416a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2025 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3580f87fe087994c3fb1f52353e8e9bb.exe
Size

555KB
MD5

3580f87fe087994c3fb1f52353e8e9bb
SHA1

b2b962df988b3cdeae1cd269a67d9ace46600efe
SHA256

e4f51c8c20e4ce5304ec5e51b51743af1471bb99bd27ffd7581ae99d47d8416a
SHA512

eb21b3a95075474b1095e10299a563b0f9e18e55a83b8e996e7874cb84f831e6e2fd6c844b45ddadfc6ac20734652a0082c94deae86bd0924b5495ac0e35ecfd
SSDEEP

12288:MrPTRz+RidaaKbBEoUVSvVDyz1SQdLzt03nxaMQ:MDTgcaaKbBMAZI1SgUnxaX

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b91-160.dat	family_ardamax

Executes dropped EXE 3 IoCs

pid	Process
900	is155016.exe
3496	setup_akl.exe
2076	HTV.exe

Loads dropped DLL 3 IoCs

pid	Process
3496	setup_akl.exe
2076	HTV.exe
3496	setup_akl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	JaffaCakes118_3580f87fe087994c3fb1f52353e8e9bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HTV Agent = "C:\\Program Files (x86)\\HTV\\HTV.exe"	HTV.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\HTV	HTV.exe
File created	C:\Program Files (x86)\HTV\HTV.004	setup_akl.exe
File created	C:\Program Files (x86)\HTV\AKV.exe	setup_akl.exe
File created	C:\Program Files (x86)\HTV\qs.html	setup_akl.exe
File created	C:\Program Files (x86)\HTV\tray.gif	setup_akl.exe
File created	C:\Program Files (x86)\HTV\menu.gif	setup_akl.exe
File created	C:\Program Files (x86)\HTV\HTV.chm	setup_akl.exe
File created	C:\Program Files (x86)\HTV\Uninstall.exe	setup_akl.exe
File created	C:\Program Files (x86)\HTV\HTV.001	HTV.exe
File created	C:\Program Files (x86)\HTV\HTV.exe	setup_akl.exe
File created	C:\Program Files (x86)\HTV\HTV.006	setup_akl.exe
File created	C:\Program Files (x86)\HTV\HTV.007	setup_akl.exe
File created	C:\Program Files (x86)\HTV\HTV.003	setup_akl.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3500	900	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HTV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3580f87fe087994c3fb1f52353e8e9bb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is155016.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0034000000023b73-10.dat	nsis_installer_1
behavioral2/files/0x000b000000023b9f-171.dat	nsis_installer_1

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3596	msedge.exe
3596	msedge.exe
3388	msedge.exe
3388	msedge.exe
4608	identity_helper.exe
4608	identity_helper.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2076	HTV.exe
Token: SeIncBasePriorityPrivilege	2076	HTV.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2076	HTV.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
2076	HTV.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2076	HTV.exe
2076	HTV.exe
2076	HTV.exe
2076	HTV.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 900	2864	JaffaCakes118_3580f87fe087994c3fb1f52353e8e9bb.exe	81
PID 2864 wrote to memory of 900	2864	JaffaCakes118_3580f87fe087994c3fb1f52353e8e9bb.exe	81
PID 2864 wrote to memory of 900	2864	JaffaCakes118_3580f87fe087994c3fb1f52353e8e9bb.exe	81
PID 2864 wrote to memory of 3496	2864	JaffaCakes118_3580f87fe087994c3fb1f52353e8e9bb.exe	85
PID 2864 wrote to memory of 3496	2864	JaffaCakes118_3580f87fe087994c3fb1f52353e8e9bb.exe	85
PID 2864 wrote to memory of 3496	2864	JaffaCakes118_3580f87fe087994c3fb1f52353e8e9bb.exe	85
PID 3496 wrote to memory of 2076	3496	setup_akl.exe	95
PID 3496 wrote to memory of 2076	3496	setup_akl.exe	95
PID 3496 wrote to memory of 2076	3496	setup_akl.exe	95
PID 3496 wrote to memory of 3388	3496	setup_akl.exe	96
PID 3496 wrote to memory of 3388	3496	setup_akl.exe	96
PID 3388 wrote to memory of 1404	3388	msedge.exe	97
PID 3388 wrote to memory of 1404	3388	msedge.exe	97
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3452	3388	msedge.exe	98
PID 3388 wrote to memory of 3596	3388	msedge.exe	99
PID 3388 wrote to memory of 3596	3388	msedge.exe	99
PID 3388 wrote to memory of 2976	3388	msedge.exe	100
PID 3388 wrote to memory of 2976	3388	msedge.exe	100
PID 3388 wrote to memory of 2976	3388	msedge.exe	100
PID 3388 wrote to memory of 2976	3388	msedge.exe	100
PID 3388 wrote to memory of 2976	3388	msedge.exe	100
PID 3388 wrote to memory of 2976	3388	msedge.exe	100
PID 3388 wrote to memory of 2976	3388	msedge.exe	100
PID 3388 wrote to memory of 2976	3388	msedge.exe	100
PID 3388 wrote to memory of 2976	3388	msedge.exe	100

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3580f87fe087994c3fb1f52353e8e9bb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3580f87fe087994c3fb1f52353e8e9bb.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is155016.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is155016.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:900
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 272
    3⤵
    - Program crash
    PID:3500
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_akl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_akl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Program Files (x86)\HTV\HTV.exe
    "C:\Program Files (x86)\HTV\HTV.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Program Files (x86)\HTV\qs.html
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff85e1746f8,0x7ff85e174708,0x7ff85e174718
      4⤵
      PID:1404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,529043196609832876,5636069936273607842,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
      4⤵
      PID:3452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,529043196609832876,5636069936273607842,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,529043196609832876,5636069936273607842,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
      4⤵
      PID:2976
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,529043196609832876,5636069936273607842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
      4⤵
      PID:2664
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,529043196609832876,5636069936273607842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
      4⤵
      PID:3108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,529043196609832876,5636069936273607842,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
      4⤵
      PID:3172
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,529043196609832876,5636069936273607842,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4608
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,529043196609832876,5636069936273607842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
      4⤵
      PID:1084
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,529043196609832876,5636069936273607842,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
      4⤵
      PID:264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,529043196609832876,5636069936273607842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1984 /prefetch:1
      4⤵
      PID:2840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,529043196609832876,5636069936273607842,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
      4⤵
      PID:3564
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,529043196609832876,5636069936273607842,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2292 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 900 -ip 900
1⤵
PID:1208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\HTV\AKV.exe

Filesize
395KB

MD5
b8fa30233794772b8b76b4b1d91c7321

SHA1
0cf9561be2528944285e536f41d502be24c3aa87

SHA256
14116fa79ccc105fabd312b4dff74933f8684c6b27db37e5e3a79d159092d29a

SHA512
10ce8b18e7afb8c7e30bb90b0a1f199ef0b77873fa7a9efc596606e151be6b516c0ec6222a9032bdcc527e80964f53d20a28fa1881a08b4df303b2e28204549d

Download Submit
C:\Program Files (x86)\HTV\HTV.003

Filesize
4KB

MD5
c3679c3ff636d1a6b8c65323540da371

SHA1
d184758721a426467b687bec2a4acc80fe44c6f8

SHA256
d4eba51c616b439a8819218bddf9a6fa257d55c9f04cf81441cc99cc945ad3eb

SHA512
494a0a32eef4392ecb54df6e1da7d93183473c4e45f4ac4bd6ec3b0ed8c85c58303a0d36edec41420d05ff624195f08791b6b7e018419a3251b7e71ec9b730e7

Download Submit
C:\Program Files (x86)\HTV\HTV.004

Filesize
14KB

MD5
bda4860df26a5882b42b6b861376199d

SHA1
8437ec07c9bc3001756ae0cb214b99e1e8a53fdb

SHA256
9ed69f6ee86a7fca1f3ef7801d08b38d9e82ab649e6169e894e48ce85b43dc30

SHA512
484f45aaacdb4be03752df49c337c7596d539ee0442412083fcfeea78e1c485caf1fbb25cf8a749611358e3a895232f8d0c61c91545d98a3f2a3e1aa504859c6

Download Submit
C:\Program Files (x86)\HTV\HTV.006

Filesize
8KB

MD5
43f02e9974b1477c1e6388882f233db0

SHA1
f3e27b231193f8d5b2e1b09d05ae3a62795cf339

SHA256
3c9e56e51d5a7a1b9aefe853c12a98bf246039aa46db94227ea128f6331782ba

SHA512
e22d14735606fe75ee5e55204807c3f5531d3e0c4f63aa4a3b2d4bb6abda6128c7e2816753f2e64400ac6dae8f8ef1e013a7a464dff2a79ad9937c48821a067f

Download Submit
C:\Program Files (x86)\HTV\HTV.007

Filesize
5KB

MD5
b5a87d630436f958c6e1d82d15f98f96

SHA1
d3ff5e92198d4df0f98a918071aca53550bf1cff

SHA256
a895ad4d23e8b2c2dc552092f645ca309e62c36d4721ebfe7afd2eee7765d4b2

SHA512
fd7bae85a86bdaa12fec826d1d38728a90e2037cb3182ad7652d8a9f54c4b322734c587b62221e6f907fce24fcf2e0ae4cce1f5e3d8861661064b4da24bd87ce

Download Submit
C:\Program Files (x86)\HTV\HTV.chm

Filesize
33KB

MD5
0195038e7af8da97742eb0188204c3bf

SHA1
b8c089c701ab283fa5aa921270b317c07cbee2c7

SHA256
fc14326e0719e0a59ba8fbb6763f2cc41b47d59ef177c90dc3535cd3a38720b9

SHA512
938c3a59895d861eb67a56f365fd387b122d42ff7bb52e5014faa738150d1eed2cd4a52b231ff70f1184fd7e3f0eb991096813b9933e574a7b4383f768384b04

Download Submit
C:\Program Files (x86)\HTV\HTV.exe

Filesize
473KB

MD5
17535dddecf8cb1efdba1f1952126547

SHA1
a862a9a3eb6c201751be1038537522a5281ea6cb

SHA256
1a3d28ac6359e58aa656f4734f9f36b6c09badadcf9fb900b9b118d90c38a9dd

SHA512
b4f31b552ab3bb3dafa365aa7a31f58674ae7ee82ce1d23457f2e7047431430b00abb3b5498491725639daf583b526b278a737168cfdc4e9ec796dfbc14a53d8

Download Submit
C:\Program Files (x86)\HTV\Uninstall.exe

Filesize
43KB

MD5
916ced19a86ac3006f26ea60719dd648

SHA1
68278a4c3d5202fff273844d8e4b488fc1daddcd

SHA256
3dc70f9fc553517666be9008ebcfab2b044ff711036d49e40144e0dd97910734

SHA512
9c08cbca52a17f810f3892d66a72ff37c3af5a60ebe34f56e3937c933e265ae0e4207410f7778434cb203a76e36dc62df09a08f3b3f4338d35b44d5c5bc8bb28

Download Submit
C:\Program Files (x86)\HTV\menu.gif

Filesize
22KB

MD5
20fe009bce33b78dd40b48bc5f8accc6

SHA1
cd614d9b9e088eecb7e63722f61a39a0cf0ec196

SHA256
979c4b395172a53794b18d996df95c75c68d70ec3573aba66cdfe28c8d1cf0eb

SHA512
f6be54be78bfdf770c7c131c5d108b0b33376886b9b4a66598e2c92543a2e83ffafdaea36b9d749784a978d4327cdf52ce0ac6feb9a28d683162b0b3f2f40a37

Download Submit
C:\Program Files (x86)\HTV\qs.html

Filesize
1KB

MD5
40d00fa24b9cc44fbf2d724842808473

SHA1
c0852aa2fb916c051652a8b2142ffb9d8c7ac87a

SHA256
35b0f1bb808e1623ad534fbc1e72cea25ac28f71340e9c543f01d1bfdd094035

SHA512
9eb750e08ca9750988290626ae8ed32a2ecfa7c8ca021b3e26b3da0a94de952b991a9a6a0ad5729d7d5ccf7b3b36fb36fd24047f705d0468ad04908ba8a7154c

Download Submit
C:\Program Files (x86)\HTV\tray.gif

Filesize
7KB

MD5
0ac69330c3b9181b8a109fddb91fa128

SHA1
ef9698ccce041ce8ba3f4af37d0c2b577f19b375

SHA256
e675fecb791ed568aae7f1c24b159f7c0f7e23fe8a7ce76f72b3dd1a4ac00e9d

SHA512
3a74c04baf3e1e842c0a2568a6480e4ece05baef31171397763de638c6e5b0d26255cf1d7802ea53c355563b8e4b600d24d04afb5168fbc54f66414445327749

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Ardamax Keylogger.lnk

Filesize
1019B

MD5
d5833653b181b39594b705be526e29e0

SHA1
8170366915b4171c380d9404342621980c4aa1df

SHA256
33abfb9abcecbff397f960bfca04ce8c2ca2d9004caa318cb3fe3b234f518596

SHA512
f055e2ceae07bf1cd8249e7280e45aaab51e76a56ad3c690a4b599f77bbb0c7fce049f6c58fdf9ca1e1abd4d16b1998c80240144d66f26aacd7c52501c22e98d

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Help.lnk

Filesize
975B

MD5
551a2bdc1b606b22eb1168c7d7d7a606

SHA1
c505072262f8022ddb0f83f44a46a3ff5843fec8

SHA256
83b6c3248b1612ff9fb4bccfb9333d25233d71746f3f6b2d792adfa248bf6d92

SHA512
60ba0f1a6ca4a8eeaa7b9436a802e5a865b73ba4c3b691752a26ef648436b71ef8087c0c4dd7c64d938c8f37c6c0442482ab5fd9e485385a7f736ab6ad48da93

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Log Viewer.lnk

Filesize
1KB

MD5
ddc2a4c8d3fabd1a871308e5f3e5733c

SHA1
6b6124c25e6140c9074a48c5cbc171fd495cfa20

SHA256
8b3963b8631771cbc2dbc8353a903acf1d0d5e53846464acf71f1acdc5e67593

SHA512
8d4aee5e9a10f0d7101464b3d432ddbb0d0597d8e4dcc4f3ffdf9e668cb1ac0b307fff581978193d49577ab56439e4973ff69c79e58617a8d5547bd384401557

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c06dfc303c2ed2b565c6ce399de5cc8f

SHA1
e75dfae2b5aad73f6f56b8f56fb2efd048180ec6

SHA256
976d93e1df116c7669db70647b4fa0a921429afb33afd095a3ec50e4e4362b70

SHA512
cf46de1b79b549b1e25702740d082d023ce3eb82feec4bf5d1c044810a6d229f4fdde46406c769a16f9022ef662fc1e1f020e848f493d538c47f794916625588

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a8c721c965127ddddc4d700923d51245

SHA1
ffbf1e91863bc9afc15ae5fc5f122ae0c7db2b80

SHA256
3e2a97bfa203d9f980d73067da129d23b0be40da1145edced823ff7d25abfd2f

SHA512
65ea239763bccf12fa8d1b4069b24f4f53abc1164a65ed8bd220315a4dc994d30b1b2c132ecfdd48b260055e93b3f6d15d5319c375c771e78c0a6c2f15f9afd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f075a1412c78785f6789e7802f82768a

SHA1
fff5ea6f44c1f8bcd4738251c1a5b66b65740358

SHA256
fc43ea383e9be13cfb9b9451e211fd6e8d45592a04ae8150d151e06b6d1ab546

SHA512
5a69c174b95b540e74a6a493dc287b9a988ba1b9197f74bb04ef7199f1471543e376e8e132f99f493e1816515b54caa45b008ee37f1b98543689e51ff23ae1c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is155016.exe

Filesize
92KB

MD5
cd5ca8c901b504506c16915ead6131f0

SHA1
a49b2c83c00752c297579f32f4089555986a3e94

SHA256
7095d5866f8378beffedf836e451cd0416d8342e39138d91bc3391d49f472e45

SHA512
5ced517f81db55f0b3af70489efdb7a31898642b06a115c77651869383056253c4b179da6988ce3317a3f62584b99e7c84cf379a561667d1150b8feaa6a9f3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_akl.exe

Filesize
418KB

MD5
f6699e0d27e915996f33ddf617c9bf6c

SHA1
74d69a9449331b90e46ae01577b4714b1a35391a

SHA256
e2dc1886ca386f8717079b28cd52c1843de737ee24f2e521972730b9a6503c1f

SHA512
104451a409acf12db353259e86b00e40b079e657f2c456a9f339977cd0a972dc23af16d2f85da12b6728294560b3cf13afe380dafe1a87ba62c81ff72b127c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvA143.tmp\InstallOptions.dll

Filesize
14KB

MD5
296a5f3179fa8d7a7a855eaf696ede44

SHA1
57aa5b71553ed282dd22c768e039a187f5c13f63

SHA256
ee0ad77e681c4d0fdf1d67df5f4ca03e6bdd8e3b05dfb47a83ad5c733ed62960

SHA512
bc527d1485f468e8d098057e0e38e8cb7aa6eb64d4ca30927b99b1552a3177b132b989015ff95bdf2ca046bf11a54b4b456f51e024fbc734fbb548c3499e53f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvA143.tmp\ioSpecial.ini

Filesize
793B

MD5
772fabf283bb02d633789f102b6ccf58

SHA1
a191cb993008c956f08360f5f54014f7260613cb

SHA256
7e6a0369b4587cd8011532e7aa8ca35aab42d89dc2141d7ee32aea3e9c0fbd75

SHA512
c86d0671d91adfd550764abfbd129af80bb2dfba2d57b58e2c4b7d51b3b0356b9f9c65c5c9e9b8ad8c3b1474b2f2f818c9aeae157e5cdadc04775cc30bdc9621

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvA143.tmp\ioSpecial.ini

Filesize
719B

MD5
5d97f4fd2771e07fb84c1a3ea287b0a2

SHA1
39fec9969fec0e7b8e8f38225f2f45c8ae6d3ca3

SHA256
577051b8053d915e8bfcb6edabf00aac6ea224b4f346b51da3aa9e81d524b93e

SHA512
295448c0a9e37131c063ee5ab87565ea9963f5216e2d2f326767f46be226db3f5bdb1c97b77f808e1837c159d10236a575ba52d259e3af11b1d14e77afbf598a

Download Submit
memory/900-7-0x0000000000400000-0x0000000000418912-memory.dmp

Filesize
98KB

Download
memory/900-8-0x00000000020B0000-0x000000000218D000-memory.dmp

Filesize
884KB

Download
memory/2076-173-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/2076-232-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download