ardamax | 5e33b40c87958c4419cdbfbada2139df35c4cd74fbdcf8f66ee5ec40790429a0

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
Size

702KB
MD5

abe12539eb925c14706dcdd910b213c2
SHA1

80e045beff01ca43ee33aeed6e9cd8332bafeea5
SHA256

5e33b40c87958c4419cdbfbada2139df35c4cd74fbdcf8f66ee5ec40790429a0
SHA512

b70199e7b3b128005802bf4cfb50b005bd539f3d8694d18fa1d2c455be9a7fae96e9f77e228aa0ba406d1ac4883b354578727e6e6cebeda4b729e0ec491f2f21
SSDEEP

12288:S0KOUxpcOoZetp6HZK/FmVtpedrTmA9vuvHj5SM6Sh5vHfzpW4HZ6FylI:Bypc5oNmQdPmA92vHjc9S/v7pW+mkI

Score

10^/10

ardamax discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b8e-35.dat	family_ardamax

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Exporer32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
4808	Exporer32.exe
2060	NXLJ.exe
3016	crackerelgrande14505.exe

Loads dropped DLL 5 IoCs

pid	Process
4808	Exporer32.exe
2060	NXLJ.exe
2060	NXLJ.exe
2060	NXLJ.exe
3016	crackerelgrande14505.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys\NXLJ.exe	Exporer32.exe
File created	C:\Windows\SysWOW64\Sys\AKV.exe	Exporer32.exe
File opened for modification	C:\Windows\SysWOW64\Sys	NXLJ.exe
File created	C:\Windows\SysWOW64\Sys\NXLJ.001	Exporer32.exe
File created	C:\Windows\SysWOW64\Sys\NXLJ.006	Exporer32.exe
File created	C:\Windows\SysWOW64\Sys\NXLJ.007	Exporer32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PCGWIN32.LI4	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exporer32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NXLJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crackerelgrande14505.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{193A182A-481A7B99-3AA599F9-D8D90F3C}	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{193A182A-481A7B99-3AA599F9-D8D90F3C}\ = a949cc017c5bf0e901a47ceb3126c8cb01c15ccc6cdca01160278615f4a7f74a75204bb6a67a3af0480582686f7cbdb2cc761e4ad25e1e6c45e3ab86fc0fe0c26f6e7d02f35ef12c449eaa53e1d13fe78d5ae09666258a74e6cacb19be9373eef97db4f3f446b7247578c7c80a6361c94300c952a06ef9fc088d04dca82d65ff38b2b0ff7b72f1f0343d7a333649fa43492e47c3c51ef7927a1948ab84e6696a3b007178cff45d0aef467d5acfd65d24ef54bd64f0e848fe380d34c30aa626f584384932e74ee55c54d0981329913f984dac0361c977a345c62b5ab910776485b4db87d6e56af49889d05c2dd2df9112d326960464bac64f053d1b8f915d60af15bda7f0aa3526c79a9ad1d15f6ced9c63d1212797856ac42078b8f44e05dc37ec859f646d37df85edb8a0cf9afd514c93011e6852bf987250469c54d266df6a6d4663b4d1b424bb4a09983b1049162364c10a7098b317fe65b3f7818ab8ffb44d07a3dae96804589aea91c7d73aea8881e5403b93b1e68fda822f801d252fd4bd9b7011caebf8190913df29d2a3e09199d86c92de6fecdd7dd0b3940697655a3891f1d84fd05d2590e7161a9a6e289c1e126d584314d9e6d75b9a29a89b3d11cf17225a4868a2de16ad649f3692346fc4a2e520189aed10df28d27f05da62f95f90609d35a1e56252ae51e066c2d1252992996bdb463abe943ded49d3ccf854e84f273c966129b9edc828c55c27056c	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{193A182A-481A7B99-3AA599F9-D8D90F3C}\ = a949cc017c5bf0e901a47ceb3126c8cb01c15ccc6cdca01160278615f4a7f74a75204bb6a67a3af0480582686f7cbdb2cc761e4ad25e1e6c527e5872fb0fe0c26f6e7d02f35ef12c449eaa53e1d13fe78d5ae09666258a74e6cacb19be9373eef97db4f3f446b7247578c7c80a6361c94300c952a06ef9fc088d04dca82d65ff38b2b0ff7b72f1f0343d7a333649fa43492e47c3c51ef7927a1948ab84e6696a3b007178cff45d0aef467d5acfd65d24ef54bd64f0e848fe380d34c30aa626f584384932e74ee55c54d0981329913f984dac0361c977a345c62b5ab910776485b4db87d6e56af49889d05c2dd2df9112d326960464bac64f053d1b8f915d60af15bda7f0aa3526c79a9ad1d15f6ced9c63d1212797856ac42078b8f44e05dc37ec859f646d37df85edb8a0cf9afd514c93011e6852bf987250469c54d266df6a6d4663b4d1b424bb4a09983b1049162364c10a7098b317fe65b3f7818ab8ffb44d07a3dae96804589aea91c7d73aea8881e5403b93b1e68fda822f801d252fd4bd9b7011caebf8190913df29d2a3e09199d86c92de6fecdd7dd0b3940697655a3891f1d84fd05d2590e7161a9a6e289c1e126d584314d9e6d75b9a29a89b3d11cf17225a4868a2de16ad649f3692346fc4a2e520189aed10df28d27f05da62f95f90609d35a1e56252ae51e066c2d1252992996bdb463abe943ded49d3ccf854e84f273c966129b9edc828c50b61d671	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{D50DBC70-EDF2330C-38FF8F7C}	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\{D50DBC70-EDF2330C-38FF8F7C}\ = "3427902422"	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{193A182A-481A7B99-3AA599F9-D8D90F3C}\ = a949cc017c5bf0e901a47ceb3126c8cb01c15ccc6cdca01160278615f4a7f74a75204bb6a67a3af0480582686f7cbdb2cc761e4ad25e1e6c527e5872fb0fe0c2b9cd2ccef35ef12c449eaa53e1d13fe78d5ae09666258a74e6cacb19be9373eef97db4f3f446b7247578c7c80a6361c94300c952a06ef9fc088d04dca82d65ff38b2b0ff7b72f1f0343d7a333649fa43492e47c3c51ef7927a1948ab84e6696a3b007178cff45d0aef467d5acfd65d24ef54bd64f0e848fe380d34c30aa626f584384932e74ee55c54d0981329913f984dac0361c977a345c62b5ab910776485b4db87d6e56af49889d05c2dd2df9112d326960464bac64f053d1b8f915d60af15bda7f0aa3526c79a9ad1d15f6ced9c63d1212797856ac42078b8f44e05dc37ec859f646d37df85edb8a0cf9afd514c93011e6852bf987250469c54d266df6a6d4663b4d1b424bb4a09983b1049162364c10a7098b317fe65b3f7818ab8ffb44d07a3dae96804589aea91c7d73aea8881e5403b93b1e68fda822f801d252fd4bd9b7011caebf8190913df29d2a3e09199d86c92de6fecdd7dd0b3940697655a3891f1d84fd05d2590e7161a9a6e289c1e126d584314d9e6d75b9a29a89b3d11cf17225a4868a2de16ad649f3692346fc4a2e520189aed10df28d27f36b760f95f90609d35a1e56252ae51e066c2d1252992996bdb463abe943ded49d3ccf854e84f273c966129b9edc828c57b06e22c	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2060	NXLJ.exe
Token: SeIncBasePriorityPrivilege	2060	NXLJ.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
2060	NXLJ.exe
3016	crackerelgrande14505.exe
3016	crackerelgrande14505.exe
2060	NXLJ.exe
2060	NXLJ.exe
2060	NXLJ.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 4808	2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe	83
PID 2908 wrote to memory of 4808	2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe	83
PID 2908 wrote to memory of 4808	2908	abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe	83
PID 4808 wrote to memory of 2060	4808	Exporer32.exe	84
PID 4808 wrote to memory of 2060	4808	Exporer32.exe	84
PID 4808 wrote to memory of 2060	4808	Exporer32.exe	84
PID 4808 wrote to memory of 3016	4808	Exporer32.exe	85
PID 4808 wrote to memory of 3016	4808	Exporer32.exe	85
PID 4808 wrote to memory of 3016	4808	Exporer32.exe	85

C:\Users\Admin\AppData\Local\Temp\abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\abe12539eb925c14706dcdd910b213c2_JaffaCakes118.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\Exporer32.exe
  "C:\Users\Admin\AppData\Local\Temp\Exporer32.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Windows\SysWOW64\Sys\NXLJ.exe
    "C:\Windows\system32\Sys\NXLJ.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2060
- - C:\Users\Admin\AppData\Local\Temp\crackerelgrande14505.exe
    "C:\Users\Admin\AppData\Local\Temp\crackerelgrande14505.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@81C3.tmp

Filesize
4KB

MD5
b429300c8148810d2e6a8d40009fc124

SHA1
93ec9660cc0d68cadc6c7f44b35ea0a0ef684ae8

SHA256
98445d51b61014815fc43e44933e5dc126c4fe763545141e78ee1358e487b4b7

SHA512
47a1cfdba6c1e04a322116538a62b22d61cf6b31966e53cfe4e54eb75a58530a7636e3deffcfb7e96ff2bdae2b99c7bcb312685d1ceac2f79c118f6347bf2407

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exporer32.exe

Filesize
534KB

MD5
9be15f67eb0b2ebf7aa93afea86e4ba2

SHA1
b887fac7cfc1f8911b7174ae0848be83c3a8dfbb

SHA256
26550f0b37c019ab3ba5fd572d9bdbd44491c26ee564e44e0606aace7a793426

SHA512
87a7e7b3a9677eb3f583d86f5881097a6967121d57eb84e961e63fca4524c4091bde94b75b2fb8214c4600d5c01585e20da84e1d52fe0fb63ae416d76aef5f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\crackerelgrande14505.exe

Filesize
304KB

MD5
4110952edcfd2759acc7e617d898bb80

SHA1
fed4804ed5573b7f73da8e910c1c06ea8688f33d

SHA256
6b2e6bbb4a3631f3697126867be69b9058068dc91118ef510d2d043981b67785

SHA512
1943588cc2e0ebaf9abf3a56375f9c99af7fba10a9ab59bced6dfd945be23d21a789353ad4ae289f280345fd0d5f159a56aeefd27602c3d993e6161068f4c3c1

Download Submit
C:\Windows\SysWOW64\Sys\AKV.exe

Filesize
387KB

MD5
bcf6fab667525797024d0962e41e9b7b

SHA1
86b3d41b65eb4ed85c6610a4bb595df787bb2a6a

SHA256
916385eb000bc6011cac9b11d89fd08ffaaddf7d727f9c9bf0764bbcf905b877

SHA512
7e04832d129e3bacb4d4d83259ec02e1e6f5da4da742dbbf010345ccd90a0547e12fcca68da3cff284687a112f570ca269596512605715b3477ae99933afc82c

Download Submit
C:\Windows\SysWOW64\Sys\NXLJ.001

Filesize
3KB

MD5
aa4f77715add7cc635a8f8c16849dcc2

SHA1
43b3f0de95c0e651ecb6a444dbb8971c1a4742ff

SHA256
42555778b45b9c6c4b568993658e4d2449db269956ef0d009ca9807581ed8e77

SHA512
508138b8d9976e3da9e1354321a585d0eca5319b0fdcaf763da1d8af0b44ac49385d414d14826e79b7d3dd033c0d011b2eb7caf4be72c458cbb866662d142e83

Download Submit
C:\Windows\SysWOW64\Sys\NXLJ.006

Filesize
5KB

MD5
3a2ef41ad6d9415229e0b76ec6df1baf

SHA1
e72f2c0d664a4d2323872bd1f586ec60bb0a6342

SHA256
b7e321cf9dacead275e600c2b531e96a62c671e0a2d641e141acbefb509adf2b

SHA512
b8d5f62e7da21d4114f8764afb16bc409921935d3440f8e712740a50dd7a01f850cfda31f0a4b41e4f514d6bb64e407a83e8e034e5be65cddde27817c728caeb

Download Submit
C:\Windows\SysWOW64\Sys\NXLJ.007

Filesize
4KB

MD5
cb576a1e67ddeb42dc0e23a541cefdb8

SHA1
9684e67a013de4f0f5066856f553674db0f2749c

SHA256
8a9a4e62b646f072f6c1b5415b8461af96db307f59c4d32c9e4f455477ffc221

SHA512
e173475fbf9541daa6790133ceef4b8af414491c0a198e356ba1b1c2fcbdcf7044e8b8ae22d72f39b2b7b888e254fd742b9b09ae3c4e63fa64b5171508247942

Download Submit
C:\Windows\SysWOW64\Sys\NXLJ.exe

Filesize
468KB

MD5
4b64ea8b01e25e1af067d11698778ce4

SHA1
20c4d03590cc3ef10e0b3ddbfcdf6fbb41149847

SHA256
08b9f18c1098036ae8830caae054c451c66478490dcd4c653a01abaa937ee7c5

SHA512
5bea198540fa4dd9234017ec3e7a0cf79da4d3bc53cb715a3a6335567c08ff0871b886d6f4dd80e9f4e9df4cac8be392fc7d0e3456c14624583c6cf337ce65d0

Download Submit
memory/2060-57-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2060-65-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2908-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2908-30-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2908-31-0x0000000002170000-0x0000000002185000-memory.dmp

Filesize
84KB

Download
memory/2908-1-0x0000000002170000-0x0000000002185000-memory.dmp

Filesize
84KB

Download