Malware Analysis Report

2024-10-19 01:01

Sample ID 240829-b74e3azapn
Target c8056ae3550f96b2bd901796bede1537_JaffaCakes118
SHA256 f9f5c4b1c131a8855e7e48bcf71a8770f43d66d48092534a3abad57109574c43
Tags
trickbot banker discovery evasion execution trojan
score
10/10

Analysis Overview

score
10/10

SHA256

f9f5c4b1c131a8855e7e48bcf71a8770f43d66d48092534a3abad57109574c43

Threat Level: Known bad

The file c8056ae3550f96b2bd901796bede1537_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

trickbot banker discovery evasion execution trojan

Trickbot x86 loader

Trickbot

Stops running service(s)

Loads dropped DLL

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Drops file in System32 directory

Launches sc.exe

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-29 01:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-29 01:48

Reported

2024-08-29 01:50

Platform

win7-20240708-en

Max time kernel

134s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c8056ae3550f96b2bd901796bede1537_JaffaCakes118.exe"

Signatures

Trickbot

trojan banker trickbot

Trickbot x86 loader

Description Indicator Process Target
N/A N/A N/A N/A

Stops running service(s)

evasion execution

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c8056ae3550f96b2bd901796bede1537_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2092 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\c8056ae3550f96b2bd901796bede1537_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\c8056ae3550f96b2bd901796bede1537_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\c8056ae3550f96b2bd901796bede1537_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\c8056ae3550f96b2bd901796bede1537_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe
PID 2132 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2116 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2824 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe C:\Windows\system32\svchost.exe
PID 2228 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2792 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c8056ae3550f96b2bd901796bede1537_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c8056ae3550f96b2bd901796bede1537_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

/c sc stop WinDefend

C:\Windows\SysWOW64\cmd.exe

/c sc delete WinDefend

C:\Windows\SysWOW64\cmd.exe

/c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe

C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe

C:\Windows\SysWOW64\sc.exe

sc delete WinDefend

C:\Windows\SysWOW64\sc.exe

sc stop WinDefend

C:\Windows\SysWOW64\cmd.exe

/c sc stop WinDefend

C:\Windows\SysWOW64\cmd.exe

/c sc delete WinDefend

C:\Windows\SysWOW64\cmd.exe

/c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\sc.exe

sc stop WinDefend

C:\Windows\SysWOW64\sc.exe

sc delete WinDefend

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\system32\taskeng.exe

taskeng.exe {D532ACC5-8170-405F-9709-EE3831FD7E1E} S-1-5-18:NT AUTHORITY\System:Service:

C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe

C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe

C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe

MD5 c8056ae3550f96b2bd901796bede1537
SHA1 1419cd277acde2f228361c586fe7cd002734ca2b
SHA256 f9f5c4b1c131a8855e7e48bcf71a8770f43d66d48092534a3abad57109574c43
SHA512 20a385c705fc2ee50a135e2d733024cef9e65cc7b6ebc4df45079fb228affcc5b4ed5056894f88e8df3033a6b6426fbe32242e4e4072aab4e3ce3bfea19bacab

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 c718c4a32c32af239c85a750c812ac89
SHA1 43450335cacc82afe61ab87c4355cb4679360d01
SHA256 40fad21393bdabeba960eb71ccb0fe96f36349b0e766edfbae2d7182b4882ea5
SHA512 a67f1ccf7de66a95e5de3ccf0a0dc6751b5bf9e7fb0cef0c255b3a3657fac9d6857ab9d929f8b33b890451f91d094cc932ac936ed8c415f9dffb9a14fb68b08c

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-29 01:48

Reported

2024-08-29 01:50

Platform

win10v2004-20240802-en

Max time kernel

135s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c8056ae3550f96b2bd901796bede1537_JaffaCakes118.exe"

Signatures

Trickbot

trojan banker trickbot

Trickbot x86 loader

Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c8056ae3550f96b2bd901796bede1537_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4704 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\c8056ae3550f96b2bd901796bede1537_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe
PID 4264 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe C:\Windows\system32\svchost.exe
PID 100 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe C:\Windows\system32\svchost.exe
PID 216 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe C:\Windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c8056ae3550f96b2bd901796bede1537_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c8056ae3550f96b2bd901796bede1537_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe

C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe

C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe

C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
IN 103.47.168.72:449 tcp
IN 103.47.168.72:449 tcp
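Most rows in the Network table above are the sandbox's own Windows 10 image talking to Bing/Spotlight and doing reverse (PTR) lookups through 8.8.8.8; the two direct-to-IP connections to 103.47.168.72 on tcp/449 with no preceding DNS answer are what an analyst keeps. The script below is an added example by the editor, not part of the report: it parses the table rows as rendered, drops the background traffic and returns the surviving (ip, port) pairs. The benign-suffix allowlist, the resolver set and the "tcp/449 is Trickbot-like" reason string are the editor's assumptions.

```python
"""Triage of the report's Network table: drop traffic a Windows VM produces
on its own and keep what is left as candidate C2.

Added example by the editor, not part of the sandbox report. The noise
allowlist and the 'tcp/449 is Trickbot-like' heuristic are assumptions.
"""
from __future__ import annotations

import re
from collections import Counter
from typing import NamedTuple


class Conn(NamedTuple):
    country: str
    ip: str
    port: int
    domain: str  # empty when the connection was not preceded by a DNS answer
    proto: str


# Rows copied from the report's Network table above (a representative subset).
NETWORK_TABLE = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
IN 103.47.168.72:449 tcp
IN 103.47.168.72:449 tcp
"""

# "CC ip:port [domain] proto"; the domain column is empty for direct-to-IP rows.
ROW = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)

# Assumption: background traffic of the sandbox's Windows image. PTR lookups
# and Bing/Spotlight telemetry are not produced by the sample.
DNS_RESOLVERS = {"8.8.8.8"}
BENIGN_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")


def parse_rows(text: str) -> list[Conn]:
    conns = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            conns.append(Conn(m["cc"], m["ip"], int(m["port"]), m["domain"] or "", m["proto"]))
    return conns


def is_background(c: Conn) -> bool:
    """DNS chatter to the configured resolver, or a domain on the allowlist."""
    if c.proto == "udp" and c.port == 53 and c.ip in DNS_RESOLVERS:
        return True
    return c.domain.endswith(BENIGN_SUFFIXES)


def c2_candidates(conns: list[Conn]) -> dict[tuple[str, int], int]:
    """(ip, port) -> connection count for everything that survives the filter."""
    return dict(Counter((c.ip, c.port) for c in conns if not is_background(c)))


def why_suspicious(c: Conn) -> list[str]:
    """Reasons an analyst would attach to a surviving row (heuristics, see above)."""
    reasons = []
    if not c.domain:
        reasons.append("direct-to-IP TCP with no DNS lookup (hard-coded C2 list)")
    if c.port == 449:
        reasons.append("tcp/449, a non-standard port Trickbot C2 servers have used")
    return reasons


if __name__ == "__main__":
    conns = parse_rows(NETWORK_TABLE)
    for (ip, port), n in c2_candidates(conns).items():
        row = next(c for c in conns if (c.ip, c.port) == (ip, port))
        print(f"{ip}:{port} ({row.country}) x{n}: " + "; ".join(why_suspicious(row)))
```

Run as-is it reports only 103.47.168.72:449 (two connections). The allowlist is deliberately tiny: extend it from a clean-VM baseline of the same image rather than from a general "known good" list, otherwise a C2 on a CDN would be filtered along with the telemetry.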

Files

memory/4704-3-0x0000000002220000-0x0000000002221000-memory.dmp

memory/4704-4-0x0000000002220000-0x0000000002221000-memory.dmp

memory/4704-2-0x0000000002220000-0x0000000002221000-memory.dmp

memory/4704-16-0x0000000002230000-0x000000000225B000-memory.dmp

memory/4704-18-0x0000000000400000-0x000000000048B000-memory.dmp

memory/4704-15-0x0000000000412000-0x0000000000413000-memory.dmp

memory/4704-14-0x0000000002220000-0x0000000002221000-memory.dmp

memory/4704-13-0x0000000002220000-0x0000000002221000-memory.dmp

memory/4704-12-0x0000000002220000-0x0000000002221000-memory.dmp

memory/4704-11-0x0000000002220000-0x0000000002221000-memory.dmp

memory/4704-10-0x0000000002220000-0x0000000002221000-memory.dmp

memory/4704-9-0x0000000002220000-0x0000000002221000-memory.dmp

memory/4704-8-0x0000000002220000-0x0000000002221000-memory.dmp

memory/4704-7-0x0000000002220000-0x0000000002221000-memory.dmp

memory/4704-6-0x0000000002220000-0x0000000002221000-memory.dmp

memory/4704-5-0x0000000002220000-0x0000000002221000-memory.dmp

C:\Users\Admin\AppData\Roaming\cleanmem\c9067ae3660f97b2bd901897bede1638_KaffaDalet119.exe

MD5 c8056ae3550f96b2bd901796bede1537
SHA1 1419cd277acde2f228361c586fe7cd002734ca2b
SHA256 f9f5c4b1c131a8855e7e48bcf71a8770f43d66d48092534a3abad57109574c43
SHA512 20a385c705fc2ee50a135e2d733024cef9e65cc7b6ebc4df45079fb228affcc5b4ed5056894f88e8df3033a6b6426fbe32242e4e4072aab4e3ce3bfea19bacab

memory/4264-35-0x0000000000650000-0x0000000000651000-memory.dmp

memory/4264-26-0x0000000000650000-0x0000000000651000-memory.dmp

memory/4264-37-0x0000000000650000-0x0000000000651000-memory.dmp

memory/4264-45-0x0000000000400000-0x000000000048B000-memory.dmp

memory/4264-41-0x0000000010000000-0x0000000010007000-memory.dmp

memory/4264-40-0x0000000010000000-0x0000000010007000-memory.dmp

memory/4264-36-0x0000000000650000-0x0000000000651000-memory.dmp

memory/4264-34-0x0000000000650000-0x0000000000651000-memory.dmp

memory/4264-33-0x0000000000650000-0x0000000000651000-memory.dmp

memory/3148-47-0x0000000010000000-0x0000000010020000-memory.dmp

memory/3148-51-0x0000020D18670000-0x0000020D18671000-memory.dmp

memory/3148-46-0x0000000010000000-0x0000000010020000-memory.dmp

memory/4264-32-0x0000000000650000-0x0000000000651000-memory.dmp

memory/4264-31-0x0000000000650000-0x0000000000651000-memory.dmp

memory/4264-30-0x0000000000650000-0x0000000000651000-memory.dmp

memory/4264-29-0x0000000000650000-0x0000000000651000-memory.dmp

memory/4264-28-0x0000000000650000-0x0000000000651000-memory.dmp

memory/4264-27-0x0000000000650000-0x0000000000651000-memory.dmp

memory/4264-52-0x0000000002890000-0x000000000294E000-memory.dmp

memory/4264-53-0x0000000002D70000-0x0000000003039000-memory.dmp

memory/100-58-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

memory/100-59-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

memory/100-60-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

memory/100-61-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

memory/100-62-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

memory/100-65-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

memory/100-68-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

memory/100-67-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

memory/100-66-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

memory/100-64-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

memory/100-63-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

memory/100-71-0x0000000000400000-0x000000000048B000-memory.dmp

memory/100-70-0x0000000000412000-0x0000000000413000-memory.dmp

memory/100-69-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

C:\Users\Admin\AppData\Roaming\cleanmem\settings.ini

MD5 25dd3316497b3be3c08a5937b9d15437
SHA1 4134cc4ca8ef78eb528254d2e25f16375caef900
SHA256 03a4dd1c8fd004200f3687277bf25e09a61872305aebccdeed30d222e74fb2ee
SHA512 0e322d2bcf901ee54dc9731d09583b4c9a6694a417e581af597217d48eed7673e195149aedb3969ea91b4c83926e24704c5baae1eede7d0c7d9b9a4869eb40eb
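The memory/PID-seq-start-end-memory.dmp names in the Files list encode which process a dump came from and the address range it covers, so they can be triaged before any dump is opened: three processes (4704, 4264, 100) each carry a dump at 0x400000-0x48B000, the same size in all three, consistent with the sample and its Roaming\cleanmem copy (identical hashes above) being unpacked in place; PID 3148 has no image-base dump but a 0x20000-byte region at 0x10000000, i.e. code that was written into a process not started from the sample's PE. The script below is an added example by the editor, not part of the report. It assumes 0x400000 is the 32-bit EXE image base and treats a multi-page region in a process without an image dump as injected code; the report does not bind PIDs to process names in this excerpt, and identifying 3148 with the svchost.exe target of the WriteProcessMemory rows is an inference.

```python
"""Triage of the 'memory/<pid>-<seq>-<start>-<end>-memory.dmp' artifacts in
the Files list: group them per process and point at the dumps worth opening.

Added example by the editor, not part of the report. The heuristics (0x400000
as the 32-bit EXE image base; multi-page regions in a process with no image
dump are injected code) are assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict

DUMP_NAME = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

# Subset of the dump names copied from the Files list above.
DUMPS = """
memory/4704-3-0x0000000002220000-0x0000000002221000-memory.dmp
memory/4704-16-0x0000000002230000-0x000000000225B000-memory.dmp
memory/4704-18-0x0000000000400000-0x000000000048B000-memory.dmp
memory/4264-41-0x0000000010000000-0x0000000010007000-memory.dmp
memory/4264-45-0x0000000000400000-0x000000000048B000-memory.dmp
memory/4264-52-0x0000000002890000-0x000000000294E000-memory.dmp
memory/4264-53-0x0000000002D70000-0x0000000003039000-memory.dmp
memory/3148-47-0x0000000010000000-0x0000000010020000-memory.dmp
memory/3148-51-0x0000020D18670000-0x0000020D18671000-memory.dmp
memory/100-71-0x0000000000400000-0x000000000048B000-memory.dmp
"""

PAGE = 0x1000
IMAGE_BASE = 0x400000  # default base of a non-relocated 32-bit EXE (assumption)


def parse_dumps(text: str) -> dict[int, list[tuple[int, int, int]]]:
    """pid -> [(seq, start, size)]; size is derived from the range in the name."""
    regions: dict[int, list[tuple[int, int, int]]] = defaultdict(list)
    for m in DUMP_NAME.finditer(text):
        start, end = int(m["start"], 16), int(m["end"], 16)
        regions[int(m["pid"])].append((int(m["seq"]), start, end - start))
    return dict(regions)


def image_dumps(regions, image_base=IMAGE_BASE) -> dict[int, int]:
    """pid -> size of the dump at the image base. Equal sizes across PIDs point
    at the same PE being unpacked in each process."""
    return {pid: size for pid, regs in regions.items()
            for _, start, size in regs if start == image_base}


def injection_targets(regions, image_base=IMAGE_BASE) -> list[tuple[int, int, int]]:
    """Regions larger than one page in a process that has no image-base dump:
    that process was not started from the sample's PE, so the code was written
    into it (single-page dumps are usually scratch data and are skipped)."""
    out = []
    for pid, regs in regions.items():
        if any(start == image_base for _, start, _ in regs):
            continue
        out.extend((pid, start, size) for _, start, size in regs if size > PAGE)
    return out


def largest_region(regions, pid) -> tuple[int, int, int]:
    """The biggest dump of a process is the first one to open: in an unpacker
    it is typically the decrypted payload or configuration."""
    return max(regions[pid], key=lambda r: r[2])


def uses_64bit_addresses(regions, pid) -> bool:
    """A start above 4 GiB means the dumped process has a 64-bit address space."""
    return any(start > 0xFFFFFFFF for _, start, _ in regions[pid])


if __name__ == "__main__":
    regions = parse_dumps(DUMPS)
    print("image dumps:", {p: hex(s) for p, s in image_dumps(regions).items()})
    for pid, start, size in injection_targets(regions):
        print(f"injected region in pid {pid}: {start:#x} (+{size:#x}), "
              f"64-bit address space={uses_64bit_addresses(regions, pid)}")
    for pid in regions:
        seq, start, size = largest_region(regions, pid)
        print(f"pid {pid}: largest dump seq {seq} at {start:#x} size {size:#x}")
```

On the rows above this yields the 0x8B000-byte image dumps for 4704, 4264 and 100, a single injected region (3148 at 0x10000000, 0x20000 bytes) and, for 4264, the 0x2C9000-byte dump at 0x2D70000 as the first one worth loading into a disassembler. The seq number in the name is the sandbox's dump order, so for a given address range the highest seq is the latest state of that memory.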