ardamax | e69427adf800b7e159974e58fe448623a7c6d256639300ed339d037cbcedeb46

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/02/2025, 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a08cb337ee4ccfc09686ccc94ff56138.exe
Size

452KB
MD5

a08cb337ee4ccfc09686ccc94ff56138
SHA1

bea928651c2f4de1db59ab94eeba60c970e41540
SHA256

e69427adf800b7e159974e58fe448623a7c6d256639300ed339d037cbcedeb46
SHA512

3126c1552c6bf779e85ed46fb938dd10fe5e8bcb9c5cfbe1190b02f6a3afb578d09eaf6c5336fba519f92561f32ce312e76cf52f0764812d7d3b1d6ab3a0a13e
SSDEEP

12288:APMCMagGoScmptvV+84GZKNoSF3SW2D9cZ9:APMCMaZcmpt9l4GZKrFiWGs

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x00080000000192a9-27.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2976	Decrypted.exe
2596	HTV.exe

Loads dropped DLL 16 IoCs

pid	Process
2280	JaffaCakes118_a08cb337ee4ccfc09686ccc94ff56138.exe
2976	Decrypted.exe
2976	Decrypted.exe
2976	Decrypted.exe
2976	Decrypted.exe
2976	Decrypted.exe
2976	Decrypted.exe
2976	Decrypted.exe
2976	Decrypted.exe
2596	HTV.exe
2596	HTV.exe
2596	HTV.exe
2596	HTV.exe
2596	HTV.exe
2596	HTV.exe
1784	IEXPLORE.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HTV Agent = "C:\\Program Files (x86)\\HTV\\HTV.exe"	HTV.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\HTV\HTV.001	HTV.exe
File created	C:\Program Files (x86)\HTV\HTV.exe	Decrypted.exe
File created	C:\Program Files (x86)\HTV\tray.gif	Decrypted.exe
File created	C:\Program Files (x86)\HTV\HTV.003	Decrypted.exe
File created	C:\Program Files (x86)\HTV\HTV.004	Decrypted.exe
File created	C:\Program Files (x86)\HTV\AKV.exe	Decrypted.exe
File created	C:\Program Files (x86)\HTV\qs.html	Decrypted.exe
File created	C:\Program Files (x86)\HTV\menu.gif	Decrypted.exe
File created	C:\Program Files (x86)\HTV\HTV.chm	Decrypted.exe
File created	C:\Program Files (x86)\HTV\HTV.006	Decrypted.exe
File created	C:\Program Files (x86)\HTV\HTV.007	Decrypted.exe
File created	C:\Program Files (x86)\HTV\Uninstall.exe	Decrypted.exe
File opened for modification	C:\Program Files (x86)\HTV	HTV.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2376	2280	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a08cb337ee4ccfc09686ccc94ff56138.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Decrypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HTV.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0009000000012117-5.dat	nsis_installer_1
behavioral1/files/0x0005000000019629-44.dat	nsis_installer_1

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000007417315e75c2a4387d04d5e1819600200000000020000000000106600000001000020000000e6d7375a40dfcd4cd61138f1f776b229e23da3d5757c384d5db1d3b895867b9e000000000e8000000002000020000000dbd66f91d701e9472ef44744dd460d8f733531d83073f32c92779478ab0e2a45900000003f0e27188e5c8f8e6d54949b3156f55e90430ba95866aedfff308c6786d10cf97ea13a6b89b491e872e8a030be1ddc2c08a87c99870c30e5a8ccd262873220d8ee7de45b6cd5e3469f64723ef30065da0d0d6336c13eb15803f32c6359645a97915860ca87c0838f6aca5d2965f71665f99d2946ca61d64334a93b43e5802941aaf870783fcc7d15b8cac216ce61896040000000338e79b32599c70ffbbee3b7cb6603571d0d6dba5c89fe3a79acb91a8f3cb4b7ce77153bac291b4d807750b90ea65055037342ecb90bebc2ec5e67a29c5c40dc	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 604d87d2da77db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FE148061-E3CD-11EF-9CB9-62CAC36041A9} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000007417315e75c2a4387d04d5e1819600200000000020000000000106600000001000020000000b618b3bc08c3f27c8a81e775cb95d4227c9a83dda2ecbc878febbd432202652f000000000e80000000020000200000009897b060aff2a0a61135597c9e07868a5898ea81ee55718c83a4ec7a8118d98f20000000f2a9fcc72adcf1bcd060df673350195626f0dbd6dd983800910d7871ccef281940000000c83b5cd64bc05b4aaa0f6735de68943dbb6f321dbdbed6face3c51f54356ba27baf194bd88ad5ec2b18e236ee7623dd596be9ac9ecd3aea5ae9611141ec4f74d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "444927802"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2596	HTV.exe
Token: SeIncBasePriorityPrivilege	2596	HTV.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2596	HTV.exe
380	iexplore.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2596	HTV.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2280	JaffaCakes118_a08cb337ee4ccfc09686ccc94ff56138.exe
2596	HTV.exe
2596	HTV.exe
2596	HTV.exe
2596	HTV.exe
380	iexplore.exe
380	iexplore.exe
1784	IEXPLORE.EXE
1784	IEXPLORE.EXE
1784	IEXPLORE.EXE
1784	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2976	2280	JaffaCakes118_a08cb337ee4ccfc09686ccc94ff56138.exe	30
PID 2280 wrote to memory of 2976	2280	JaffaCakes118_a08cb337ee4ccfc09686ccc94ff56138.exe	30
PID 2280 wrote to memory of 2976	2280	JaffaCakes118_a08cb337ee4ccfc09686ccc94ff56138.exe	30
PID 2280 wrote to memory of 2976	2280	JaffaCakes118_a08cb337ee4ccfc09686ccc94ff56138.exe	30
PID 2280 wrote to memory of 2976	2280	JaffaCakes118_a08cb337ee4ccfc09686ccc94ff56138.exe	30
PID 2280 wrote to memory of 2976	2280	JaffaCakes118_a08cb337ee4ccfc09686ccc94ff56138.exe	30
PID 2280 wrote to memory of 2976	2280	JaffaCakes118_a08cb337ee4ccfc09686ccc94ff56138.exe	30
PID 2280 wrote to memory of 2376	2280	JaffaCakes118_a08cb337ee4ccfc09686ccc94ff56138.exe	31
PID 2280 wrote to memory of 2376	2280	JaffaCakes118_a08cb337ee4ccfc09686ccc94ff56138.exe	31
PID 2280 wrote to memory of 2376	2280	JaffaCakes118_a08cb337ee4ccfc09686ccc94ff56138.exe	31
PID 2280 wrote to memory of 2376	2280	JaffaCakes118_a08cb337ee4ccfc09686ccc94ff56138.exe	31
PID 2976 wrote to memory of 2596	2976	Decrypted.exe	33
PID 2976 wrote to memory of 2596	2976	Decrypted.exe	33
PID 2976 wrote to memory of 2596	2976	Decrypted.exe	33
PID 2976 wrote to memory of 2596	2976	Decrypted.exe	33
PID 2976 wrote to memory of 2596	2976	Decrypted.exe	33
PID 2976 wrote to memory of 2596	2976	Decrypted.exe	33
PID 2976 wrote to memory of 2596	2976	Decrypted.exe	33
PID 2976 wrote to memory of 380	2976	Decrypted.exe	34
PID 2976 wrote to memory of 380	2976	Decrypted.exe	34
PID 2976 wrote to memory of 380	2976	Decrypted.exe	34
PID 2976 wrote to memory of 380	2976	Decrypted.exe	34
PID 380 wrote to memory of 1784	380	iexplore.exe	35
PID 380 wrote to memory of 1784	380	iexplore.exe	35
PID 380 wrote to memory of 1784	380	iexplore.exe	35
PID 380 wrote to memory of 1784	380	iexplore.exe	35
PID 380 wrote to memory of 1784	380	iexplore.exe	35
PID 380 wrote to memory of 1784	380	iexplore.exe	35
PID 380 wrote to memory of 1784	380	iexplore.exe	35

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a08cb337ee4ccfc09686ccc94ff56138.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a08cb337ee4ccfc09686ccc94ff56138.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Local\Temp\Decrypted.exe
  "C:\Users\Admin\AppData\Local\Temp\Decrypted.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Program Files (x86)\HTV\HTV.exe
    "C:\Program Files (x86)\HTV\HTV.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2596
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Program Files (x86)\HTV\qs.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:380
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:380 CREDAT:275457 /prefetch:2
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1784
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 480
  2⤵
  - Program crash
  PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\HTV\HTV.003

Filesize
4KB

MD5
102f90f4f42551b2acd64923065a2b56

SHA1
18bbbd1a10b603e05816f5a2baf9a6bed74346a3

SHA256
623f4b9a4910c8815d2ab19696668258ff2c30c3adac8967d616f7e60ec619fd

SHA512
2c8338799bcd64083dbe8b0e763424962dd024c52996bae590500b7d844595b539549b6c239f68f3866d5fda9db10808e8e9b489031a1e942bc34277f9a1d9d3

Download Submit
C:\Program Files (x86)\HTV\HTV.004

Filesize
14KB

MD5
3477d480e0926c0e1db268c45e89ef34

SHA1
79fe98f09535ac519f6eb17e93671a98f83f8daf

SHA256
1be93d875cd8a60f074c1be0c6decee3026bb16489815c75f08e1d5dbd7d0786

SHA512
9b4f71e669c341d743143c63265f2e46c61b68c77e4bdf8a337e5fced3afc183a516c06e4c022e4b96c510b6478120376e5a3cd504a8da148026c8ccbc61ab1c

Download Submit
C:\Program Files (x86)\HTV\HTV.006

Filesize
8KB

MD5
e44628a2b8e2044ebb635eed3d5f79d9

SHA1
87120d6466ae60ea0df734c578f371c5c77acf3a

SHA256
6742a87a0df8e620ff5314729c94cfaa738daf172220868cb748b09bb4e72ca4

SHA512
ab1ec2ced331a14d60976338715cb9a09144b784d5c3fbcee139e85f843cab9aaa6627ae7a2f7f9d82cda5297fcc045e97385639397acb252bb18ebf315db37e

Download Submit
C:\Program Files (x86)\HTV\HTV.007

Filesize
5KB

MD5
75d6279af7fa9545ba7b7b01a85d2e12

SHA1
2fa39502b0aaa872712068747ff4f0800e955898

SHA256
189a54410440caab60ed99dadf5fed2edcb0d36e5ed3e9a59be41026662bbc0e

SHA512
26c21d6e68fef49d988d4e20da9df164760318087752d4d872275efdc0c667fc31426a916acb8eeb65a0acf20ce3bd3c8953bd34cd83cc46cf44c329469f2ae9

Download Submit
C:\Program Files (x86)\HTV\HTV.chm

Filesize
33KB

MD5
227bd05542ae9a4b1921fcaef782a296

SHA1
6a871be45e260b2b453a9023ed21d902264e41a8

SHA256
9d5f4d6deeaf6c0790f56fd4d08f85c08c2cc1a904e72e3247e8899b9594e589

SHA512
3e46d6fdbaf6ecb1a87cf21f0488626a12d3261e2fe3f95f4ece57730ba8d1e380e739c075b77f11c72f9ec32d8b6d283b88c0986bca97f9df91924289fe6e38

Download Submit
C:\Program Files (x86)\HTV\Uninstall.exe

Filesize
43KB

MD5
36d61f16851f6ff7537cd672cde19c57

SHA1
278e894d2e0840fbc64f0dde1a446e38999976c1

SHA256
9596a187b40bde4dc4d2785eb4a7d1fcdb4e9ab942a045992a0cf1d498d19c41

SHA512
5eb310223e82af0d74745c384ba032e7e93c612faca5ae961a59e36a3c93b382dfdc060b411adcac68bdb2483042b8537819d9c90715a5b133cb9f9fff56e478

Download Submit
C:\Program Files (x86)\HTV\menu.gif

Filesize
22KB

MD5
20fe009bce33b78dd40b48bc5f8accc6

SHA1
cd614d9b9e088eecb7e63722f61a39a0cf0ec196

SHA256
979c4b395172a53794b18d996df95c75c68d70ec3573aba66cdfe28c8d1cf0eb

SHA512
f6be54be78bfdf770c7c131c5d108b0b33376886b9b4a66598e2c92543a2e83ffafdaea36b9d749784a978d4327cdf52ce0ac6feb9a28d683162b0b3f2f40a37

Download Submit
C:\Program Files (x86)\HTV\qs.html

Filesize
1KB

MD5
40d00fa24b9cc44fbf2d724842808473

SHA1
c0852aa2fb916c051652a8b2142ffb9d8c7ac87a

SHA256
35b0f1bb808e1623ad534fbc1e72cea25ac28f71340e9c543f01d1bfdd094035

SHA512
9eb750e08ca9750988290626ae8ed32a2ecfa7c8ca021b3e26b3da0a94de952b991a9a6a0ad5729d7d5ccf7b3b36fb36fd24047f705d0468ad04908ba8a7154c

Download Submit
C:\Program Files (x86)\HTV\tray.gif

Filesize
7KB

MD5
0ac69330c3b9181b8a109fddb91fa128

SHA1
ef9698ccce041ce8ba3f4af37d0c2b577f19b375

SHA256
e675fecb791ed568aae7f1c24b159f7c0f7e23fe8a7ce76f72b3dd1a4ac00e9d

SHA512
3a74c04baf3e1e842c0a2568a6480e4ece05baef31171397763de638c6e5b0d26255cf1d7802ea53c355563b8e4b600d24d04afb5168fbc54f66414445327749

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Ardamax Keylogger.lnk

Filesize
950B

MD5
7d74c2e4e90c06b1e32eb41f37a7a1ee

SHA1
1235ba7817be15f7a6cb4e4754114a2915f50b82

SHA256
8562bb6e945ac15841c53da19105e6cecb53687e969320aeeb7e982de6633439

SHA512
bf62397e0fa034b58f8ae54cab10f6e9bf3e179348957f7bf0ad36ac1e6d4bf1f6c55a48213cc124c45fbf7768fb991067a5433d0c50245922750827679e47e8

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Help.lnk

Filesize
906B

MD5
28df3e36622201199816ea830e1a4fcb

SHA1
add22409d9bd04e02acd6a2a21a51ddce3b8bec2

SHA256
b89be775700bf30e08cda0ceced8dc6919893cd215ac9e76705eaf5fc6da9456

SHA512
63393bdda3b8cad2218e97247ec4661fdb41cfd8e80bfc853d1e21f77c40cd2d33558cdb0f0ea62e672ac7c356c76cde6c9ef61cea7bd0c3ac54a31ef00dc714

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Log Viewer.lnk

Filesize
964B

MD5
99ba4657087b81f46e9c56e59db703fb

SHA1
2b255691c69227b6f53f5095c232963ccb787f1f

SHA256
99f11d644acd4cc23f29f6fc4626ff54eba24ca4fc128567778751f7fc3a28e0

SHA512
427bd10316b784e69c5b70603cefa1a5d1b106e610b153f9c4db6a198845d3494205bc7c10c084aef4fb21087ee9f093ccc1e87c716cc9fe9b8423757f9be0f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f5495018b65279940f4ba4aae44f10f

SHA1
fcc9dc3359fdf83b40c78440fddb77554eabc857

SHA256
ff832b8133873c5255d192bf934ce95008f766086e0a74e2cd3e01697db51c11

SHA512
732d1b8f211a778ce0ecfaa6107badf824790912070c1e48e6c1e9fba512bf1dc4c40a6228c01b7b8ccc71147e311327aea58dd439d554fad36d3baa7de76ef5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2327d3097da129ff947cc61121f7712c

SHA1
f7f9362b05c5d123764fd2db4ae98fd4795fdcf8

SHA256
583812cfc446a7472331d0d4cdb6a6ae4af14c00bc8c5d9fc6e158796f973192

SHA512
7f21103f86d0d4c7339a594c57b3909b3249f58251559927b49216a93317ea8d25359b732a8c314b17fad74c2cd4da3df4cc2456ea9082d5d0857331f0225a87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d29987ec671a1e24618a49690f3c5331

SHA1
8c1ab9d3d2496f6aa4539cd35135286cf9699e9f

SHA256
5f1390a0ff0ba37eaf33418dc3211c4669844e17bdfeb0412db7f3dc0222e79d

SHA512
7eb917b7b5cca4329742808349bafc371d7e91e0532330bff2fba8bb52a468779503fed880bf565b4efbd7330442f711a5ab8edf51272c18a8e8e6992fc4d5c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
467e274bbdde3849feb94e22dc9dda77

SHA1
96bf7c73e2682bedad76e23ca1d782733ce67a34

SHA256
b0d61780020ea0830a18b4c7eba934971aa2d7612074634237b637c905355dbf

SHA512
4c0118bdf6914020f45f182dc711c2dbef71296bfc12efef452c7df791baa37c167b82571351e1bdd1c6103113d753b72c5184b9dee98dd2cc565035b1e99521

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
467de235667802f1cf426b1b851d267a

SHA1
b31f6ca2b5f694399c325e041a0e0b3d1b2322bd

SHA256
0387c68ea52d8028248716c8cfd882d3c4bc5e162b12b2e343fa15df81a289c2

SHA512
b643af28a1e966312e15edca2747a4b281b5c41679593d6a1967f455cbaf0a6765dba63534b16e00de8ebed57ff3907beadc14638b9b9be43e61335429739c98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37611a71a4aae6b48b10bdce41b6fcef

SHA1
2122afed52d0cd65edf45b5f455f15c96e96ca1e

SHA256
56923e0c06b98c2f0f5c2c9de2af1c80ed0332ba18d676346ed5c03883f5be3f

SHA512
6bfdb03f393fd89ccc390e8047ae251defe4b91d6f460a89a48c000dc5f2950f97bba5d9cf5d7d212db1fe7bce6d6c89d64e66bd0b2778ed24192cd40ada28b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7adcb40470a13714f0869c3f666f14d

SHA1
1bc210f39bc6d14c5e9a9b858a2517620c04eddf

SHA256
79947a101541a24447b7b3d4c463520d53f87d18097d97887f6967b121c4b1b3

SHA512
07519d684cbba1a029f9ef3642a80f7aa94e058603e01f17d31063460848e873f328599c11c4740b8669cc06bb8a0718821eb3a696bdf1f37a2c4db21c3e4500

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3684b1a926d3e2b110294874836814fa

SHA1
79a0af725bc96db535d7d336ea63d3acbc9a1f9d

SHA256
87d817605d7af83f58eb69c21a762f30b201961045fe890910c0c87088294515

SHA512
31011f060f72105739ae98de34a529dd07553540fda03d4473308dfa1f9f5c8b18da8c35d73050432fd2b8084b09e40dd77aa803f0790cb13d1e4fd43309e13e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6514e3a9f3d6b45f5e2b681bfff769a

SHA1
29b5c89f33d36d8d9f2ec78aa724bd692882621e

SHA256
6e506f57b136aaca6ba0c9fad39dac6e0338c6d6dec0b66e773a98482ee8bc99

SHA512
7e5f38393cb02b79ca46617e8137ff4d08764d0de34b075f5eba575ab2f9ab7012c9549a29255c4643b9dd9b31d23320c9ee700cc5d083704ff197c56a6616e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96f20cf6939bc57ca1e3d9ed842d7dc8

SHA1
8c36218b24623892f5a017e0ea47f005721e997d

SHA256
75f4a663650111b2592341e7f7d3a33ec525b2ff00a6cf95b731a71c1394c427

SHA512
3dd51ac9d23554b7df53f2682b68d0ace2dfbab56f0c04c92a08fb9536d85908207b1fafac314e9ed1fb97395a561160d29280e0902314ec975602ca0cba5b10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99c665efc66a80b0e15486129008341e

SHA1
925a4d7dddc7de25641caa0c31dab3a4d22241f5

SHA256
38863ed3ae419df87b3fef0fc8002d961f1a48ebaabcc283839d76ae35ebec42

SHA512
86503bb021924532b925c8e05220bbada926d4f9a0ddd33b1707349d973ab6994535ffedcbe16321e7ec4b74e9b53cbc2ebd6f5e12f04b606b879909244d35ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
778d1d021f8c8f85bc487df6cafbf673

SHA1
5aac89e4f61b8c97f6352bfaa7939393821107de

SHA256
adadf87b5a2a056a935586f51de426aa6b825d46204145d83f3f247e1f19dc96

SHA512
63376abffc559bd26e30a4f3e782221a05c8f9249a099c617da5aa4391b53083247f3c51a9eb1dd26f6c643224b4ed7e0c0a5caf8a5114694160ca2ca2e69d37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13cbd7dcf6f6708923ff64f09d399fa4

SHA1
27d75193e3c6780e4cbc5adbaff26add20d578c5

SHA256
cdbc28791dac870028fe738274bf6a3e748019abddbeee0d491123fb8c6aa812

SHA512
a9fe395071b84efa02f0482b36c3bcb9692df18020dec16b5447895ba6f0232a31ec2d5b5c38ab1d6344929666254de2d272c1e033784ec70befd4702288c35e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c306b86e7ccc27dd7b9c615440145602

SHA1
4f8369d123892027bcf5613b7202fcd47bd3152c

SHA256
cbda67cedcdf2bd2d19534391ebb21ea67c72aeb392a3aba84a27a3f583dbd4f

SHA512
17440ccbf38f18b057d245e7efa5118a4fe95f7784580528d6b1bd5b695298081612bbd2ad80116ab6d6918e4722bbf9c417ffaeea2803b32dd6d49e3b7db69e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d409cf3af6d00da2ea1ce1cf9ca4e9dc

SHA1
0502e73c3777f37e550d30a0e907bb2d4bcad2d3

SHA256
ef8914dd537cffa376123ebb9f2feb5e61cbbaa0ce009e21985373e3e59ae732

SHA512
8c8be07d23f0612deb3358a78f7fa8ca29b38dc969884b618c7112ce89bcda1a744efec9da16971dd0b605eb6553b2d0f77ac44dc712fbb7a236ce41a749dce7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8cfe6de98686ac759b0237ab1cb57e9

SHA1
1dfb4812b26f31f6c5d33c2e4acbd2d63081c92b

SHA256
c7bd253b98b7f457c052b9ad21fa3ebffd5bdcae3cf45736439037932f373348

SHA512
05c0d26561128d11ac0b6af1a16817080e7d7b9ceb314b1f924c195a277e0ae382a54b9df7911a59f99a94aa5c8ce0005363dcfeec4a465a4fab638a496611b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c641cad8d844e920a3696599bc4e222e

SHA1
7a46fa1028ce26baba88e389559ef39d810c7d6a

SHA256
cb88d3b00af0346d209aeddeb754fff3df902bf2d14bd6133ff15cf3fea1b400

SHA512
9244c709629f261b33759c3379ef23675e5eb3653573a5d158a26fe50c9ba61ef4b1dcbd80ecb694b22d7e07e11d090008f96fc7a07f8d84cf5cfa5d6522fa7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd645fcb04115658ddfee9c04cdae60e

SHA1
9d18de938bf64535af231a16eeac8d1b5041e668

SHA256
68f8bbad736ca142235c280ae65202cda99785ba594ab991fcb780ab7e76fce6

SHA512
d0f9dda9152b8eee68999abd2366569454fcf9118b0637ba990a7cfa284af877ded4fc93886734a0680fdb668d36431240d276477e8cde73039ed70daa7ad144

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0f98e933f61b7bd1df81909d77d362c

SHA1
c5377b0ef9e42d73028b40bd9e70eb8ed4c55692

SHA256
9c46cb38dfe6ad5f40db0b71123498f162775bbf93819d1f8352e79520b0ee9b

SHA512
efc53c9340e08ade6f5ffda3ebea06d30b1e352c8155dfee30aa805a266b25dc079a8c2747b261bdc56f8bdc242a17f022e3b73cbbeaf5fa356eb47b01cbd60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab321B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar32CA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstADAF.tmp\ioSpecial.ini

Filesize
719B

MD5
d16542b73ac9b3a4896671387ef1e590

SHA1
2cf0859a8a45c9c016f0b6f806945c937fdaa81e

SHA256
ec3af60e2be3f91f877a97a321147f5218ab5c94a6984e9c011f6ebb32426bcb

SHA512
87a888ea2d11902d4af491819f7165094f395ac89166164f9c93c945717c187961d4d5bae79c67390bd14e36a83a10ac53e8d33a8a980d99d5442a0f08c449ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstADAF.tmp\ioSpecial.ini

Filesize
784B

MD5
24cb1f67ed4194b6fb23f0c3202a9c61

SHA1
a72d6c8ef7e8b4da673bb3859860a9461e8013bf

SHA256
590e2c4c81531b7fd6ce0a058e15191e6d830c8f2af73aa0a0e0d0d239005aab

SHA512
70efdddb590f87ac29a0777f0a1608e021dec85e2846ae854ccb7d33eb57992ec1c0e9a93663f2f4f85e5f3ff9e072a6c3f3b6f799321a40c62c299c7d924e0e

Download Submit
\Program Files (x86)\HTV\AKV.exe

Filesize
411KB

MD5
38defc8742dcd7b684e5ae1193e7e668

SHA1
5710271eb398f63f0f0b209c46460ff9665df9bb

SHA256
b74a277270efc272bef1e264dc11289b7f13c651ac7640745df46bf6792c36d1

SHA512
46cc4b677af570905ac0c36b4e85030a618cefd6e4eb4eb4fc850ad2df45c14233024f0aa655e28649212aa42bf74499a91a682750748f75132aa18d1464cb84

Download Submit
\Program Files (x86)\HTV\HTV.exe

Filesize
526KB

MD5
c4e65cee2c8eaf4a4c03852192f49156

SHA1
7c7b416d08056e2ecf215a6ce7126cf74ca3d87e

SHA256
95b5415e32ec93a15a060b6e461151632764cc7693e9d3525e495aa3c9ae1fb0

SHA512
59303381117ced1d99f67fbb10921e34f7ba066edb937ae6e27262941772a48fbe40b861a2954a1e40160b0661f1e2140377ee128ba9600715f6459b65c1bd72

Download Submit
\Users\Admin\AppData\Local\Temp\Decrypted.exe

Filesize
432KB

MD5
eca6bbd19ddcdd12e49561538fbaba17

SHA1
4c95e5c51fb3a49734f21437a5a010ee83849f50

SHA256
6ed2759f8fb3578ec61f19f6198240b07819dff80938ffa6d8f7b43dcf03b40e

SHA512
7309e9e2805c2a757b140e92d2ecfa747409840232b4d7471c340bae2549670125b1a30add04d93390d68ba33e65032bad0b43188269704ecaf6ddab60c79aaf

Download Submit
\Users\Admin\AppData\Local\Temp\nstADAF.tmp\InstallOptions.dll

Filesize
14KB

MD5
32aa6334fc543e70ef0f792bb9a0c45a

SHA1
54be1f5004f7e5afe7c9ba160495076ea2a4d60c

SHA256
610e54bcfc2831d4f9d7030ceb16d35ee33006403d842f01b6e75bebea0083e2

SHA512
ac92116821a032de8df64bf9aea9c6ba4040467eebaa4e028c2bf031f1c81bb69531288b9d89d951b952fe0b4ecccade874a5ae76d04db8b4dee2d13c486f9ae

Download Submit
memory/2280-0-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2280-20-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads