ardamax | e4f51c8c20e4ce5304ec5e51b51743af1471bb99bd27ffd7581ae99d47d8416a

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2025 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_akl.exe
Size

418KB
MD5

f6699e0d27e915996f33ddf617c9bf6c
SHA1

74d69a9449331b90e46ae01577b4714b1a35391a
SHA256

e2dc1886ca386f8717079b28cd52c1843de737ee24f2e521972730b9a6503c1f
SHA512

104451a409acf12db353259e86b00e40b079e657f2c456a9f339977cd0a972dc23af16d2f85da12b6728294560b3cf13afe380dafe1a87ba62c81ff72b127c54
SSDEEP

12288:XDKLYe6zUbRrda8Kb9zoNVSbVhyzCe1PXcZgE:TKLuGJa8Kb9q+XI51PMZgE

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral6/files/0x0007000000023c72-148.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
3112	HTV.exe

Loads dropped DLL 4 IoCs

pid	Process
4596	setup_akl.exe
3112	HTV.exe
4596	setup_akl.exe
4596	setup_akl.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HTV Agent = "C:\\Program Files (x86)\\HTV\\HTV.exe"	HTV.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\HTV\HTV.006	setup_akl.exe
File created	C:\Program Files (x86)\HTV\AKV.exe	setup_akl.exe
File created	C:\Program Files (x86)\HTV\tray.gif	setup_akl.exe
File created	C:\Program Files (x86)\HTV\menu.gif	setup_akl.exe
File created	C:\Program Files (x86)\HTV\HTV.chm	setup_akl.exe
File created	C:\Program Files (x86)\HTV\HTV.001	HTV.exe
File opened for modification	C:\Program Files (x86)\HTV	HTV.exe
File created	C:\Program Files (x86)\HTV\HTV.exe	setup_akl.exe
File created	C:\Program Files (x86)\HTV\HTV.007	setup_akl.exe
File created	C:\Program Files (x86)\HTV\HTV.003	setup_akl.exe
File created	C:\Program Files (x86)\HTV\HTV.004	setup_akl.exe
File created	C:\Program Files (x86)\HTV\qs.html	setup_akl.exe
File created	C:\Program Files (x86)\HTV\Uninstall.exe	setup_akl.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HTV.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral6/files/0x0007000000023c80-159.dat	nsis_installer_1

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
228	msedge.exe
228	msedge.exe
3244	msedge.exe
3244	msedge.exe
3460	identity_helper.exe
3460	identity_helper.exe
1256	msedge.exe
1256	msedge.exe
1256	msedge.exe
1256	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3112	HTV.exe
Token: SeIncBasePriorityPrivilege	3112	HTV.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3112	HTV.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
3112	HTV.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3112	HTV.exe
3112	HTV.exe
3112	HTV.exe
3112	HTV.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 3112	4596	setup_akl.exe	97
PID 4596 wrote to memory of 3112	4596	setup_akl.exe	97
PID 4596 wrote to memory of 3112	4596	setup_akl.exe	97
PID 4596 wrote to memory of 3244	4596	setup_akl.exe	98
PID 4596 wrote to memory of 3244	4596	setup_akl.exe	98
PID 3244 wrote to memory of 488	3244	msedge.exe	99
PID 3244 wrote to memory of 488	3244	msedge.exe	99
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 4260	3244	msedge.exe	100
PID 3244 wrote to memory of 228	3244	msedge.exe	101
PID 3244 wrote to memory of 228	3244	msedge.exe	101
PID 3244 wrote to memory of 2468	3244	msedge.exe	102
PID 3244 wrote to memory of 2468	3244	msedge.exe	102
PID 3244 wrote to memory of 2468	3244	msedge.exe	102
PID 3244 wrote to memory of 2468	3244	msedge.exe	102
PID 3244 wrote to memory of 2468	3244	msedge.exe	102
PID 3244 wrote to memory of 2468	3244	msedge.exe	102
PID 3244 wrote to memory of 2468	3244	msedge.exe	102
PID 3244 wrote to memory of 2468	3244	msedge.exe	102
PID 3244 wrote to memory of 2468	3244	msedge.exe	102
PID 3244 wrote to memory of 2468	3244	msedge.exe	102
PID 3244 wrote to memory of 2468	3244	msedge.exe	102
PID 3244 wrote to memory of 2468	3244	msedge.exe	102
PID 3244 wrote to memory of 2468	3244	msedge.exe	102
PID 3244 wrote to memory of 2468	3244	msedge.exe	102
PID 3244 wrote to memory of 2468	3244	msedge.exe	102

C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
"C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Program Files (x86)\HTV\HTV.exe
  "C:\Program Files (x86)\HTV\HTV.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Program Files (x86)\HTV\qs.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc6e6146f8,0x7ffc6e614708,0x7ffc6e614718
    3⤵
    PID:488
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,10114016995155023123,17259079785355080597,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
    3⤵
    PID:4260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,10114016995155023123,17259079785355080597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:228
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,10114016995155023123,17259079785355080597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
    3⤵
    PID:2468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10114016995155023123,17259079785355080597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
    3⤵
    PID:3172
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10114016995155023123,17259079785355080597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
    3⤵
    PID:740
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,10114016995155023123,17259079785355080597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
    3⤵
    PID:3740
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,10114016995155023123,17259079785355080597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10114016995155023123,17259079785355080597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
    3⤵
    PID:1892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10114016995155023123,17259079785355080597,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
    3⤵
    PID:3068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10114016995155023123,17259079785355080597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
    3⤵
    PID:1296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10114016995155023123,17259079785355080597,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
    3⤵
    PID:1308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,10114016995155023123,17259079785355080597,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4812 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1256

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\HTV\AKV.exe

Filesize
395KB

MD5
b8fa30233794772b8b76b4b1d91c7321

SHA1
0cf9561be2528944285e536f41d502be24c3aa87

SHA256
14116fa79ccc105fabd312b4dff74933f8684c6b27db37e5e3a79d159092d29a

SHA512
10ce8b18e7afb8c7e30bb90b0a1f199ef0b77873fa7a9efc596606e151be6b516c0ec6222a9032bdcc527e80964f53d20a28fa1881a08b4df303b2e28204549d

Download Submit
C:\Program Files (x86)\HTV\HTV.003

Filesize
4KB

MD5
c3679c3ff636d1a6b8c65323540da371

SHA1
d184758721a426467b687bec2a4acc80fe44c6f8

SHA256
d4eba51c616b439a8819218bddf9a6fa257d55c9f04cf81441cc99cc945ad3eb

SHA512
494a0a32eef4392ecb54df6e1da7d93183473c4e45f4ac4bd6ec3b0ed8c85c58303a0d36edec41420d05ff624195f08791b6b7e018419a3251b7e71ec9b730e7

Download Submit
C:\Program Files (x86)\HTV\HTV.004

Filesize
14KB

MD5
bda4860df26a5882b42b6b861376199d

SHA1
8437ec07c9bc3001756ae0cb214b99e1e8a53fdb

SHA256
9ed69f6ee86a7fca1f3ef7801d08b38d9e82ab649e6169e894e48ce85b43dc30

SHA512
484f45aaacdb4be03752df49c337c7596d539ee0442412083fcfeea78e1c485caf1fbb25cf8a749611358e3a895232f8d0c61c91545d98a3f2a3e1aa504859c6

Download Submit
C:\Program Files (x86)\HTV\HTV.006

Filesize
8KB

MD5
43f02e9974b1477c1e6388882f233db0

SHA1
f3e27b231193f8d5b2e1b09d05ae3a62795cf339

SHA256
3c9e56e51d5a7a1b9aefe853c12a98bf246039aa46db94227ea128f6331782ba

SHA512
e22d14735606fe75ee5e55204807c3f5531d3e0c4f63aa4a3b2d4bb6abda6128c7e2816753f2e64400ac6dae8f8ef1e013a7a464dff2a79ad9937c48821a067f

Download Submit
C:\Program Files (x86)\HTV\HTV.007

Filesize
5KB

MD5
b5a87d630436f958c6e1d82d15f98f96

SHA1
d3ff5e92198d4df0f98a918071aca53550bf1cff

SHA256
a895ad4d23e8b2c2dc552092f645ca309e62c36d4721ebfe7afd2eee7765d4b2

SHA512
fd7bae85a86bdaa12fec826d1d38728a90e2037cb3182ad7652d8a9f54c4b322734c587b62221e6f907fce24fcf2e0ae4cce1f5e3d8861661064b4da24bd87ce

Download Submit
C:\Program Files (x86)\HTV\HTV.chm

Filesize
33KB

MD5
0195038e7af8da97742eb0188204c3bf

SHA1
b8c089c701ab283fa5aa921270b317c07cbee2c7

SHA256
fc14326e0719e0a59ba8fbb6763f2cc41b47d59ef177c90dc3535cd3a38720b9

SHA512
938c3a59895d861eb67a56f365fd387b122d42ff7bb52e5014faa738150d1eed2cd4a52b231ff70f1184fd7e3f0eb991096813b9933e574a7b4383f768384b04

Download Submit
C:\Program Files (x86)\HTV\HTV.exe

Filesize
473KB

MD5
17535dddecf8cb1efdba1f1952126547

SHA1
a862a9a3eb6c201751be1038537522a5281ea6cb

SHA256
1a3d28ac6359e58aa656f4734f9f36b6c09badadcf9fb900b9b118d90c38a9dd

SHA512
b4f31b552ab3bb3dafa365aa7a31f58674ae7ee82ce1d23457f2e7047431430b00abb3b5498491725639daf583b526b278a737168cfdc4e9ec796dfbc14a53d8

Download Submit
C:\Program Files (x86)\HTV\Uninstall.exe

Filesize
43KB

MD5
916ced19a86ac3006f26ea60719dd648

SHA1
68278a4c3d5202fff273844d8e4b488fc1daddcd

SHA256
3dc70f9fc553517666be9008ebcfab2b044ff711036d49e40144e0dd97910734

SHA512
9c08cbca52a17f810f3892d66a72ff37c3af5a60ebe34f56e3937c933e265ae0e4207410f7778434cb203a76e36dc62df09a08f3b3f4338d35b44d5c5bc8bb28

Download Submit
C:\Program Files (x86)\HTV\menu.gif

Filesize
22KB

MD5
20fe009bce33b78dd40b48bc5f8accc6

SHA1
cd614d9b9e088eecb7e63722f61a39a0cf0ec196

SHA256
979c4b395172a53794b18d996df95c75c68d70ec3573aba66cdfe28c8d1cf0eb

SHA512
f6be54be78bfdf770c7c131c5d108b0b33376886b9b4a66598e2c92543a2e83ffafdaea36b9d749784a978d4327cdf52ce0ac6feb9a28d683162b0b3f2f40a37

Download Submit
C:\Program Files (x86)\HTV\qs.html

Filesize
1KB

MD5
40d00fa24b9cc44fbf2d724842808473

SHA1
c0852aa2fb916c051652a8b2142ffb9d8c7ac87a

SHA256
35b0f1bb808e1623ad534fbc1e72cea25ac28f71340e9c543f01d1bfdd094035

SHA512
9eb750e08ca9750988290626ae8ed32a2ecfa7c8ca021b3e26b3da0a94de952b991a9a6a0ad5729d7d5ccf7b3b36fb36fd24047f705d0468ad04908ba8a7154c

Download Submit
C:\Program Files (x86)\HTV\tray.gif

Filesize
7KB

MD5
0ac69330c3b9181b8a109fddb91fa128

SHA1
ef9698ccce041ce8ba3f4af37d0c2b577f19b375

SHA256
e675fecb791ed568aae7f1c24b159f7c0f7e23fe8a7ce76f72b3dd1a4ac00e9d

SHA512
3a74c04baf3e1e842c0a2568a6480e4ece05baef31171397763de638c6e5b0d26255cf1d7802ea53c355563b8e4b600d24d04afb5168fbc54f66414445327749

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Ardamax Keylogger.lnk

Filesize
1019B

MD5
5c8fde87fbf0a612fc218f777f8a9e99

SHA1
091b06792a6c17f95788a60723322d5d9ffda430

SHA256
44b95a63ed854ed8ecd5462230559d8e185eafa5e04e09325804e4294c352660

SHA512
936128803d01ae4c113d06365bce41c487b43472376e4cd2bf96cd51d05e56867508bced7e3a138cd3e39e71b849fccbe3d6cd19ef2ba0aa18a478454ce09d2c

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Help.lnk

Filesize
975B

MD5
851c053df53510abdcc4499546c891ad

SHA1
cd324707de04a2af37194585f248256736702d58

SHA256
d89759a1367b35a883debcbaace11c4ff7820c48b74467e5f474b1adf0f2dd5d

SHA512
afe5a1aa5fd15d832a533efeb62154e837b23e1374a8da8fc3a9dbe7b9f3395129217c34ed63c505d91745e5a7bc3bd74191cc1fc1dbc5ccd0886acafdbc866f

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Log Viewer.lnk

Filesize
1KB

MD5
3b4b08e9e9376a2b82cfaf05843e61ab

SHA1
824edcad4e9e0628fac41d31e2c104cab0267724

SHA256
a58848853b7dd3c25392b428397fbf7cdc437fd998b8f75dfe55c730329f144f

SHA512
248359f1a884f42a9a06f2beac1c24655823cb7e3c76cdb71adeddb63a6c3b6f5bdf75c3fff21f370b771ad059dc9e9f6e8ae7805f65608812946053f21c2c36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ae22a15d4fbdaf7e79b8bb6a082738bd

SHA1
d51693c18199bf7d53c716c78b2cf29cf5597ee0

SHA256
52c90e75646bbdcc3ebc1af8507d99a5bb19ff4bc19f262289b9cf3b8f196308

SHA512
da46b58ceddca093d886ffb5557f318058fac249ebb64bcd60eca8bfe4a956611d50e403622d9965038df36eef9050c7f7f59de32c837f8f7cd9806b71b88a18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
023544ed5dfe0c334d9954e1c2fb119f

SHA1
2f14c5077c8554b40f62bf44899241c6179f4fb2

SHA256
33fffcf1f7f5ff29cd5039186744158afa36bd21f6cecd0f18ec04ac92b6967d

SHA512
c44c87d0bc72c85b2a2373d0fcaacf9f4896511b130a5dc5a8e410e87042bab58b35fe1b25da002b353dc69537b2b962393c65483c366958753daa9ae59a3ceb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
23865f7e50bea764617ef68d1277f4f5

SHA1
440c0a94a68a64dd034e7c4982e9f3a2561acbfb

SHA256
3c2fe62fe73e4ace7dfae08224e8e339fabecb3a5d9360b22a139d404d241789

SHA512
92334d2ba4c56652af7940d2db032665007227a71e7ef2bfa131773000c6bd514be814e47408da179dcfa352853fe4ac057508b9714242d2c2e8dc2a094705e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi8270.tmp\InstallOptions.dll

Filesize
14KB

MD5
296a5f3179fa8d7a7a855eaf696ede44

SHA1
57aa5b71553ed282dd22c768e039a187f5c13f63

SHA256
ee0ad77e681c4d0fdf1d67df5f4ca03e6bdd8e3b05dfb47a83ad5c733ed62960

SHA512
bc527d1485f468e8d098057e0e38e8cb7aa6eb64d4ca30927b99b1552a3177b132b989015ff95bdf2ca046bf11a54b4b456f51e024fbc734fbb548c3499e53f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi8270.tmp\ioSpecial.ini

Filesize
793B

MD5
ca83c2e9894befc2b21be316099405b6

SHA1
4e85b1ea4dfbf68fc421a8efedb5f10394c79cfa

SHA256
8f04e527624d5fba6173600ea59962dc4fbccf22206ed8ce85900faeae7378be

SHA512
97ac8651fa36de003a33ef4897e99839153827ccc36a5965333ade0dbf61640c2065a62b5f19ce5a122bbd5b9ba88f477bb2aec2564fbf94359ca5b46a72be22

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi8270.tmp\ioSpecial.ini

Filesize
719B

MD5
707227c7a7be19317ded238dae24b419

SHA1
7f24b94204393b6ea6fa1181ebda43fba3cdf76b

SHA256
f25061b068a2369f328b77057cb4bb1c68f36cfb1819ed5a43e03e070072c849

SHA512
411e74982b6af7748db28ed48a739f2cbe4a726a668d9568c5082a52176f5230f5c01a6ede5fd6d0583647bb41379497722aa0530ec1aa9c3fd4effdb175bcab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi8270.tmp\ioSpecial.ini

Filesize
784B

MD5
3bc9b1a7bbe76b9ee9c81a4906341b1f

SHA1
bb5117527ba2d965ecab09b45c77545d302b2057

SHA256
3f8ad608a34978f6b9ae1fd757a1183cff4619b4c484872fbcb3f0ca4e4da229

SHA512
0c7a90dd34862c0bd5d1ed1d56ed084d25aa8f755ab2c8f201238887d1c9a30eebb0e673a0c052ce87e1a8d72c1e302f174bb38e04550bd366352876c04c8d37

Download Submit
memory/3112-220-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/3112-161-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download