Keylogger.Ardamax

By CagedTech in Keyloggers

Threat Scorecard

Popularity Rank:	14,634
Threat Level:	80 % (High)
Infected Computers:	10,303

First Seen:	July 24, 2009
Last Seen:	December 24, 2025
OS(es) Affected:	Windows

Table of Contents

Aliases

15 security vendors flagged this file as malicious.

Antivirus Vendor	Detection
Fortinet	W32/Gbot.YRA!tr.bdr
AntiVir	SPR/Tool.Ardamax.556
Kaspersky	Backdoor.Win32.Gbot.yra
McAfee	Artemis!647F311B4718
AVG	Ardamax.BUD
BitDefender	MemScan:Trojan.Generic.8306227
Avast	Win32:Ardamax-PU [PUP]
McAfee	Artemis!3DEBCBACE7A0
AVG	Ardamax.BWQ
McAfee	Artemis!D7BB86DA5866
Avast	Win32:Ardamax-QG [PUP]
AntiVir	SPR/Tool.Monitor.Gen
Avast	Win32:Ardamax-QI [PUP]
McAfee	Artemis!2BE9E4E80820
Panda	Generic Trojan

File System Details

Keylogger.Ardamax may create the following file(s):

Expand All | Collapse All

#	File Name	MD5	Detections Detections: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
1.	CSJ.exe	29a6ac921bfd693769a7f7e255dc2e77	37
Name: CSJ.exe MD5: 29a6ac921bfd693769a7f7e255dc2e77 Size: 1.8 MB (1801728 bytes) Detections: 37 Type: Executable File Path: %PROGRAMFILES%\CSJ Group: Malware file Last Updated: July 26, 2012
2.	DFC.exe	b37aad7a36fbbb2d2054e082d590a76c	11
Name: DFC.exe MD5: b37aad7a36fbbb2d2054e082d590a76c Size: 1.81 MB (1819648 bytes) Detections: 11 Type: Executable File Path: %PROGRAMFILES(x86)%\Ardamax Group: Malware file Last Updated: April 3, 2020
3.	AKV.exe	b8fa30233794772b8b76b4b1d91c7321	8
Name: AKV.exe MD5: b8fa30233794772b8b76b4b1d91c7321 Size: 404.48 KB (404480 bytes) Detections: 8 Type: Executable File Path: C:\Windows\SysWOW64\28463\AKV.exe Group: Malware file Last Updated: December 1, 2022
4.	LYA.exe	3cd29c0df98a7aeb69a9692843ca3edb	7
Name: LYA.exe MD5: 3cd29c0df98a7aeb69a9692843ca3edb Size: 1.74 MB (1747968 bytes) Detections: 7 Type: Executable File Path: C:\WINDOWS\SysWOW64\FXVDEA\LYA.exe Group: Malware file Last Updated: March 3, 2023
5.	ETK.exe	56dce36cac37d632bf722e9804e4965e	4
Name: ETK.exe MD5: 56dce36cac37d632bf722e9804e4965e Size: 1.83 MB (1838080 bytes) Detections: 4 Type: Executable File Path: %PROGRAMFILES(x86)%\ETK Group: Malware file Last Updated: October 17, 2012
6.	BCR.exe	b910f5d24e399a13f6aae20535ac05b4	4
Name: BCR.exe MD5: b910f5d24e399a13f6aae20535ac05b4 Size: 1.82 MB (1829888 bytes) Detections: 4 Type: Executable File Path: C:\Windows\SysWOW64\WLGGBN\BCR.exe Group: Malware file Last Updated: August 14, 2022
7.	setup_akl64 (password=ardamax).exe	e3d267c02ec24bd475e394551cca6ad0	4
Name: setup_akl64 (password=ardamax).exe MD5: e3d267c02ec24bd475e394551cca6ad0 Size: 2.13 MB (2139332 bytes) Detections: 4 Type: Executable File Path: C:\Users\<username>\AppData\Roaming\setup_akl64 (password=ardamax).exe Group: Malware file Last Updated: October 15, 2021
8.	MAI.exe	e40fa583acd317b71575596bd8bc10b8	3
Name: MAI.exe MD5: e40fa583acd317b71575596bd8bc10b8 Size: 1.83 MB (1830400 bytes) Detections: 3 Type: Executable File Path: %PROGRAMFILES(x86)%\MAI Group: Malware file Last Updated: August 27, 2012
9.	MSQ.exe	f22340c8c0caad1136de9bec84c82281	3
Name: MSQ.exe MD5: f22340c8c0caad1136de9bec84c82281 Size: 1.82 MB (1829888 bytes) Detections: 3 Type: Executable File Path: %USERPROFILE%\Desktop\ketlog\MSQ Group: Malware file Last Updated: August 11, 2020
10.	ELU.exe	785197d7f66a482b64c5ae297016d24e	3
Name: ELU.exe MD5: 785197d7f66a482b64c5ae297016d24e Size: 1.83 MB (1830400 bytes) Detections: 3 Type: Executable File Path: %WINDIR%\system32\NWXJWM Group: Malware file Last Updated: October 30, 2012
11.	POL.exe	8459b0ba642d016c60571a3ad31e6ec8	3
Name: POL.exe MD5: 8459b0ba642d016c60571a3ad31e6ec8 Size: 616.96 KB (616960 bytes) Detections: 3 Type: Executable File Path: %PROGRAMFILES(x86)%\POL Group: Malware file Last Updated: November 21, 2019
12.	setup_akl (password=ardamax).exe	725f36560115d2a096df3e499d6ba449	3
Name: setup_akl (password=ardamax).exe MD5: 725f36560115d2a096df3e499d6ba449 Size: 1.82 MB (1825918 bytes) Detections: 3 Type: Executable File Path: f:\pendrive blanca Group: Malware file Last Updated: October 15, 2021
13.	cssrs.exe	f1f1381529361201f120057295f3703d	2
Name: cssrs.exe MD5: f1f1381529361201f120057295f3703d Size: 220.16 KB (220160 bytes) Detections: 2 Type: Executable File Path: %WINDIR%\system32 Group: Malware file Last Updated: July 11, 2011
14.	TND.exe	a6c12264242dba831b32523a07688d4a	2
Name: TND.exe MD5: a6c12264242dba831b32523a07688d4a Size: 470.52 KB (470528 bytes) Detections: 2 Type: Executable File Path: %WINDIR%\system32\Sys Group: Malware file Last Updated: March 29, 2013
15.	QHI.exe	d5918580ed2951ab6b1a5a94719757ff	2
Name: QHI.exe MD5: d5918580ed2951ab6b1a5a94719757ff Size: 1.83 MB (1830400 bytes) Detections: 2 Type: Executable File Path: %WINDIR%\SysWOW64\YAINGK Group: Malware file Last Updated: March 29, 2013
16.	FYB.exe	14f067c0291ce6a4a4c4735ba7f4712d	2
Name: FYB.exe MD5: 14f067c0291ce6a4a4c4735ba7f4712d Size: 1.79 MB (1794560 bytes) Detections: 2 Type: Executable File Path: %ALLUSERSPROFILE%\FYB Group: Malware file Last Updated: March 4, 2013
17.	WDI.exe	ed53cef3e425639f180392ccf031f9ce	2
Name: WDI.exe MD5: ed53cef3e425639f180392ccf031f9ce Size: 1.83 MB (1830400 bytes) Detections: 2 Type: Executable File Path: %ALLUSERSPROFILE%\WDI Group: Malware file Last Updated: October 9, 2012
18.	NGK.exe	0aaffc12ef1b416b9276bdc3fdec9dff	2
Name: NGK.exe MD5: 0aaffc12ef1b416b9276bdc3fdec9dff Size: 1.54 MB (1544192 bytes) Detections: 2 Type: Executable File Path: %WINDIR%\SysWOW64\LJXVCN Group: Malware file Last Updated: February 11, 2013
19.	HWF.exe	647f311b471810298c1d0b3b43966d8c	2
Name: HWF.exe MD5: 647f311b471810298c1d0b3b43966d8c Size: 1.82 MB (1829888 bytes) Detections: 2 Type: Executable File Path: %WINDIR%\SysWOW64\ACDYGC Group: Malware file Last Updated: May 13, 2013
20.	UIB.exe	47d45da7bc718cef809ecec470987248	1
Name: UIB.exe MD5: 47d45da7bc718cef809ecec470987248 Size: 292.86 KB (292864 bytes) Detections: 1 Type: Executable File Path: %WINDIR%\system32 Group: Malware file Last Updated: February 7, 2011
21.	YHF.exe	ff5d248fc602b8d6fb11a7aa8cf27391	1
Name: YHF.exe MD5: ff5d248fc602b8d6fb11a7aa8cf27391 Size: 280.57 KB (280576 bytes) Detections: 1 Type: Executable File Path: %PROGRAMFILES%\YHF Group: Malware file Last Updated: November 1, 2011
22.	YEY.exe	53522c8c3b01191caae1e1e2692c42de	1
Name: YEY.exe MD5: 53522c8c3b01191caae1e1e2692c42de Size: 1.79 MB (1793024 bytes) Detections: 1 Type: Executable File Path: %PROGRAMFILES%\YEY Group: Malware file Last Updated: January 8, 2013
23.	YHH.exe	7f9e58f1df8721ed17066d08a769c73a	1
Name: YHH.exe MD5: 7f9e58f1df8721ed17066d08a769c73a Size: 1.82 MB (1829888 bytes) Detections: 1 Type: Executable File Path: %WINDIR%\SysWOW64\OWSNDV Group: Malware file Last Updated: November 2, 2012
24.	JTF.exe	ce6e2998fc31ef25e3771cd7be4f4e75	1
Name: JTF.exe MD5: ce6e2998fc31ef25e3771cd7be4f4e75 Size: 1.53 MB (1531904 bytes) Detections: 1 Type: Executable File Path: %PROGRAMFILES%\JTF Group: Malware file Last Updated: March 12, 2013
25.	VXJQ.exe	346114aaad81ab66017869909fe59a6d	0
Name: VXJQ.exe MD5: 346114aaad81ab66017869909fe59a6d Size: 483.84 KB (483840 bytes) Detections: 0 Type: Executable File Group: Malware file Last Updated: December 11, 2009
26.	svchost.exe	9b1569de016fbd9ae313976cf81f6839	0
Name: svchost.exe MD5: 9b1569de016fbd9ae313976cf81f6839 Size: 525.31 KB (525312 bytes) Detections: 0 Type: Executable File Group: Malware file Last Updated: December 11, 2009

More files

Registry Details

Keylogger.Ardamax may create the following registry entry or registry entries:

File name without path

setup (password=ardamax).exe

Regexp file mask

%APPDATA%\support\svchost.exe

HKEY_LOCAL_MACHINE\Software\[APPLICATION]\Microsoft\Windows\CurrentVersion\Uninstall..{Uninstaller}

Ardamax Keylogger

Directories

Keylogger.Ardamax may create the following directory or directories:

%ALLUSERSPROFILE%\auk

%ALLUSERSPROFILE%\cve

%WINDIR%\Syswow64\sys32

%WINDIR%\system32\sys32

Analysis Report

General information

Family Name:	Keylogger.Ardamax
Signature status:	No Signature

Known Samples

MD5: fd95ced96288d0c2d22d8044ab7f117d

SHA1: f2669903baeed765a23010f231141cfe4b94749c

SHA256: AB11EED347EDCD561D6EB09AD49849BB2468FB0A67A6E437286029C10DFBCC0E

File Size: 1.63 MB, 1625900 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have debug information
File doesn't have exports table
File doesn't have relocations information
File doesn't have security information
File is 32-bit executable
File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
File is Native application (NOT .NET application)
File is not packed

IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Files Modified

File	Attributes
c:\users\user\appdata\local\temp\nst3ed1.tmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nst3ed1.tmp\callansiplugin.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nst3ed1.tmp\callansiplugin.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nst3ed1.tmp\dcryptdll.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nst3ed1.tmp\dcryptdll.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nst3ed1.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nst3ed1.tmp\system.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nst3ed1.tmp\uac.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nst3ed1.tmp\uac.dll	Synchronize,Write Attributes

Registry Modifications

Key::Value	Data	API Name
HKCU\software\microsoft\windows\currentversion\explorer::slowcontextmenuentries		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\content::cacheprefix		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\cookies::cacheprefix	Cookie:	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\history::cacheprefix	Visited:	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old122e41\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old12352*1\??\C:\P	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKCU\software\microsoft\edge\blbeacon::failed_count		RegNtPreCreateKey
HKCU\software\microsoft\edge\blbeacon::state		RegNtPreCreateKey

HKCU\software\microsoft\edge\thirdparty::statuscodes	(NULL)	RegNtPreCreateKey
HKCU\software\microsoft\edge\thirdparty::statuscodes		RegNtPreCreateKey
HKCU\software\microsoft\edge\elfbeacon::version	143.0.3650.96	RegNtPreCreateKey
HKCU\software\microsoft\edge\blbeacon::failed_count		RegNtPreCreateKey
HKCU\software\microsoft\edge\blbeacon::state		RegNtPreCreateKey

Windows API Usage

Category	API
Process Manipulation Evasion	NtUnmapViewOfSection ReadProcessMemory
Process Shell Execute	CreateProcess ShellExecute
Syscall Use	ntdll.dll!NtAccessCheck ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtApphelpCacheControl ntdll.dll!NtAssociateWaitCompletionPacket ntdll.dll!NtClose ntdll.dll!NtCreateFile ntdll.dll!NtCreateMutant ntdll.dll!NtCreateSection ntdll.dll!NtCreateSemaphore ntdll.dll!NtDeleteValueKey Show More ntdll.dll!NtDuplicateToken ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtMapViewOfSection ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenProcessTokenEx ntdll.dll!NtOpenSection ntdll.dll!NtOpenThreadTokenEx ntdll.dll!NtPowerInformation ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryLicenseValue ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQuerySecurityObject ntdll.dll!NtQuerySystemInformation ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtReadRequestData ntdll.dll!NtReleaseMutant ntdll.dll!NtReleaseWorkerFactoryWorker ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationVirtualMemory ntdll.dll!NtSetInformationWorkerFactory ntdll.dll!NtSetValueKey ntdll.dll!NtTestAlert ntdll.dll!NtWaitForSingleObject ntdll.dll!NtWaitForWorkViaWorkerFactory ntdll.dll!NtWriteFile UNKNOWN

Shell Command Execution


							open http://www.ardamax.com/keylogger/


							"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://www.ardamax.com/keylogger/

EnigmaSoft’s Payment Processor Digital River GmbH Filing for Bankruptcy Does Not Impact SpyHunter Customers’ Anti-Malware Protection

Search

Change Region

Keylogger.Ardamax

Threat Scorecard

EnigmaSoft Threat Scorecard

Aliases

File System Details

Registry Details

Directories

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Icons

File Icons

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Related Posts

Keylogger.Ardamax.F

Keylogger.Ardamax.AC

Keylogger.Ardamax.C

Trending

Bingo Master Ads

cPanel Account Suspension Email Scam

Standard Bank Account Statement Scam

Most Viewed

How To Fix 'Printer Driver is Unavailable' Error

Discord Shows Black Screen when Sharing Screen

Discord Is Stuck on Gray Screen