ardamax | dd95ff1cd98b08e9c099e668053ce125c5feed1820d8e1b1f03b422010417b00

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
08-02-2025 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c69a4d5254922580b97027536e71354f.exe
Size

417KB
MD5

c69a4d5254922580b97027536e71354f
SHA1

65af75ea166bfeb08774967e4aa61dc1810e90f2
SHA256

dd95ff1cd98b08e9c099e668053ce125c5feed1820d8e1b1f03b422010417b00
SHA512

c86b4bc19816f700c4ba01521b227b5651c1dd93960dce1902b1cb6aca668ff71cf88a33ae22cfeb47020d87398cdc18e6563b78a6cfd922f71b8f48c7a5fcbf
SSDEEP

6144:j8PoYDUEeS6nca0WPwduwuh/u/mZpZg0a6itWkJZpVpBpeFTBjzP0UPQ4KNICn8e:3YUS2hVEuXwb6iI2lDpeFtzP0riCCg

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000e000000023cf0-149.dat	family_ardamax

Downloads MZ/PE file 1 IoCs

flow	pid	Process
31	2900	Process not Found

Executes dropped EXE 1 IoCs

pid	Process
3840	HTV.exe

Loads dropped DLL 4 IoCs

pid	Process
1968	JaffaCakes118_c69a4d5254922580b97027536e71354f.exe
3840	HTV.exe
1968	JaffaCakes118_c69a4d5254922580b97027536e71354f.exe
1968	JaffaCakes118_c69a4d5254922580b97027536e71354f.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HTV Agent = "C:\\Program Files (x86)\\HTV\\HTV.exe"	HTV.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\HTV\HTV.004	JaffaCakes118_c69a4d5254922580b97027536e71354f.exe
File created	C:\Program Files (x86)\HTV\AKV.exe	JaffaCakes118_c69a4d5254922580b97027536e71354f.exe
File created	C:\Program Files (x86)\HTV\qs.html	JaffaCakes118_c69a4d5254922580b97027536e71354f.exe
File created	C:\Program Files (x86)\HTV\tray.gif	JaffaCakes118_c69a4d5254922580b97027536e71354f.exe
File created	C:\Program Files (x86)\HTV\menu.gif	JaffaCakes118_c69a4d5254922580b97027536e71354f.exe
File created	C:\Program Files (x86)\HTV\Uninstall.exe	JaffaCakes118_c69a4d5254922580b97027536e71354f.exe
File created	C:\Program Files (x86)\HTV\HTV.007	JaffaCakes118_c69a4d5254922580b97027536e71354f.exe
File created	C:\Program Files (x86)\HTV\HTV.003	JaffaCakes118_c69a4d5254922580b97027536e71354f.exe
File created	C:\Program Files (x86)\HTV\HTV.001	HTV.exe
File created	C:\Program Files (x86)\HTV\HTV.chm	JaffaCakes118_c69a4d5254922580b97027536e71354f.exe
File opened for modification	C:\Program Files (x86)\HTV	HTV.exe
File created	C:\Program Files (x86)\HTV\HTV.exe	JaffaCakes118_c69a4d5254922580b97027536e71354f.exe
File created	C:\Program Files (x86)\HTV\HTV.006	JaffaCakes118_c69a4d5254922580b97027536e71354f.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c69a4d5254922580b97027536e71354f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HTV.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4928	MicrosoftEdgeUpdate.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x000a000000023d05-160.dat	nsis_installer_1

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4500	msedge.exe
4500	msedge.exe
4764	msedge.exe
4764	msedge.exe
984	identity_helper.exe
984	identity_helper.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3840	HTV.exe
Token: SeIncBasePriorityPrivilege	3840	HTV.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3840	HTV.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
3840	HTV.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3840	HTV.exe
3840	HTV.exe
3840	HTV.exe
3840	HTV.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 3840	1968	JaffaCakes118_c69a4d5254922580b97027536e71354f.exe	90
PID 1968 wrote to memory of 3840	1968	JaffaCakes118_c69a4d5254922580b97027536e71354f.exe	90
PID 1968 wrote to memory of 3840	1968	JaffaCakes118_c69a4d5254922580b97027536e71354f.exe	90
PID 1968 wrote to memory of 4764	1968	JaffaCakes118_c69a4d5254922580b97027536e71354f.exe	91
PID 1968 wrote to memory of 4764	1968	JaffaCakes118_c69a4d5254922580b97027536e71354f.exe	91
PID 4764 wrote to memory of 4568	4764	msedge.exe	92
PID 4764 wrote to memory of 4568	4764	msedge.exe	92
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 1924	4764	msedge.exe	93
PID 4764 wrote to memory of 4500	4764	msedge.exe	94
PID 4764 wrote to memory of 4500	4764	msedge.exe	94
PID 4764 wrote to memory of 3112	4764	msedge.exe	95
PID 4764 wrote to memory of 3112	4764	msedge.exe	95
PID 4764 wrote to memory of 3112	4764	msedge.exe	95
PID 4764 wrote to memory of 3112	4764	msedge.exe	95
PID 4764 wrote to memory of 3112	4764	msedge.exe	95
PID 4764 wrote to memory of 3112	4764	msedge.exe	95
PID 4764 wrote to memory of 3112	4764	msedge.exe	95
PID 4764 wrote to memory of 3112	4764	msedge.exe	95
PID 4764 wrote to memory of 3112	4764	msedge.exe	95
PID 4764 wrote to memory of 3112	4764	msedge.exe	95
PID 4764 wrote to memory of 3112	4764	msedge.exe	95
PID 4764 wrote to memory of 3112	4764	msedge.exe	95
PID 4764 wrote to memory of 3112	4764	msedge.exe	95
PID 4764 wrote to memory of 3112	4764	msedge.exe	95
PID 4764 wrote to memory of 3112	4764	msedge.exe	95

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c69a4d5254922580b97027536e71354f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c69a4d5254922580b97027536e71354f.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Program Files (x86)\HTV\HTV.exe
  "C:\Program Files (x86)\HTV\HTV.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Program Files (x86)\HTV\qs.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff95c0946f8,0x7ff95c094708,0x7ff95c094718
    3⤵
    PID:4568
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,2425604099354449797,13857823987349246632,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
    3⤵
    PID:1924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,2425604099354449797,13857823987349246632,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,2425604099354449797,13857823987349246632,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
    3⤵
    PID:3112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,2425604099354449797,13857823987349246632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
    3⤵
    PID:3640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,2425604099354449797,13857823987349246632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
    3⤵
    PID:3484
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,2425604099354449797,13857823987349246632,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 /prefetch:8
    3⤵
    PID:4752
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,2425604099354449797,13857823987349246632,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,2425604099354449797,13857823987349246632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
    3⤵
    PID:3008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,2425604099354449797,13857823987349246632,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
    3⤵
    PID:1932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,2425604099354449797,13857823987349246632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
    3⤵
    PID:3624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,2425604099354449797,13857823987349246632,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
    3⤵
    PID:2692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,2425604099354449797,13857823987349246632,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1452

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7N0Q3OUQxNzktNkE1MC00NzIxLUI4RDYtRUI4QUY0Qzg5OTJCfSIgdXNlcmlkPSJ7QTc2NUIwRTAtQkFGMy00OTgwLUEyMDctMUFBODlCNzlBRjdBfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NEJCMkNENjctMDJDMC00MTU2LUIwMjYtN0Q2NzZFMjE4MzcxfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU4NjAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODIxNjMwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTU5NTM0NTM4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\HTV\AKV.exe

Filesize
393KB

MD5
24781fcca21b8baca869cf2307d7f9f4

SHA1
148ed81fc561c9547ce4203926bf742162b177dd

SHA256
0e0aa9ae7d0ff11c8757768527ca3ae61f56d51cb645e88421d4905db14c5032

SHA512
e2769dc1194a909c9a9fc42faefc5c67c94297eded8cd95c8b4de5f1b5666ddbfd14fb5fdff0811c2840c6e318ff60b80693eaa78be3f7904887aa2122ae5b5a

Download Submit
C:\Program Files (x86)\HTV\HTV.003

Filesize
4KB

MD5
d9e02f226fc338d14df200ba9a700625

SHA1
414f134a16a309b31e418ed9e08c0c48aaf6e2bc

SHA256
8165757efb79acceb9fd0bfae6b2c19b8f087cc0461abb17941d460dbdf2e260

SHA512
13c73381602fe2593312d41ab4bc5cd5f922ac651f9e71e3fe3c58e7f0c5c73ecc9d79d61ec46f33a0a81cf73373421eeb510bd99650c0f53af30974ed61b8ca

Download Submit
C:\Program Files (x86)\HTV\HTV.004

Filesize
14KB

MD5
661aab4571bea11f40a403b154d6dba8

SHA1
731266406f6458c99bc8c1a9b3d3b7eb0d0eac6f

SHA256
580e5897b0cd5ec956020f2d482dc953b57817bc83b2dfac72574e1e33c18412

SHA512
b3cf1713f972839afded4b9760b615821d237d6fbab4b6215e5dc6aa964544f1d16ef9dc08f8d58e369cd91f56b3a6e06b15587b1ece4c680f3b2f98f6c2879d

Download Submit
C:\Program Files (x86)\HTV\HTV.006

Filesize
7KB

MD5
32dd7b4bc8b6f290b0ece3cc1c011c96

SHA1
b979683868b399c6a6204ebaed9fc9c784a0429a

SHA256
6dcce9bbba5c2de47eea3abf7597a9c4fb2e4d358efc3752fa65c169cccfa2a1

SHA512
9e0d720799fe816f7d09c8a722b762203b6f12a8625c1c93cd640219ecc35969bd641b4d9e6dc04ab6f95ceb73235a438eb7d48ee9402118db3618b5760551ea

Download Submit
C:\Program Files (x86)\HTV\HTV.007

Filesize
5KB

MD5
e8155b68775ed29590e14df80fdc0e9f

SHA1
ed449da02e648a524004c265f3c37496d2f07f1f

SHA256
b39ba894b0a9a3201461ddd9ee9b297928e793dff221a47f019e75c11df631f3

SHA512
b14e00c46cf9bed0aca0f85775f624ff064f2d2afe1fa68b61bee5729db73cf9a8eced669c52d7cbb9504ff1b369a9a16a0f36c71a70c13c0bd1eaf5e07ccc11

Download Submit
C:\Program Files (x86)\HTV\HTV.chm

Filesize
33KB

MD5
14d48e19bff3bfc93a44a4af777fa8a7

SHA1
ccb4ef17fef63576f484618ccda0764928338b22

SHA256
c485d51d0bb639d7bfdfb447337171af13cff1ad9c3e344e55395a7c17e1e1c1

SHA512
11d4e09364b4e496e93b760708f1a403c3a39016d79e801cfb78e1adcf53dfac8ac6e7187d9faa6c4baf5bc008cbc2e8c56e636d8a8fc41bd90543f78f33238d

Download Submit
C:\Program Files (x86)\HTV\HTV.exe

Filesize
471KB

MD5
3c06bbc025b61d2182ef5573f2852bda

SHA1
ebc1464c00b13fb5b3f80a59c80b595020e1fe7c

SHA256
e7f64e7215284cdeb8ef1eba28733f7aeae7f6977f82809d8de1e76a2e249085

SHA512
9d839ada211b85fc1efb1fe7bb3ce66fcf0e8069221d958234649c2ac5dc0f1bd06f1a016f9c727077af36fb46cac5409be9c8a8201d17f689c6b473aa01acdc

Download Submit
C:\Program Files (x86)\HTV\Uninstall.exe

Filesize
44KB

MD5
83cac9da65204dca68d957c5731a7059

SHA1
0291f20c8144494e9eb06b818bed447afee91f09

SHA256
9704a03d01c430189525b18b519d77337e230ccd09ca37d2ee1a25a38f5cec0f

SHA512
4be4fc5cfd21ba4affff87ca1698ba63a62a2d899538ba6034e71a2451d63f545b4e29f8fd5875e0339f97eca360b46fac85d7ca26c7e37a8ea4b3ca65457673

Download Submit
C:\Program Files (x86)\HTV\menu.gif

Filesize
22KB

MD5
20fe009bce33b78dd40b48bc5f8accc6

SHA1
cd614d9b9e088eecb7e63722f61a39a0cf0ec196

SHA256
979c4b395172a53794b18d996df95c75c68d70ec3573aba66cdfe28c8d1cf0eb

SHA512
f6be54be78bfdf770c7c131c5d108b0b33376886b9b4a66598e2c92543a2e83ffafdaea36b9d749784a978d4327cdf52ce0ac6feb9a28d683162b0b3f2f40a37

Download Submit
C:\Program Files (x86)\HTV\qs.html

Filesize
1KB

MD5
40d00fa24b9cc44fbf2d724842808473

SHA1
c0852aa2fb916c051652a8b2142ffb9d8c7ac87a

SHA256
35b0f1bb808e1623ad534fbc1e72cea25ac28f71340e9c543f01d1bfdd094035

SHA512
9eb750e08ca9750988290626ae8ed32a2ecfa7c8ca021b3e26b3da0a94de952b991a9a6a0ad5729d7d5ccf7b3b36fb36fd24047f705d0468ad04908ba8a7154c

Download Submit
C:\Program Files (x86)\HTV\tray.gif

Filesize
7KB

MD5
0ac69330c3b9181b8a109fddb91fa128

SHA1
ef9698ccce041ce8ba3f4af37d0c2b577f19b375

SHA256
e675fecb791ed568aae7f1c24b159f7c0f7e23fe8a7ce76f72b3dd1a4ac00e9d

SHA512
3a74c04baf3e1e842c0a2568a6480e4ece05baef31171397763de638c6e5b0d26255cf1d7802ea53c355563b8e4b600d24d04afb5168fbc54f66414445327749

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Ardamax Keylogger.lnk

Filesize
1019B

MD5
ed877ae5610e53cf219ca26744e0477e

SHA1
c7ebdc40b25fb05824c9dbf37e02ec28f009c8db

SHA256
9c5a0aab953b6d86643517e5f0a394551a95fabc627d1b13e02edd960596c357

SHA512
d2fb6cf4656c55c989a7bf7623cfb8568dc6ea418879d6b4acbce3bea45ded5a01c748ad029e697dad766fb95731997ea7f51f45f2bc37403d077e3fd5673bd2

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Help.lnk

Filesize
975B

MD5
71549fa23b3d3a16a0152c7082d435ea

SHA1
3c8f7bcdff21c68638d297fa2bf636a4d15c16b1

SHA256
5d2745d7ff66d4a282cafcfe0faa49883b9e204b2a340211c782555e391165da

SHA512
bc616566784ec03f6053ae74acd5e4956b89d36d3871595edc5ba871bef6a085930237bc7c8dcd16ae1c213d72ed6cddaae49abfeb30bbc945bf5556f70d7382

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Log Viewer.lnk

Filesize
1KB

MD5
415182d93112a85d46e29bef41901a52

SHA1
0194bd2f7579378f699424c6e2af1a9bc60ab6e4

SHA256
c04a6dca6c470583b7711ff932f67b7c4ec04d7b7fbceaa0f7fa0a12a4a70553

SHA512
6c0b87e0ec6fcbc00bd3eeb428bbdfcb899c77b8eb3284da051f0c9aa65f5f8070c663f481b6b499b17696303828250844b2e1f888e40885eed5171bff05c77e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff4d54b3aadb5200432594708f095e82

SHA1
c30bc1677a50697ada032b1be526b0df6952daf1

SHA256
f63398b148e870edbfe75f8a7d717a64c87b8a05f35ae577d39d157744bfc78f

SHA512
bcb34a847f9b1c2c4347008a8208def98a07bf55d6c11cf6e0b237df1e5f7f5f3a7a58c3b7d0efb1c99ca8f2fc41c6fe776a8fe205840f9f212bfcde67e3f8d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f27aebac6cf2154266da570473c0bab7

SHA1
088feed439d7d1bf0962a0d7973a00808632d9b1

SHA256
d11ca93fd8845403bb3deeb8333637cde2f52ca868dc78d3e36a3bcd10ae6e40

SHA512
e56f8e3aefbaab4e792cd989f28b9e5ba069c432a98ab039829a278cd930dd550ee2f1e9d3f45307eeb67a56eb7858d1281afdafebcaf6833ba8bf1b3d6b0753

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
29d56a760374ecfa4c8adc0bd0cc0a7e

SHA1
81155bf30894d329b609d8f60f8bc5394ec71845

SHA256
8060794227a303f5bcbd88b3ddc2f64e71ebb1c4db881c872e9af6e3fec17375

SHA512
15baa3402cd11d43959903bec05a89161f406444ed9e97df5395447199c36757612adb7416d7d5a5005efcd8d0be4cc7a3d79d1a88e11e5bb6784b80c5c491b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
41fd0ab6492cb45a8952579f4b4c7af1

SHA1
8b5cac980720e1e4e73c76635ef5521022cc7239

SHA256
6e93e89cedc7a85d755c860d7e07f7ec11a307b2ae25d434a0ca7df571d94aea

SHA512
26f2f851c8b3dec886104efefabbd5872cbab8f1e5d06a41de8610432d9503f9b8a6345a29155b85d397acc40d6706f5635893a55da6e12e4b63502d7fff4793

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6a6d37f25872d7bb451a78dcf1e6c4d4

SHA1
c77ae2e88a81beac770b7ceacd4df1c4aa581f01

SHA256
4362396e6770bcb1fdedb7013285668b0e508bd4a2cf014843851b8c4a33d326

SHA512
fb3fa2cfb749ea7973f3d623ebc3c7d05695ab428699aa0d76888f604989816c7132e1f291e5b04b8dd3bbc6f624cf8e4a90475897151fa540d15a6bdb9ef186

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx98D7.tmp\InstallOptions.dll

Filesize
12KB

MD5
b3ebe1cb6bdd529302c121dd4e2e0d00

SHA1
305f022e7e3ef0ae6cdc5f18bd6adc3032f64304

SHA256
5a1696f9892567b3339faf2bf4df5eb1d2d886c49807529028b65f0f493e79b2

SHA512
6f6ea4aec1588bb6f7ab4f8422942ac0acbddb8b916af2ead039b434bec6db4d0bf64deb3b8d6cc33666cabd70024a1208411ab6e0ee10bcf98c47951f8d359a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx98D7.tmp\ioSpecial.ini

Filesize
811B

MD5
156e8d9012c4e4c5e036f1e3f4587f31

SHA1
b0578af3c6b46d830c5681d6fa409d1b026c8350

SHA256
706a99503dfc9399c644ecbe9c66ec1b75b524b1e8172d99651cf54e58d61902

SHA512
2c7029a3ee67bfb1654c76da4b00228d52af1c01bceadadc6dedb22089e9d774865e6dcbc24469fbdc55cdf18f85abbd9b4f703791c903f080d226aec9661161

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx98D7.tmp\ioSpecial.ini

Filesize
736B

MD5
907aab6b8e75c65ac36b10580b2995f4

SHA1
fa1f3c64acfd94eeed44211d737512002e3db45c

SHA256
53dcbd595fe4ddc8619d56c7d273ba1a92c00284c63724d8c6a8ed51fab79df0

SHA512
4e6ff627d78422a621b5d4d5735a8442733c4f57e7b26e2017799cc2b6e4d6fc193f1b16de58a7b71d1730df363d3c84fa1751c858b66c5d33791241332db0a7

Download Submit
memory/3840-162-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/3840-222-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download