Malware Analysis Report

2024-11-30 23:38

Sample ID 240417-qwe1nahg96
Target 3bab54a2bc096159964f2ddbcce93437dd97f3d9e00bca81dc37d5938afebe99
SHA256 3bab54a2bc096159964f2ddbcce93437dd97f3d9e00bca81dc37d5938afebe99
Tags
lokibot spyware stealer trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 3bab54a2bc096159964f2ddbcce93437dd97f3d9e00bca81dc37d5938afebe99 was found to be: Known bad.

Malicious Activity Summary

lokibot spyware stealer trojan

Lokibot

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-04-17 13:36

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 13:36

Reported

2024-04-17 13:40

Platform

win7-20240221-en

Max time kernel

205s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe"

Signatures

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2296 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe

"C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tLWNXdp.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tLWNXdp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6B22.tmp"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

C:\Users\Admin\AppData\Local\Temp\tmp6B22.tmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 13:36

Reported

2024-04-17 13:39

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe"

Signatures

Lokibot

trojan spyware stealer lokibot

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3192 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3192 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3192 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe C:\Windows\System32\schtasks.exe
PID 3192 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe

"C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tLWNXdp.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tLWNXdp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD983.tmp"

C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe

C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 239.249.30.184.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 72.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o1qrazjo.qof.ps1

C:\Users\Admin\AppData\Local\Temp\tmpD983.tmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
