Malware Analysis Report

2024-11-13 16:14

Sample ID 240410-wasyaaac61
Target eba2a39642c4b7ce44b43e04056633e8_JaffaCakes118
SHA256 dfbddd593573d22f463ddb6d75e59aa37dae2b7c130d81fb7a79c57457d7cab8
Tags
lokibot agilenet collection spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dfbddd593573d22f463ddb6d75e59aa37dae2b7c130d81fb7a79c57457d7cab8

Threat Level: Known bad

The file eba2a39642c4b7ce44b43e04056633e8_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

lokibot agilenet collection spyware stealer trojan

Lokibot

Obfuscated with Agile.Net obfuscator

Executes dropped EXE

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

outlook_office_path

Suspicious behavior: EnumeratesProcesses

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-10 17:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-10 17:43

Reported

2024-04-10 17:46

Platform

win7-20231129-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eba2a39642c4b7ce44b43e04056633e8_JaffaCakes118.exe"

Signatures

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Local\Temp\eba2a39642c4b7ce44b43e04056633e8_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Users\Admin\AppData\Local\Temp\eba2a39642c4b7ce44b43e04056633e8_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Users\Admin\AppData\Local\Temp\eba2a39642c4b7ce44b43e04056633e8_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e210f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Users\Admin\AppData\Local\Temp\eba2a39642c4b7ce44b43e04056633e8_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\eba2a39642c4b7ce44b43e04056633e8_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\eba2a39642c4b7ce44b43e04056633e8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\eba2a39642c4b7ce44b43e04056633e8_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 www.microsoft.com udp
NL 23.62.61.194:443 www.bing.com tcp
GB 142.250.178.4:443 www.google.com tcp
NL 23.62.61.97:443 www.bing.com tcp

Files

memory/1364-0-0x0000000000390000-0x000000000042E000-memory.dmp

memory/1364-1-0x0000000074D90000-0x000000007547E000-memory.dmp

memory/1364-2-0x0000000004CD0000-0x0000000004D10000-memory.dmp

memory/1364-17-0x0000000074D90000-0x000000007547E000-memory.dmp

memory/1364-18-0x0000000004CD0000-0x0000000004D10000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-10 17:43

Reported

2024-04-10 17:46

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eba2a39642c4b7ce44b43e04056633e8_JaffaCakes118.exe"

Signatures

Lokibot

trojan spyware stealer lokibot

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2820 set thread context of 5088 N/A C:\Users\Admin\AppData\Local\Temp\eba2a39642c4b7ce44b43e04056633e8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\eba2a39642c4b7ce44b43e04056633e8_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2820 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\eba2a39642c4b7ce44b43e04056633e8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 2820 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\eba2a39642c4b7ce44b43e04056633e8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 2820 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\eba2a39642c4b7ce44b43e04056633e8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 2820 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\eba2a39642c4b7ce44b43e04056633e8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 2820 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\eba2a39642c4b7ce44b43e04056633e8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 2820 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\eba2a39642c4b7ce44b43e04056633e8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 2820 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\eba2a39642c4b7ce44b43e04056633e8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 2820 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\eba2a39642c4b7ce44b43e04056633e8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 2820 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\eba2a39642c4b7ce44b43e04056633e8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\eba2a39642c4b7ce44b43e04056633e8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\eba2a39642c4b7ce44b43e04056633e8_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 4.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 239.249.30.184.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 pualofficelogs.xyz udp
US 8.8.8.8:53 41.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 pualofficelogs.xyz udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files

memory/2820-0-0x0000000000290000-0x000000000032E000-memory.dmp

memory/2820-1-0x00000000749C0000-0x0000000075170000-memory.dmp

memory/2820-2-0x0000000005430000-0x00000000059D4000-memory.dmp

memory/2820-3-0x0000000004D40000-0x0000000004DD2000-memory.dmp

memory/2820-4-0x0000000004E80000-0x00000000051D4000-memory.dmp

memory/2820-5-0x00000000052A0000-0x000000000533C000-memory.dmp

memory/2820-6-0x0000000005290000-0x00000000052A0000-memory.dmp

memory/2820-7-0x0000000005400000-0x0000000005428000-memory.dmp

memory/2820-8-0x00000000068F0000-0x0000000006956000-memory.dmp

memory/2820-9-0x00000000068B0000-0x00000000068D2000-memory.dmp

memory/2820-10-0x0000000005290000-0x00000000052A0000-memory.dmp

memory/2820-11-0x00000000749C0000-0x0000000075170000-memory.dmp

memory/2820-12-0x0000000005290000-0x00000000052A0000-memory.dmp

memory/2820-13-0x0000000005290000-0x00000000052A0000-memory.dmp

memory/2820-15-0x0000000006B40000-0x0000000006B54000-memory.dmp

memory/2820-16-0x0000000009660000-0x0000000009666000-memory.dmp

memory/5088-18-0x0000000000400000-0x00000000004A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

MD5 9827ff3cdf4b83f9c86354606736ca9c
SHA1 e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723
SHA256 c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a
SHA512 8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

memory/5088-22-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2820-23-0x00000000749C0000-0x0000000075170000-memory.dmp

memory/5088-24-0x0000000000400000-0x00000000004A2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-557049126-2506969350-2798870634-1000\0f5007522459c86e95ffcc62f32308f1_571594ad-b717-4cea-93ae-747ab327a92a

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-557049126-2506969350-2798870634-1000\0f5007522459c86e95ffcc62f32308f1_571594ad-b717-4cea-93ae-747ab327a92a

MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

memory/5088-67-0x0000000000400000-0x00000000004A2000-memory.dmp