ardamax | e0f41333a5d401ca7ff4f07b5272abae0e96f181d0f7176ea62d0caccbef938c

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
10-02-2025 10:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_akl.exe
Size

418KB
MD5

f6699e0d27e915996f33ddf617c9bf6c
SHA1

74d69a9449331b90e46ae01577b4714b1a35391a
SHA256

e2dc1886ca386f8717079b28cd52c1843de737ee24f2e521972730b9a6503c1f
SHA512

104451a409acf12db353259e86b00e40b079e657f2c456a9f339977cd0a972dc23af16d2f85da12b6728294560b3cf13afe380dafe1a87ba62c81ff72b127c54
SSDEEP

12288:XDKLYe6zUbRrda8Kb9zoNVSbVhyzCe1PXcZgE:TKLuGJa8Kb9q+XI51PMZgE

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral4/files/0x0008000000023e30-149.dat	family_ardamax

Downloads MZ/PE file 1 IoCs

flow	pid	Process
43	4624	Process not Found

Executes dropped EXE 1 IoCs

pid	Process
3092	HTV.exe

Loads dropped DLL 3 IoCs

pid	Process
1480	setup_akl.exe
3092	HTV.exe
1480	setup_akl.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HTV Agent = "C:\\Program Files (x86)\\HTV\\HTV.exe"	HTV.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\HTV\HTV.003	setup_akl.exe
File created	C:\Program Files (x86)\HTV\AKV.exe	setup_akl.exe
File created	C:\Program Files (x86)\HTV\qs.html	setup_akl.exe
File created	C:\Program Files (x86)\HTV\tray.gif	setup_akl.exe
File created	C:\Program Files (x86)\HTV\Uninstall.exe	setup_akl.exe
File opened for modification	C:\Program Files (x86)\HTV	HTV.exe
File created	C:\Program Files (x86)\HTV\HTV.006	setup_akl.exe
File created	C:\Program Files (x86)\HTV\HTV.007	setup_akl.exe
File created	C:\Program Files (x86)\HTV\HTV.004	setup_akl.exe
File created	C:\Program Files (x86)\HTV\menu.gif	setup_akl.exe
File created	C:\Program Files (x86)\HTV\HTV.chm	setup_akl.exe
File created	C:\Program Files (x86)\HTV\HTV.001	HTV.exe
File created	C:\Program Files (x86)\HTV\HTV.exe	setup_akl.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HTV.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3560	MicrosoftEdgeUpdate.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral4/files/0x0007000000023e3f-160.dat	nsis_installer_1

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
764	msedge.exe
764	msedge.exe
2160	msedge.exe
2160	msedge.exe
1968	identity_helper.exe
1968	identity_helper.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3092	HTV.exe
Token: SeIncBasePriorityPrivilege	3092	HTV.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3092	HTV.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
3092	HTV.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3092	HTV.exe
3092	HTV.exe
3092	HTV.exe
3092	HTV.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 3092	1480	setup_akl.exe	92
PID 1480 wrote to memory of 3092	1480	setup_akl.exe	92
PID 1480 wrote to memory of 3092	1480	setup_akl.exe	92
PID 1480 wrote to memory of 2160	1480	setup_akl.exe	93
PID 1480 wrote to memory of 2160	1480	setup_akl.exe	93
PID 2160 wrote to memory of 3616	2160	msedge.exe	94
PID 2160 wrote to memory of 3616	2160	msedge.exe	94
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 4028	2160	msedge.exe	95
PID 2160 wrote to memory of 764	2160	msedge.exe	96
PID 2160 wrote to memory of 764	2160	msedge.exe	96
PID 2160 wrote to memory of 4296	2160	msedge.exe	97
PID 2160 wrote to memory of 4296	2160	msedge.exe	97
PID 2160 wrote to memory of 4296	2160	msedge.exe	97
PID 2160 wrote to memory of 4296	2160	msedge.exe	97
PID 2160 wrote to memory of 4296	2160	msedge.exe	97
PID 2160 wrote to memory of 4296	2160	msedge.exe	97
PID 2160 wrote to memory of 4296	2160	msedge.exe	97
PID 2160 wrote to memory of 4296	2160	msedge.exe	97
PID 2160 wrote to memory of 4296	2160	msedge.exe	97
PID 2160 wrote to memory of 4296	2160	msedge.exe	97
PID 2160 wrote to memory of 4296	2160	msedge.exe	97
PID 2160 wrote to memory of 4296	2160	msedge.exe	97
PID 2160 wrote to memory of 4296	2160	msedge.exe	97
PID 2160 wrote to memory of 4296	2160	msedge.exe	97
PID 2160 wrote to memory of 4296	2160	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
"C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Program Files (x86)\HTV\HTV.exe
  "C:\Program Files (x86)\HTV\HTV.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Program Files (x86)\HTV\qs.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc7f7046f8,0x7ffc7f704708,0x7ffc7f704718
    3⤵
    PID:3616
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,759533688206894968,14534136835034583183,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
    3⤵
    PID:4028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,759533688206894968,14534136835034583183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,759533688206894968,14534136835034583183,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
    3⤵
    PID:4296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,759533688206894968,14534136835034583183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
    3⤵
    PID:1360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,759533688206894968,14534136835034583183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
    3⤵
    PID:2612
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,759533688206894968,14534136835034583183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4320 /prefetch:8
    3⤵
    PID:3668
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,759533688206894968,14534136835034583183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4320 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,759533688206894968,14534136835034583183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4264 /prefetch:1
    3⤵
    PID:4068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,759533688206894968,14534136835034583183,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
    3⤵
    PID:4976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,759533688206894968,14534136835034583183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
    3⤵
    PID:3236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,759533688206894968,14534136835034583183,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
    3⤵
    PID:392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,759533688206894968,14534136835034583183,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2620 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3100

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjE0MUE4REUtM0VFMC00MjhFLUJBRjMtNjAxMjcwNzIyOERFfSIgdXNlcmlkPSJ7MkQ4RkJENEUtRkU5NC00RDdBLTlDQTgtNjgyQ0Q5MkQ1Qjc1fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NjgyRkQ4NjUtMUU1Ny00Mzk2LUE2MjUtNjg5MTQ1QUE0OTIwfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDQ0OTciIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxNjkzODEzMjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDg2NzAwMzU5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3560

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\HTV\AKV.exe

Filesize
395KB

MD5
b8fa30233794772b8b76b4b1d91c7321

SHA1
0cf9561be2528944285e536f41d502be24c3aa87

SHA256
14116fa79ccc105fabd312b4dff74933f8684c6b27db37e5e3a79d159092d29a

SHA512
10ce8b18e7afb8c7e30bb90b0a1f199ef0b77873fa7a9efc596606e151be6b516c0ec6222a9032bdcc527e80964f53d20a28fa1881a08b4df303b2e28204549d

Download Submit
C:\Program Files (x86)\HTV\HTV.003

Filesize
4KB

MD5
c3679c3ff636d1a6b8c65323540da371

SHA1
d184758721a426467b687bec2a4acc80fe44c6f8

SHA256
d4eba51c616b439a8819218bddf9a6fa257d55c9f04cf81441cc99cc945ad3eb

SHA512
494a0a32eef4392ecb54df6e1da7d93183473c4e45f4ac4bd6ec3b0ed8c85c58303a0d36edec41420d05ff624195f08791b6b7e018419a3251b7e71ec9b730e7

Download Submit
C:\Program Files (x86)\HTV\HTV.004

Filesize
14KB

MD5
bda4860df26a5882b42b6b861376199d

SHA1
8437ec07c9bc3001756ae0cb214b99e1e8a53fdb

SHA256
9ed69f6ee86a7fca1f3ef7801d08b38d9e82ab649e6169e894e48ce85b43dc30

SHA512
484f45aaacdb4be03752df49c337c7596d539ee0442412083fcfeea78e1c485caf1fbb25cf8a749611358e3a895232f8d0c61c91545d98a3f2a3e1aa504859c6

Download Submit
C:\Program Files (x86)\HTV\HTV.006

Filesize
8KB

MD5
43f02e9974b1477c1e6388882f233db0

SHA1
f3e27b231193f8d5b2e1b09d05ae3a62795cf339

SHA256
3c9e56e51d5a7a1b9aefe853c12a98bf246039aa46db94227ea128f6331782ba

SHA512
e22d14735606fe75ee5e55204807c3f5531d3e0c4f63aa4a3b2d4bb6abda6128c7e2816753f2e64400ac6dae8f8ef1e013a7a464dff2a79ad9937c48821a067f

Download Submit
C:\Program Files (x86)\HTV\HTV.007

Filesize
5KB

MD5
b5a87d630436f958c6e1d82d15f98f96

SHA1
d3ff5e92198d4df0f98a918071aca53550bf1cff

SHA256
a895ad4d23e8b2c2dc552092f645ca309e62c36d4721ebfe7afd2eee7765d4b2

SHA512
fd7bae85a86bdaa12fec826d1d38728a90e2037cb3182ad7652d8a9f54c4b322734c587b62221e6f907fce24fcf2e0ae4cce1f5e3d8861661064b4da24bd87ce

Download Submit
C:\Program Files (x86)\HTV\HTV.chm

Filesize
33KB

MD5
0195038e7af8da97742eb0188204c3bf

SHA1
b8c089c701ab283fa5aa921270b317c07cbee2c7

SHA256
fc14326e0719e0a59ba8fbb6763f2cc41b47d59ef177c90dc3535cd3a38720b9

SHA512
938c3a59895d861eb67a56f365fd387b122d42ff7bb52e5014faa738150d1eed2cd4a52b231ff70f1184fd7e3f0eb991096813b9933e574a7b4383f768384b04

Download Submit
C:\Program Files (x86)\HTV\HTV.exe

Filesize
473KB

MD5
17535dddecf8cb1efdba1f1952126547

SHA1
a862a9a3eb6c201751be1038537522a5281ea6cb

SHA256
1a3d28ac6359e58aa656f4734f9f36b6c09badadcf9fb900b9b118d90c38a9dd

SHA512
b4f31b552ab3bb3dafa365aa7a31f58674ae7ee82ce1d23457f2e7047431430b00abb3b5498491725639daf583b526b278a737168cfdc4e9ec796dfbc14a53d8

Download Submit
C:\Program Files (x86)\HTV\Uninstall.exe

Filesize
43KB

MD5
916ced19a86ac3006f26ea60719dd648

SHA1
68278a4c3d5202fff273844d8e4b488fc1daddcd

SHA256
3dc70f9fc553517666be9008ebcfab2b044ff711036d49e40144e0dd97910734

SHA512
9c08cbca52a17f810f3892d66a72ff37c3af5a60ebe34f56e3937c933e265ae0e4207410f7778434cb203a76e36dc62df09a08f3b3f4338d35b44d5c5bc8bb28

Download Submit
C:\Program Files (x86)\HTV\menu.gif

Filesize
22KB

MD5
20fe009bce33b78dd40b48bc5f8accc6

SHA1
cd614d9b9e088eecb7e63722f61a39a0cf0ec196

SHA256
979c4b395172a53794b18d996df95c75c68d70ec3573aba66cdfe28c8d1cf0eb

SHA512
f6be54be78bfdf770c7c131c5d108b0b33376886b9b4a66598e2c92543a2e83ffafdaea36b9d749784a978d4327cdf52ce0ac6feb9a28d683162b0b3f2f40a37

Download Submit
C:\Program Files (x86)\HTV\qs.html

Filesize
1KB

MD5
40d00fa24b9cc44fbf2d724842808473

SHA1
c0852aa2fb916c051652a8b2142ffb9d8c7ac87a

SHA256
35b0f1bb808e1623ad534fbc1e72cea25ac28f71340e9c543f01d1bfdd094035

SHA512
9eb750e08ca9750988290626ae8ed32a2ecfa7c8ca021b3e26b3da0a94de952b991a9a6a0ad5729d7d5ccf7b3b36fb36fd24047f705d0468ad04908ba8a7154c

Download Submit
C:\Program Files (x86)\HTV\tray.gif

Filesize
7KB

MD5
0ac69330c3b9181b8a109fddb91fa128

SHA1
ef9698ccce041ce8ba3f4af37d0c2b577f19b375

SHA256
e675fecb791ed568aae7f1c24b159f7c0f7e23fe8a7ce76f72b3dd1a4ac00e9d

SHA512
3a74c04baf3e1e842c0a2568a6480e4ece05baef31171397763de638c6e5b0d26255cf1d7802ea53c355563b8e4b600d24d04afb5168fbc54f66414445327749

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Ardamax Keylogger.lnk

Filesize
1019B

MD5
09ebe50593ed0de65fffba2ee00aa438

SHA1
bf2cbfac7696a68d84cdde507ee36cc96ca98123

SHA256
470748c38446b82862d6f9e5e1ede54624c3fc5a79853d2fe8e433de452a36a2

SHA512
022da7da6c3ac2dc78a4218e4e2bce49da651c79ccbceee7bbf3af826779c9ef836eefdbc4c05c98d70a05405fa4c796699b0cc153d37bfc2869bd09dd15fd52

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Help.lnk

Filesize
975B

MD5
93151b617b030bcf39514a2e76b2a6c1

SHA1
b22760a13c01e1c382cbeac859dc8f93b86b3fce

SHA256
ae421ccf1b17c9e5495f1be787272ed2bc228973bfe194dade87f72b548ef228

SHA512
97cab7a526bcc92e6dced50ac036a030c93501fffaaf22487f1280073cf5deecf342eafda0a2a87515d9f16c7d6bc1c016a307ea647ec0ac3c1107905c74552a

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Log Viewer.lnk

Filesize
1KB

MD5
a9a66deee4dddf16f07d51994fc45f55

SHA1
04d5a5f7c28f2ece683b01e11143006d473ce7f5

SHA256
54278e6eb0845c12130fe3d8867a7eb9c60376bfd83a31ff7f7e8b91d5ded225

SHA512
4fb002dd62fcee12836fe38709d8816919650caab6877eac107215337969de31fa94584fc6af4d3c6c507da784b3707536606d2098a1580680c9fb355b23cc28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fc7e2abfae997eac3dd58ba7132b3a2a

SHA1
ed7e80b26252b600acc6d89b985f4235b0fb03fb

SHA256
be084d16cf52949ceb38b98ebc8761cd5bf1a6ac9e8c247efc12bb669f5f023a

SHA512
a504e52646c4be5ee0f0d979b0d7a539228ab638394c658d1a88eff86f6db4091146b176484388afa6967a296af7ea97b4d2678577ea85f83d721ef2fe63f928

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aa50e46aef7f210bf65d44c570031714

SHA1
41993bb24a2c4cffdb5ea9bd4eeb825bf6b6fa79

SHA256
857a7702a47be49f185619891e5c74e34b4bb2515279033f3b5a0a9be2da839d

SHA512
dd5a1e88b2000957e3ddf057329a24dbbfc5408857cd1432799f20c21b967b627627bf1a3caa23e9698bb8133b7033d925487bcf46d864186a707176f8969029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e87d5bde86f068a807b6456bbc1631d9

SHA1
44a73931269eb1e4ec80098b01182cfe1a47619a

SHA256
368617f0b81bfad70a003c7374e3b01aa3d6dafafea9614ed4fa1b106b94df12

SHA512
34c025979a1013863e40ed06942d5d71e779ab14a19877f42ba4b510fe834cee50063dba3de06fe2de8906ca53c4aad45dfec7c7cf75b2a9453a5c0a2b91e951

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2aa8d2cdd1c25404c7b12283fcd34c80

SHA1
5bb712c73979a37515e0f3d6517014c91b56c3ec

SHA256
8d02042309c614bde52c00ddee3e00f877bd3e194b59f37a3114ddad06b735fc

SHA512
09c6fe798ae75223a4ed80d81bd448078a69ecca51948f8c183aef66225591811a1de170bb940ad5c2188ff42d6f1b12a8509b3409f45683b094610e7353a294

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d017d9e8e00e0eb75c0ea2d63bcbbe57

SHA1
7275ec0a22d0a8f85c8ca46e24fa9406cd877989

SHA256
2cf92cf83ad2af585dc7420d0543a8930c5dc8f05d58c6c2502611d76617dab0

SHA512
fdd1c2f9c8a9813fd2e45ed73507199e937a03d3bbc4acc0f1902d3a3388bc9b05d931f157d7b096452e72a8c8db5898d0f0c3d41cacaf33493f761cef0bd630

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgBC6C.tmp\InstallOptions.dll

Filesize
14KB

MD5
296a5f3179fa8d7a7a855eaf696ede44

SHA1
57aa5b71553ed282dd22c768e039a187f5c13f63

SHA256
ee0ad77e681c4d0fdf1d67df5f4ca03e6bdd8e3b05dfb47a83ad5c733ed62960

SHA512
bc527d1485f468e8d098057e0e38e8cb7aa6eb64d4ca30927b99b1552a3177b132b989015ff95bdf2ca046bf11a54b4b456f51e024fbc734fbb548c3499e53f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgBC6C.tmp\ioSpecial.ini

Filesize
794B

MD5
a06ef77364db017075350d6d8210ddb7

SHA1
fe800c5967df5ab0eb730b5928c76b61aec74774

SHA256
693b22a53864ad3576e6dce8a92dc0360f51b81530a32d702719db8fff23f8f4

SHA512
85f73ef92c7ffb6f2ea77fe42f9f102452aced360d31ea9146a60525d1a391d68bffa5374414fd800a483cf8051927ae93f5da82775a1548ac5bf913d6fee020

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgBC6C.tmp\ioSpecial.ini

Filesize
719B

MD5
51504de2b8496a59012a401d93d4542b

SHA1
d41a0fe159b1078e893799e40090b0c8fce3588f

SHA256
c3b6b6cf1a678a0b337cb15f48fe7f0f3ef06244d932cdb3a0f40de4e9f262e6

SHA512
83cc73350d16aa494ccec8590dcdb2f3348bfa4e0598ce34f809d4b8d822630a2a07fb2df45b3109c8ace8d4d9c89701f20976253ede4dcbc7c6041358eea5f8

Download Submit
memory/3092-162-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/3092-231-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download