Analysis Overview
SHA256
f9f5c4b1c131a8855e7e48bcf71a8770f43d66d48092534a3abad57109574c43
Threat Level: Known bad
The file c8056ae3550f96b2bd901796bede1537_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Trickbot x86 loader
Trickbot
Stops running service(s)
Loads dropped DLL
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Drops file in System32 directory
Launches sc.exe
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-29 01:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-29 01:48
Reported
2024-08-29 01:50
Platform
win7-20240708-en
Max time kernel
134s
Max time network
120s
Command Line
Signatures
Trickbot
Trickbot x86 loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c8056ae3550f96b2bd901796bede1537_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c8056ae3550f96b2bd901796bede1537_JaffaCakes118.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c8056ae3550f96b2bd901796bede1537_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\c8056ae3550f96b2bd901796bede1537_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c8056ae3550f96b2bd901796bede1537_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
C:\Windows\SysWOW64\cmd.exe
/c sc delete WinDefend
C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe
C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe
C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
C:\Windows\SysWOW64\cmd.exe
/c sc delete WinDefend
C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\taskeng.exe
taskeng.exe {D532ACC5-8170-405F-9709-EE3831FD7E1E} S-1-5-18:NT AUTHORITY\System:Service:
C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe
C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe
C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
Network
Files
C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe
| MD5 | c8056ae3550f96b2bd901796bede1537 |
| SHA1 | 1419cd277acde2f228361c586fe7cd002734ca2b |
| SHA256 | f9f5c4b1c131a8855e7e48bcf71a8770f43d66d48092534a3abad57109574c43 |
| SHA512 | 20a385c705fc2ee50a135e2d733024cef9e65cc7b6ebc4df45079fb228affcc5b4ed5056894f88e8df3033a6b6426fbe32242e4e4072aab4e3ce3bfea19bacab |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | c718c4a32c32af239c85a750c812ac89 |
| SHA1 | 43450335cacc82afe61ab87c4355cb4679360d01 |
| SHA256 | 40fad21393bdabeba960eb71ccb0fe96f36349b0e766edfbae2d7182b4882ea5 |
| SHA512 | a67f1ccf7de66a95e5de3ccf0a0dc6751b5bf9e7fb0cef0c255b3a3657fac9d6857ab9d929f8b33b890451f91d094cc932ac936ed8c415f9dffb9a14fb68b08c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-29 01:48
Reported
2024-08-29 01:50
Platform
win10v2004-20240802-en
Max time kernel
135s
Max time network
128s
Command Line
Signatures
Trickbot
Trickbot x86 loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c8056ae3550f96b2bd901796bede1537_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\c8056ae3550f96b2bd901796bede1537_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c8056ae3550f96b2bd901796bede1537_JaffaCakes118.exe"
C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe
C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe
C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe
C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| IN | 103.47.168.72:449 | | tcp |
| IN | 103.47.168.72:449 | | tcp |
Files
C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe
| MD5 | c8056ae3550f96b2bd901796bede1537 |
| SHA1 | 1419cd277acde2f228361c586fe7cd002734ca2b |
| SHA256 | f9f5c4b1c131a8855e7e48bcf71a8770f43d66d48092534a3abad57109574c43 |
| SHA512 | 20a385c705fc2ee50a135e2d733024cef9e65cc7b6ebc4df45079fb228affcc5b4ed5056894f88e8df3033a6b6426fbe32242e4e4072aab4e3ce3bfea19bacab |
C:\Users\Admin\AppData\Roaming\cleanmem\settings.ini
| MD5 | 25dd3316497b3be3c08a5937b9d15437 |
| SHA1 | 4134cc4ca8ef78eb528254d2e25f16375caef900 |
| SHA256 | 03a4dd1c8fd004200f3687277bf25e09a61872305aebccdeed30d222e74fb2ee |
| SHA512 | 0e322d2bcf901ee54dc9731d09583b4c9a6694a417e581af597217d48eed7673e195149aedb3969ea91b4c83926e24704c5baae1eede7d0c7d9b9a4869eb40eb |