ardamax | e0f41333a5d401ca7ff4f07b5272abae0e96f181d0f7176ea62d0caccbef938c

Analysis

max time kernel
141s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
10-02-2025 10:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_da3966b99a53642d23b1767a56fe5bcc.exe
Size

476KB
MD5

da3966b99a53642d23b1767a56fe5bcc
SHA1

0c978e2587789a11d32daa249725d81474975266
SHA256

e0f41333a5d401ca7ff4f07b5272abae0e96f181d0f7176ea62d0caccbef938c
SHA512

88f6fb33feaac85503ae9697061d87fdf8841f559138826c33cd9e304c534ab2967eb4d4f03de78e9180a3d83df98004393d459ff102011a91e661b75f836532
SSDEEP

6144:fsehzRFBKcKbRjt9v7Vc8etHx0bdhITezYv2QaCJBA5Xpot6VfcoOvncCFjoxkPx:frMTRz+RidaaKbBEoUVSvVDyz0dDrbx

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0010000000023b68-193.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	update.exe

Executes dropped EXE 3 IoCs

pid	Process
2732	update.exe
552	setup_akl.exe
3260	HTV.exe

Loads dropped DLL 4 IoCs

pid	Process
552	setup_akl.exe
3260	HTV.exe
552	setup_akl.exe
552	setup_akl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	JaffaCakes118_da3966b99a53642d23b1767a56fe5bcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HTV Agent = "C:\\Program Files (x86)\\HTV\\HTV.exe"	HTV.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\HTV\HTV.001	HTV.exe
File opened for modification	C:\Program Files (x86)\HTV	HTV.exe
File created	C:\Program Files (x86)\HTV\HTV.007	setup_akl.exe
File created	C:\Program Files (x86)\HTV\menu.gif	setup_akl.exe
File created	C:\Program Files (x86)\HTV\HTV.003	setup_akl.exe
File created	C:\Program Files (x86)\HTV\HTV.004	setup_akl.exe
File created	C:\Program Files (x86)\HTV\AKV.exe	setup_akl.exe
File created	C:\Program Files (x86)\HTV\qs.html	setup_akl.exe
File created	C:\Program Files (x86)\HTV\tray.gif	setup_akl.exe
File created	C:\Program Files (x86)\HTV\HTV.chm	setup_akl.exe
File created	C:\Program Files (x86)\HTV\HTV.exe	setup_akl.exe
File created	C:\Program Files (x86)\HTV\HTV.006	setup_akl.exe
File created	C:\Program Files (x86)\HTV\Uninstall.exe	setup_akl.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_da3966b99a53642d23b1767a56fe5bcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HTV.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0009000000023c9e-41.dat	nsis_installer_1
behavioral2/files/0x0009000000023baf-203.dat	nsis_installer_1

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3900	msedge.exe
3900	msedge.exe
2924	msedge.exe
2924	msedge.exe
2100	identity_helper.exe
2100	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3260	HTV.exe
Token: SeIncBasePriorityPrivilege	3260	HTV.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3260	HTV.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
3260	HTV.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3260	HTV.exe
3260	HTV.exe
3260	HTV.exe
3260	HTV.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 2732	3920	JaffaCakes118_da3966b99a53642d23b1767a56fe5bcc.exe	84
PID 3920 wrote to memory of 2732	3920	JaffaCakes118_da3966b99a53642d23b1767a56fe5bcc.exe	84
PID 3920 wrote to memory of 2732	3920	JaffaCakes118_da3966b99a53642d23b1767a56fe5bcc.exe	84
PID 3920 wrote to memory of 552	3920	JaffaCakes118_da3966b99a53642d23b1767a56fe5bcc.exe	93
PID 3920 wrote to memory of 552	3920	JaffaCakes118_da3966b99a53642d23b1767a56fe5bcc.exe	93
PID 3920 wrote to memory of 552	3920	JaffaCakes118_da3966b99a53642d23b1767a56fe5bcc.exe	93
PID 552 wrote to memory of 3260	552	setup_akl.exe	101
PID 552 wrote to memory of 3260	552	setup_akl.exe	101
PID 552 wrote to memory of 3260	552	setup_akl.exe	101
PID 552 wrote to memory of 2924	552	setup_akl.exe	102
PID 552 wrote to memory of 2924	552	setup_akl.exe	102
PID 2924 wrote to memory of 2564	2924	msedge.exe	103
PID 2924 wrote to memory of 2564	2924	msedge.exe	103
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3016	2924	msedge.exe	104
PID 2924 wrote to memory of 3900	2924	msedge.exe	105
PID 2924 wrote to memory of 3900	2924	msedge.exe	105
PID 2924 wrote to memory of 900	2924	msedge.exe	106
PID 2924 wrote to memory of 900	2924	msedge.exe	106
PID 2924 wrote to memory of 900	2924	msedge.exe	106
PID 2924 wrote to memory of 900	2924	msedge.exe	106
PID 2924 wrote to memory of 900	2924	msedge.exe	106
PID 2924 wrote to memory of 900	2924	msedge.exe	106
PID 2924 wrote to memory of 900	2924	msedge.exe	106
PID 2924 wrote to memory of 900	2924	msedge.exe	106
PID 2924 wrote to memory of 900	2924	msedge.exe	106

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_da3966b99a53642d23b1767a56fe5bcc.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_da3966b99a53642d23b1767a56fe5bcc.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\update.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\update.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2732
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_akl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_akl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Program Files (x86)\HTV\HTV.exe
    "C:\Program Files (x86)\HTV\HTV.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:3260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Program Files (x86)\HTV\qs.html
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff92eab46f8,0x7ff92eab4708,0x7ff92eab4718
      4⤵
      PID:2564
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,17130382780484025174,3579102578199408004,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
      4⤵
      PID:3016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,17130382780484025174,3579102578199408004,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3900
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,17130382780484025174,3579102578199408004,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
      4⤵
      PID:900
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17130382780484025174,3579102578199408004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
      4⤵
      PID:4080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17130382780484025174,3579102578199408004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
      4⤵
      PID:2360
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,17130382780484025174,3579102578199408004,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
      4⤵
      PID:2644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,17130382780484025174,3579102578199408004,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17130382780484025174,3579102578199408004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2636 /prefetch:1
      4⤵
      PID:4832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17130382780484025174,3579102578199408004,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4376 /prefetch:1
      4⤵
      PID:916
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17130382780484025174,3579102578199408004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
      4⤵
      PID:3120
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17130382780484025174,3579102578199408004,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
      4⤵
      PID:3664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3364

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\HTV\AKV.exe

Filesize
395KB

MD5
b8fa30233794772b8b76b4b1d91c7321

SHA1
0cf9561be2528944285e536f41d502be24c3aa87

SHA256
14116fa79ccc105fabd312b4dff74933f8684c6b27db37e5e3a79d159092d29a

SHA512
10ce8b18e7afb8c7e30bb90b0a1f199ef0b77873fa7a9efc596606e151be6b516c0ec6222a9032bdcc527e80964f53d20a28fa1881a08b4df303b2e28204549d

Download Submit
C:\Program Files (x86)\HTV\HTV.003

Filesize
4KB

MD5
c3679c3ff636d1a6b8c65323540da371

SHA1
d184758721a426467b687bec2a4acc80fe44c6f8

SHA256
d4eba51c616b439a8819218bddf9a6fa257d55c9f04cf81441cc99cc945ad3eb

SHA512
494a0a32eef4392ecb54df6e1da7d93183473c4e45f4ac4bd6ec3b0ed8c85c58303a0d36edec41420d05ff624195f08791b6b7e018419a3251b7e71ec9b730e7

Download Submit
C:\Program Files (x86)\HTV\HTV.004

Filesize
14KB

MD5
bda4860df26a5882b42b6b861376199d

SHA1
8437ec07c9bc3001756ae0cb214b99e1e8a53fdb

SHA256
9ed69f6ee86a7fca1f3ef7801d08b38d9e82ab649e6169e894e48ce85b43dc30

SHA512
484f45aaacdb4be03752df49c337c7596d539ee0442412083fcfeea78e1c485caf1fbb25cf8a749611358e3a895232f8d0c61c91545d98a3f2a3e1aa504859c6

Download Submit
C:\Program Files (x86)\HTV\HTV.006

Filesize
8KB

MD5
43f02e9974b1477c1e6388882f233db0

SHA1
f3e27b231193f8d5b2e1b09d05ae3a62795cf339

SHA256
3c9e56e51d5a7a1b9aefe853c12a98bf246039aa46db94227ea128f6331782ba

SHA512
e22d14735606fe75ee5e55204807c3f5531d3e0c4f63aa4a3b2d4bb6abda6128c7e2816753f2e64400ac6dae8f8ef1e013a7a464dff2a79ad9937c48821a067f

Download Submit
C:\Program Files (x86)\HTV\HTV.007

Filesize
5KB

MD5
b5a87d630436f958c6e1d82d15f98f96

SHA1
d3ff5e92198d4df0f98a918071aca53550bf1cff

SHA256
a895ad4d23e8b2c2dc552092f645ca309e62c36d4721ebfe7afd2eee7765d4b2

SHA512
fd7bae85a86bdaa12fec826d1d38728a90e2037cb3182ad7652d8a9f54c4b322734c587b62221e6f907fce24fcf2e0ae4cce1f5e3d8861661064b4da24bd87ce

Download Submit
C:\Program Files (x86)\HTV\HTV.chm

Filesize
33KB

MD5
0195038e7af8da97742eb0188204c3bf

SHA1
b8c089c701ab283fa5aa921270b317c07cbee2c7

SHA256
fc14326e0719e0a59ba8fbb6763f2cc41b47d59ef177c90dc3535cd3a38720b9

SHA512
938c3a59895d861eb67a56f365fd387b122d42ff7bb52e5014faa738150d1eed2cd4a52b231ff70f1184fd7e3f0eb991096813b9933e574a7b4383f768384b04

Download Submit
C:\Program Files (x86)\HTV\HTV.exe

Filesize
473KB

MD5
17535dddecf8cb1efdba1f1952126547

SHA1
a862a9a3eb6c201751be1038537522a5281ea6cb

SHA256
1a3d28ac6359e58aa656f4734f9f36b6c09badadcf9fb900b9b118d90c38a9dd

SHA512
b4f31b552ab3bb3dafa365aa7a31f58674ae7ee82ce1d23457f2e7047431430b00abb3b5498491725639daf583b526b278a737168cfdc4e9ec796dfbc14a53d8

Download Submit
C:\Program Files (x86)\HTV\Uninstall.exe

Filesize
43KB

MD5
916ced19a86ac3006f26ea60719dd648

SHA1
68278a4c3d5202fff273844d8e4b488fc1daddcd

SHA256
3dc70f9fc553517666be9008ebcfab2b044ff711036d49e40144e0dd97910734

SHA512
9c08cbca52a17f810f3892d66a72ff37c3af5a60ebe34f56e3937c933e265ae0e4207410f7778434cb203a76e36dc62df09a08f3b3f4338d35b44d5c5bc8bb28

Download Submit
C:\Program Files (x86)\HTV\menu.gif

Filesize
22KB

MD5
20fe009bce33b78dd40b48bc5f8accc6

SHA1
cd614d9b9e088eecb7e63722f61a39a0cf0ec196

SHA256
979c4b395172a53794b18d996df95c75c68d70ec3573aba66cdfe28c8d1cf0eb

SHA512
f6be54be78bfdf770c7c131c5d108b0b33376886b9b4a66598e2c92543a2e83ffafdaea36b9d749784a978d4327cdf52ce0ac6feb9a28d683162b0b3f2f40a37

Download Submit
C:\Program Files (x86)\HTV\qs.html

Filesize
1KB

MD5
40d00fa24b9cc44fbf2d724842808473

SHA1
c0852aa2fb916c051652a8b2142ffb9d8c7ac87a

SHA256
35b0f1bb808e1623ad534fbc1e72cea25ac28f71340e9c543f01d1bfdd094035

SHA512
9eb750e08ca9750988290626ae8ed32a2ecfa7c8ca021b3e26b3da0a94de952b991a9a6a0ad5729d7d5ccf7b3b36fb36fd24047f705d0468ad04908ba8a7154c

Download Submit
C:\Program Files (x86)\HTV\tray.gif

Filesize
7KB

MD5
0ac69330c3b9181b8a109fddb91fa128

SHA1
ef9698ccce041ce8ba3f4af37d0c2b577f19b375

SHA256
e675fecb791ed568aae7f1c24b159f7c0f7e23fe8a7ce76f72b3dd1a4ac00e9d

SHA512
3a74c04baf3e1e842c0a2568a6480e4ece05baef31171397763de638c6e5b0d26255cf1d7802ea53c355563b8e4b600d24d04afb5168fbc54f66414445327749

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Ardamax Keylogger.lnk

Filesize
1019B

MD5
c8614eedd852c7884ce3dccab8e3ef20

SHA1
40557cd22b965c2062e52e4689e386147c1151e2

SHA256
9bf652ba967933a3bd9714e1c03a6963d5a89ce5c49290a0c43b61cae224a7f7

SHA512
1569c70b5939ca393724c921ae60851a903b05dff0a2122ee51e6234cbd48d16f683f3934bf34af8f2143722b05baa63d83fd7fc388f06803d716037c665ac4c

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Help.lnk

Filesize
975B

MD5
08c14f8db10264be4e6a2ebcc0c47304

SHA1
da04354767aa80dd3740eb3b416ec3fc2069c649

SHA256
6d62e903c500ae1607a336bd2b4102a7fc4eae60f4fec4361be4c1b08a66da14

SHA512
a239f4f627edbbd1bc8dec43d40dab23c4cb4c9d20d263308a93780d594c4b55cca76dbaa2c0ce89593b7689374b2d65d8b417f294d6ce1ccfde129328af9966

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Log Viewer.lnk

Filesize
1KB

MD5
10c128a503041900ef9cfc79986b358b

SHA1
777484b163d9d484fff2440a1000eaa8096edec8

SHA256
64cb83226a90cd6746c10d2715a2849d59bdceb0e66daea2efb9aa5b392ab806

SHA512
67b25819a0d97cbf8826fc2a68bd75af82e172d876f59c7f5703888f7f83c6dd0e675a1919612571077122ee4530b86f72b038312f344c8d4f95f301e7b90dc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
709e5bc1c62a5aa20abcf92d1a3ae51c

SHA1
71c8b6688cd83f8ba088d3d44d851c19ee9ccff6

SHA256
aa718e97104d2a4c68a9dad4aae806a22060702177f836403094f7ca7f0f8d4e

SHA512
b9fc809fbb95b29336e5102382295d71235b0e3a54828b40380958a7feaf27c6407461765680e1f61d88e2692e912f8ec677a66ff965854bea6afae69d99cf24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bc29044ff79dd25458f32c381dc676af

SHA1
f4657c0bee9b865607ec3686b8d4f5d4c2c61cd7

SHA256
efe711204437661603d6e59765aba1654678f2093075c1eb2340dc5e80a1140f

SHA512
3d484f755d88c0485195b247230edb79c07cc0941dedbf2f34738ae4f80ba90595f5094c449b213c0c871ade6aff0a14d4acfe843186e2421ccbad221d34bf54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3f6943ab3839237cc5035ca05a8f824d

SHA1
587c1bba9db259c88a80126bbd61d1672e8fbedb

SHA256
2722c1b0348a0e4fe3d11c3394c9c0d39d74795c37fc49502afce1323564c5cb

SHA512
f60b90a46392d3c3d9da333219ef2b76c4573a1fde798a92aa4354e7d338ee9c0e29e38755fc8cee13099a1bf06ef0514b72ac4da44d2932c8078e4770d0242b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3988c2cbbcb70cc6586813c1c56cff0c

SHA1
ef843a79104681139813a21257ab64805a3a0ef8

SHA256
0fd4c5a1e83c776b4032f87260f905f25658e306e3065e5173659f1d3ca721fe

SHA512
1f367fd90d6edd7caad599868542efaed7f855240fb11bd7dda7481125b98d5f1234591c5fc686fdaed8fd13dba3bb6b17d66c866a334aff2e6feb2b3d17095a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
af2a7f6092045adc7628271b04ffbddf

SHA1
9f8c5a6e6e5fb610438ece8256c76c3cb0131ed5

SHA256
cd5abb06265564baf0b5ec5fcae1c430e07f544872b7bb0f703bd96c3201ae6a

SHA512
6afb4201a6a400ba3bd9a0736b5e9e113bfb7a4345a6a8e211abb1856bd727c95980045d1b801d132511610ad3f880928df5e6744a46f9e7dc389bbf89e74d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\runUpdate.exe

Filesize
1KB

MD5
8150f458ed6fb9b1db4e5cfa57a1a281

SHA1
6e5726854d28687b560d7fdcb5c782c425c7dfb9

SHA256
4c13d452dd5d49671bd93ca32f2b4f85c78e39b6ab0ad1f38d98ed267f8fd896

SHA512
4cc6a112673aef8bb8bb8a385c26791b805d43bb707b509880e894f1c83bab4e16f13de187036c5f660c3bec1d286258396b7bde65c5d7945c5019665196818c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_akl.exe

Filesize
418KB

MD5
f6699e0d27e915996f33ddf617c9bf6c

SHA1
74d69a9449331b90e46ae01577b4714b1a35391a

SHA256
e2dc1886ca386f8717079b28cd52c1843de737ee24f2e521972730b9a6503c1f

SHA512
104451a409acf12db353259e86b00e40b079e657f2c456a9f339977cd0a972dc23af16d2f85da12b6728294560b3cf13afe380dafe1a87ba62c81ff72b127c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\update.exe

Filesize
21KB

MD5
aa8a3b7e4d6ad2c666f848ff74a18f3b

SHA1
f0555675ab5af32a8c4c177afcb0b1e54ffd871c

SHA256
11d8aaac704cfaf1cd8cb4120afc4dd05738e9cccf65fd3be726ca9cfc4ec5c7

SHA512
ca6893513548aed5bdf7c73a89c7aa4473e34e70ad15fc4988010e557884f05e02eba2314f5bc95520b225c878a1f794aa5f60c24b28c15ceabfde5f20d60fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg54C4.tmp\InstallOptions.dll

Filesize
14KB

MD5
296a5f3179fa8d7a7a855eaf696ede44

SHA1
57aa5b71553ed282dd22c768e039a187f5c13f63

SHA256
ee0ad77e681c4d0fdf1d67df5f4ca03e6bdd8e3b05dfb47a83ad5c733ed62960

SHA512
bc527d1485f468e8d098057e0e38e8cb7aa6eb64d4ca30927b99b1552a3177b132b989015ff95bdf2ca046bf11a54b4b456f51e024fbc734fbb548c3499e53f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg54C4.tmp\ioSpecial.ini

Filesize
794B

MD5
8111cdb0ea77a54c9235a4a5f4d34a0d

SHA1
a33f1118538dc8dbf626ac5e3ed38f2eedd70313

SHA256
33f1c2e957e6ab83b41af5d398e757e795c49415a1c1c6b72a6630b02b22a801

SHA512
0f8c2dfc3790517f1bdb1eaf78ef94a470a6486e0d8da6f3497c797946f2eb82f883dfa8be283e25c662f4e043fa93d2b25ab61e0f9647d764623afd72dd0445

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg54C4.tmp\ioSpecial.ini

Filesize
719B

MD5
7c4bc9a6f09cfab0f0f0f974d3d5393e

SHA1
7a8d6e53af0385659a13d22d6fed08a2afb2f77f

SHA256
9f592fd47960aac33c3c6dc83116abd39e6451a87de477d105d26ec39a807d47

SHA512
5e5903cca43dc0c82781e4324395752907f90c24587c6475bf94fc5987ba9008041f72fab0474097d17b91189a5923cb76c8013dd3bad19f4e63ceb2d974bcb6

Download Submit
memory/2732-7-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download