ardamax | e69427adf800b7e159974e58fe448623a7c6d256639300ed339d037cbcedeb46

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
05/02/2025, 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a08cb337ee4ccfc09686ccc94ff56138.exe
Size

452KB
MD5

a08cb337ee4ccfc09686ccc94ff56138
SHA1

bea928651c2f4de1db59ab94eeba60c970e41540
SHA256

e69427adf800b7e159974e58fe448623a7c6d256639300ed339d037cbcedeb46
SHA512

3126c1552c6bf779e85ed46fb938dd10fe5e8bcb9c5cfbe1190b02f6a3afb578d09eaf6c5336fba519f92561f32ce312e76cf52f0764812d7d3b1d6ab3a0a13e
SSDEEP

12288:APMCMagGoScmptvV+84GZKNoSF3SW2D9cZ9:APMCMaZcmpt9l4GZKrFiWGs

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023c67-160.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	JaffaCakes118_a08cb337ee4ccfc09686ccc94ff56138.exe

Executes dropped EXE 2 IoCs

pid	Process
2628	Decrypted.exe
2884	HTV.exe

Loads dropped DLL 2 IoCs

pid	Process
2628	Decrypted.exe
2884	HTV.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HTV Agent = "C:\\Program Files (x86)\\HTV\\HTV.exe"	HTV.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\HTV\HTV.exe	Decrypted.exe
File created	C:\Program Files (x86)\HTV\HTV.006	Decrypted.exe
File created	C:\Program Files (x86)\HTV\HTV.007	Decrypted.exe
File created	C:\Program Files (x86)\HTV\HTV.003	Decrypted.exe
File created	C:\Program Files (x86)\HTV\HTV.004	Decrypted.exe
File created	C:\Program Files (x86)\HTV\HTV.001	HTV.exe
File opened for modification	C:\Program Files (x86)\HTV	HTV.exe
File created	C:\Program Files (x86)\HTV\AKV.exe	Decrypted.exe
File created	C:\Program Files (x86)\HTV\qs.html	Decrypted.exe
File created	C:\Program Files (x86)\HTV\tray.gif	Decrypted.exe
File created	C:\Program Files (x86)\HTV\menu.gif	Decrypted.exe
File created	C:\Program Files (x86)\HTV\HTV.chm	Decrypted.exe
File created	C:\Program Files (x86)\HTV\Uninstall.exe	Decrypted.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1816	2128	WerFault.exe	84
4976	2128	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a08cb337ee4ccfc09686ccc94ff56138.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Decrypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HTV.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0003000000022a8c-7.dat	nsis_installer_1
behavioral2/files/0x0007000000023c75-174.dat	nsis_installer_1

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3016	msedge.exe
3016	msedge.exe
2020	msedge.exe
2020	msedge.exe
4740	identity_helper.exe
4740	identity_helper.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2884	HTV.exe
Token: SeIncBasePriorityPrivilege	2884	HTV.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2884	HTV.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
2884	HTV.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2128	JaffaCakes118_a08cb337ee4ccfc09686ccc94ff56138.exe
2884	HTV.exe
2884	HTV.exe
2884	HTV.exe
2884	HTV.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2628	2128	JaffaCakes118_a08cb337ee4ccfc09686ccc94ff56138.exe	86
PID 2128 wrote to memory of 2628	2128	JaffaCakes118_a08cb337ee4ccfc09686ccc94ff56138.exe	86
PID 2128 wrote to memory of 2628	2128	JaffaCakes118_a08cb337ee4ccfc09686ccc94ff56138.exe	86
PID 2628 wrote to memory of 2884	2628	Decrypted.exe	93
PID 2628 wrote to memory of 2884	2628	Decrypted.exe	93
PID 2628 wrote to memory of 2884	2628	Decrypted.exe	93
PID 2628 wrote to memory of 2020	2628	Decrypted.exe	94
PID 2628 wrote to memory of 2020	2628	Decrypted.exe	94
PID 2020 wrote to memory of 4568	2020	msedge.exe	95
PID 2020 wrote to memory of 4568	2020	msedge.exe	95
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 4396	2020	msedge.exe	96
PID 2020 wrote to memory of 3016	2020	msedge.exe	97
PID 2020 wrote to memory of 3016	2020	msedge.exe	97
PID 2020 wrote to memory of 2240	2020	msedge.exe	98
PID 2020 wrote to memory of 2240	2020	msedge.exe	98
PID 2020 wrote to memory of 2240	2020	msedge.exe	98
PID 2020 wrote to memory of 2240	2020	msedge.exe	98
PID 2020 wrote to memory of 2240	2020	msedge.exe	98
PID 2020 wrote to memory of 2240	2020	msedge.exe	98
PID 2020 wrote to memory of 2240	2020	msedge.exe	98
PID 2020 wrote to memory of 2240	2020	msedge.exe	98
PID 2020 wrote to memory of 2240	2020	msedge.exe	98
PID 2020 wrote to memory of 2240	2020	msedge.exe	98
PID 2020 wrote to memory of 2240	2020	msedge.exe	98
PID 2020 wrote to memory of 2240	2020	msedge.exe	98

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a08cb337ee4ccfc09686ccc94ff56138.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a08cb337ee4ccfc09686ccc94ff56138.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\Decrypted.exe
  "C:\Users\Admin\AppData\Local\Temp\Decrypted.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Program Files (x86)\HTV\HTV.exe
    "C:\Program Files (x86)\HTV\HTV.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Program Files (x86)\HTV\qs.html
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffd951746f8,0x7ffd95174708,0x7ffd95174718
      4⤵
      PID:4568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,13889811180747284585,11839603886750175726,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
      4⤵
      PID:4396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,13889811180747284585,11839603886750175726,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,13889811180747284585,11839603886750175726,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
      4⤵
      PID:2240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13889811180747284585,11839603886750175726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
      4⤵
      PID:4388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13889811180747284585,11839603886750175726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
      4⤵
      PID:560
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,13889811180747284585,11839603886750175726,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
      4⤵
      PID:940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,13889811180747284585,11839603886750175726,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13889811180747284585,11839603886750175726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
      4⤵
      PID:644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13889811180747284585,11839603886750175726,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
      4⤵
      PID:4472
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13889811180747284585,11839603886750175726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
      4⤵
      PID:3812
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13889811180747284585,11839603886750175726,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
      4⤵
      PID:3600
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,13889811180747284585,11839603886750175726,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1268
  2⤵
  - Program crash
  PID:1816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1188
  2⤵
  - Program crash
  PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2128 -ip 2128
1⤵
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2128 -ip 2128
1⤵
PID:3592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\HTV\AKV.exe

Filesize
411KB

MD5
38defc8742dcd7b684e5ae1193e7e668

SHA1
5710271eb398f63f0f0b209c46460ff9665df9bb

SHA256
b74a277270efc272bef1e264dc11289b7f13c651ac7640745df46bf6792c36d1

SHA512
46cc4b677af570905ac0c36b4e85030a618cefd6e4eb4eb4fc850ad2df45c14233024f0aa655e28649212aa42bf74499a91a682750748f75132aa18d1464cb84

Download Submit
C:\Program Files (x86)\HTV\HTV.003

Filesize
4KB

MD5
102f90f4f42551b2acd64923065a2b56

SHA1
18bbbd1a10b603e05816f5a2baf9a6bed74346a3

SHA256
623f4b9a4910c8815d2ab19696668258ff2c30c3adac8967d616f7e60ec619fd

SHA512
2c8338799bcd64083dbe8b0e763424962dd024c52996bae590500b7d844595b539549b6c239f68f3866d5fda9db10808e8e9b489031a1e942bc34277f9a1d9d3

Download Submit
C:\Program Files (x86)\HTV\HTV.004

Filesize
14KB

MD5
3477d480e0926c0e1db268c45e89ef34

SHA1
79fe98f09535ac519f6eb17e93671a98f83f8daf

SHA256
1be93d875cd8a60f074c1be0c6decee3026bb16489815c75f08e1d5dbd7d0786

SHA512
9b4f71e669c341d743143c63265f2e46c61b68c77e4bdf8a337e5fced3afc183a516c06e4c022e4b96c510b6478120376e5a3cd504a8da148026c8ccbc61ab1c

Download Submit
C:\Program Files (x86)\HTV\HTV.006

Filesize
8KB

MD5
e44628a2b8e2044ebb635eed3d5f79d9

SHA1
87120d6466ae60ea0df734c578f371c5c77acf3a

SHA256
6742a87a0df8e620ff5314729c94cfaa738daf172220868cb748b09bb4e72ca4

SHA512
ab1ec2ced331a14d60976338715cb9a09144b784d5c3fbcee139e85f843cab9aaa6627ae7a2f7f9d82cda5297fcc045e97385639397acb252bb18ebf315db37e

Download Submit
C:\Program Files (x86)\HTV\HTV.007

Filesize
5KB

MD5
75d6279af7fa9545ba7b7b01a85d2e12

SHA1
2fa39502b0aaa872712068747ff4f0800e955898

SHA256
189a54410440caab60ed99dadf5fed2edcb0d36e5ed3e9a59be41026662bbc0e

SHA512
26c21d6e68fef49d988d4e20da9df164760318087752d4d872275efdc0c667fc31426a916acb8eeb65a0acf20ce3bd3c8953bd34cd83cc46cf44c329469f2ae9

Download Submit
C:\Program Files (x86)\HTV\HTV.chm

Filesize
33KB

MD5
227bd05542ae9a4b1921fcaef782a296

SHA1
6a871be45e260b2b453a9023ed21d902264e41a8

SHA256
9d5f4d6deeaf6c0790f56fd4d08f85c08c2cc1a904e72e3247e8899b9594e589

SHA512
3e46d6fdbaf6ecb1a87cf21f0488626a12d3261e2fe3f95f4ece57730ba8d1e380e739c075b77f11c72f9ec32d8b6d283b88c0986bca97f9df91924289fe6e38

Download Submit
C:\Program Files (x86)\HTV\HTV.exe

Filesize
526KB

MD5
c4e65cee2c8eaf4a4c03852192f49156

SHA1
7c7b416d08056e2ecf215a6ce7126cf74ca3d87e

SHA256
95b5415e32ec93a15a060b6e461151632764cc7693e9d3525e495aa3c9ae1fb0

SHA512
59303381117ced1d99f67fbb10921e34f7ba066edb937ae6e27262941772a48fbe40b861a2954a1e40160b0661f1e2140377ee128ba9600715f6459b65c1bd72

Download Submit
C:\Program Files (x86)\HTV\Uninstall.exe

Filesize
43KB

MD5
36d61f16851f6ff7537cd672cde19c57

SHA1
278e894d2e0840fbc64f0dde1a446e38999976c1

SHA256
9596a187b40bde4dc4d2785eb4a7d1fcdb4e9ab942a045992a0cf1d498d19c41

SHA512
5eb310223e82af0d74745c384ba032e7e93c612faca5ae961a59e36a3c93b382dfdc060b411adcac68bdb2483042b8537819d9c90715a5b133cb9f9fff56e478

Download Submit
C:\Program Files (x86)\HTV\menu.gif

Filesize
22KB

MD5
20fe009bce33b78dd40b48bc5f8accc6

SHA1
cd614d9b9e088eecb7e63722f61a39a0cf0ec196

SHA256
979c4b395172a53794b18d996df95c75c68d70ec3573aba66cdfe28c8d1cf0eb

SHA512
f6be54be78bfdf770c7c131c5d108b0b33376886b9b4a66598e2c92543a2e83ffafdaea36b9d749784a978d4327cdf52ce0ac6feb9a28d683162b0b3f2f40a37

Download Submit
C:\Program Files (x86)\HTV\qs.html

Filesize
1KB

MD5
40d00fa24b9cc44fbf2d724842808473

SHA1
c0852aa2fb916c051652a8b2142ffb9d8c7ac87a

SHA256
35b0f1bb808e1623ad534fbc1e72cea25ac28f71340e9c543f01d1bfdd094035

SHA512
9eb750e08ca9750988290626ae8ed32a2ecfa7c8ca021b3e26b3da0a94de952b991a9a6a0ad5729d7d5ccf7b3b36fb36fd24047f705d0468ad04908ba8a7154c

Download Submit
C:\Program Files (x86)\HTV\tray.gif

Filesize
7KB

MD5
0ac69330c3b9181b8a109fddb91fa128

SHA1
ef9698ccce041ce8ba3f4af37d0c2b577f19b375

SHA256
e675fecb791ed568aae7f1c24b159f7c0f7e23fe8a7ce76f72b3dd1a4ac00e9d

SHA512
3a74c04baf3e1e842c0a2568a6480e4ece05baef31171397763de638c6e5b0d26255cf1d7802ea53c355563b8e4b600d24d04afb5168fbc54f66414445327749

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Ardamax Keylogger.lnk

Filesize
1019B

MD5
033486416bd3f55f22e4e091dc711217

SHA1
ca43b447f425c9b00e3d9b5ab5a656fd1c8896a8

SHA256
8770d7a3afc1356224859a8f487b4032ded58dcbc982052f1e5f3afafbb57cc5

SHA512
7ab9139244d989b2a7a347960c010368c29dc93d08a5038009b274fd7c87a7e999c33c404cfa0a17b7f4c7a87a4db3954f784a15c3cc22df14d36a23a70cf0f6

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Help.lnk

Filesize
975B

MD5
f49be197827b084c5a6bdc7ec6c420c2

SHA1
decbefe7423865ec84cf4717f521bea5db7ceb0d

SHA256
b95fe5bc76079902c81087650591a3fb57b7544227e1e7c418b65a034107df8f

SHA512
f0108f7c741eb5e666e32e83d0ebab8ded92187513a11731d91fdc148ba30da92c9c48c50f69853e813b3a2cfcf93e1e42f9fb8779b5f89cf862b46e85b24cec

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Log Viewer.lnk

Filesize
1KB

MD5
8d9bc1317b087075c4d93c0a98778266

SHA1
9ea173c047abecbfb3adcb42e8bff111eeea1048

SHA256
80daa7171dc86e36c4c5142232f089791f514cc598cbed00fb21efc153d39cd6

SHA512
586521d251521f8166c56bba1739ca51345fa123a079f6a31754d9ed53bcd89cde09022f2ffaa78e7b118755eb0f21538be4f9b66e04f13472cea64e96ea2983

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
709e5bc1c62a5aa20abcf92d1a3ae51c

SHA1
71c8b6688cd83f8ba088d3d44d851c19ee9ccff6

SHA256
aa718e97104d2a4c68a9dad4aae806a22060702177f836403094f7ca7f0f8d4e

SHA512
b9fc809fbb95b29336e5102382295d71235b0e3a54828b40380958a7feaf27c6407461765680e1f61d88e2692e912f8ec677a66ff965854bea6afae69d99cf24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bc29044ff79dd25458f32c381dc676af

SHA1
f4657c0bee9b865607ec3686b8d4f5d4c2c61cd7

SHA256
efe711204437661603d6e59765aba1654678f2093075c1eb2340dc5e80a1140f

SHA512
3d484f755d88c0485195b247230edb79c07cc0941dedbf2f34738ae4f80ba90595f5094c449b213c0c871ade6aff0a14d4acfe843186e2421ccbad221d34bf54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
27cf613069e638905d0ff7a8b814111c

SHA1
85a6b86f5a2a265f54dd8dea83ff6ad6d2654a9b

SHA256
020953b327cf3cce93c4e7ab4178cbb10ac4cd137c2baa11acefb1341680a430

SHA512
04e529372612625f8d95c5b48e84574fbea7805bbd93fbbb415c669e75b49b2b3007cb8e72aa3bf91bd9d3f9bf3a29f1225c1d4ab9fc53c85912bf48d83debf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
863dbe6d12b89c91a52ee3c97ca5e45a

SHA1
f7bdddc211bb1cd1467f4e78111b85dac2eb9f8b

SHA256
23a93a6d474851ffee9cba229f638bcd353cd86f9e553dbcccc91f203944af7a

SHA512
e96a58dcd299a209862846ec4b1d209e328818a17362823ba3eac952f1b201b1b8c16f2570df727c71d796a614118f129e7cb93aab3c4debbcdc54555fe238d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d75c4b3afd8bd6ae6ca2afb0d6245148

SHA1
943db392413754c4e408ecc831d72c5423362713

SHA256
1e558956e710bcd21ce40ebc016bf6f309f55df5c8f4879dc13543bfba7c538a

SHA512
5ed6487d87cd5832064c4a3e8be6dab52832d0623cbda41dae91584150fb70aa62ff49c002f80d49844f5d35dcded227ece15c60cad6743a77f61034e801a9df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Decrypted.exe

Filesize
432KB

MD5
eca6bbd19ddcdd12e49561538fbaba17

SHA1
4c95e5c51fb3a49734f21437a5a010ee83849f50

SHA256
6ed2759f8fb3578ec61f19f6198240b07819dff80938ffa6d8f7b43dcf03b40e

SHA512
7309e9e2805c2a757b140e92d2ecfa747409840232b4d7471c340bae2549670125b1a30add04d93390d68ba33e65032bad0b43188269704ecaf6ddab60c79aaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstB529.tmp\InstallOptions.dll

Filesize
14KB

MD5
32aa6334fc543e70ef0f792bb9a0c45a

SHA1
54be1f5004f7e5afe7c9ba160495076ea2a4d60c

SHA256
610e54bcfc2831d4f9d7030ceb16d35ee33006403d842f01b6e75bebea0083e2

SHA512
ac92116821a032de8df64bf9aea9c6ba4040467eebaa4e028c2bf031f1c81bb69531288b9d89d951b952fe0b4ecccade874a5ae76d04db8b4dee2d13c486f9ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstB529.tmp\ioSpecial.ini

Filesize
793B

MD5
d128966be7b7042a3493956b298224e0

SHA1
6e86a5511c4a3cbd59a0dfbabf2d9e4616f4e4cf

SHA256
064d75a15a250ff47bf74d832890d964d1c84b995a0fc4d0008d00d654c6d338

SHA512
c66a507556a6efad7a3650f36cc883ac904df61b8e4e146c92231fefb73569e4802f979a7a1e50231773b68892aa4866938d4613873ee101fdae690ef935c0f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstB529.tmp\ioSpecial.ini

Filesize
719B

MD5
0eef74777e7504d0e7f7fd0ab4ef96f3

SHA1
d1c7a9ac7b476f145ff2770f33aa899fb790c4bc

SHA256
981108169511861e8267110774ae3bb024aeb713d5c7ed9d1547a692e139afe1

SHA512
402ae93209b682442411432214eccfb305127424cf143fcd330271c08637da030eec254efb7251831211febb553dc4141bd580a10e75973a8baa53cadec40689

Download Submit
memory/2128-18-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2128-0-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2884-244-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2884-179-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download