Analysis Overview
SHA256
685a8fcb7894acbd04b96b69651870187dd9539a959a5b363522ce74b9ff741e
Threat Level: Known bad
The file PurchaseOrder.xls was found to be: Known bad.
Malicious Activity Summary
Lokibot family
Lokibot
Downloads MZ/PE file
Office macro that triggers on suspicious action
Suspicious Office macro
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
outlook_office_path
outlook_win_path
Suspicious use of SetWindowsHookEx
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-27 12:56
Signatures
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-27 12:56
Reported
2025-01-27 12:58
Platform
win7-20240903-en
Max time kernel
144s
Max time network
146s
Command Line
Signatures
Lokibot
Lokibot family
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 636 set thread context of 2204 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe |
| PID 636 set thread context of 2540 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe | N/A |
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PurchaseOrder.xls
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe"
Network
| Country | Destination | Domain | Proto |
| LV | 46.183.222.162:80 | 46.183.222.162 | tcp |
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe
| MD5 | 8896e46cdf15e1dae71e64d61464b8d2 |
| SHA1 | f64c70192d830dce8daca2531662521bc7439af0 |
| SHA256 | 6ecc82c2ba384129c19d83312baa7ccff19011a013b16f2459b29865484bfcab |
| SHA512 | 41716d412655fb55188e5ddb1a3e5517a2205c7bff49a3b98fc277b1a56a763a9009779787e8f0ba7c3265e4b05cf48c101b1ae0523f99e9296c9616bdf11b96 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-27 12:56
Reported
2025-01-27 12:58
Platform
win10v2004-20241007-en
Max time kernel
133s
Max time network
141s
Command Line
Signatures
Lokibot
Lokibot family
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 512 set thread context of 468 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe |
| PID 512 set thread context of 2104 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PurchaseOrder.xls"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| IE | 52.109.76.243:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 243.76.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| LV | 46.183.222.162:80 | 46.183.222.162 | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 162.222.183.46.in-addr.arpa | udp |
| NL | 85.31.47.84:5336 | 85.31.47.84 | tcp |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.47.31.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| NL | 85.31.47.84:5336 | 85.31.47.84 | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| NL | 85.31.47.84:5336 | 85.31.47.84 | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe
| MD5 | 8896e46cdf15e1dae71e64d61464b8d2 |
| SHA1 | f64c70192d830dce8daca2531662521bc7439af0 |
| SHA256 | 6ecc82c2ba384129c19d83312baa7ccff19011a013b16f2459b29865484bfcab |
| SHA512 | 41716d412655fb55188e5ddb1a3e5517a2205c7bff49a3b98fc277b1a56a763a9009779787e8f0ba7c3265e4b05cf48c101b1ae0523f99e9296c9616bdf11b96 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3442511616-637977696-3186306149-1000\0f5007522459c86e95ffcc62f32308f1_5ab270f5-f3a9-47d1-97d7-bbd50acf9955
| MD5 | d898504a722bff1524134c6ab6a5eaa5 |
| SHA1 | e0fdc90c2ca2a0219c99d2758e68c18875a3e11e |
| SHA256 | 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9 |
| SHA512 | 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61 |