Malware Analysis Report

2024-10-23 15:30

Sample ID 240502-ch8h6aea5t
Target b3f11a399dfa61522c1a34722779316eae8c21afcc120a01c820f4f198a5ce6c
SHA256 b3f11a399dfa61522c1a34722779316eae8c21afcc120a01c820f4f198a5ce6c
Tags kpot trickbot banker evasion stealer trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 b3f11a399dfa61522c1a34722779316eae8c21afcc120a01c820f4f198a5ce6c

Threat Level: Known bad

The file b3f11a399dfa61522c1a34722779316eae8c21afcc120a01c820f4f198a5ce6c was found to be: Known bad.

Malicious Activity Summary

kpot trickbot banker evasion stealer trojan

Kpot family

Trickbot x86 loader

Trickbot

KPOT Core Executable

KPOT

Stops running service(s)

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Launches sc.exe

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-05-02 02:05

Signatures

KPOT Core Executable

Description Indicator Process Target
N/A N/A N/A N/A

Kpot family

kpot

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-02 02:05

Reported

2024-05-02 02:08

Platform

win7-20240221-en

Max time kernel

135s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b3f11a399dfa61522c1a34722779316eae8c21afcc120a01c820f4f198a5ce6c.exe"

Signatures

KPOT

trojan stealer kpot

KPOT Core Executable

Description Indicator Process Target
N/A N/A N/A N/A

Trickbot

trojan banker trickbot

Trickbot x86 loader

Description Indicator Process Target
N/A N/A N/A N/A

Stops running service(s)

evasion

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2184 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\b3f11a399dfa61522c1a34722779316eae8c21afcc120a01c820f4f198a5ce6c.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\b3f11a399dfa61522c1a34722779316eae8c21afcc120a01c820f4f198a5ce6c.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\b3f11a399dfa61522c1a34722779316eae8c21afcc120a01c820f4f198a5ce6c.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\b3f11a399dfa61522c1a34722779316eae8c21afcc120a01c820f4f198a5ce6c.exe C:\Users\Admin\AppData\Roaming\WinSocket\b3f11a399dfa71622c1a34822889317eae9c21afcc120a01c920f4f199a6ce7c.exe
PID 2948 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2512 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2584 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Roaming\WinSocket\b3f11a399dfa71622c1a34822889317eae9c21afcc120a01c920f4f199a6ce7c.exe C:\Windows\system32\svchost.exe
PID 1464 wrote to memory of 2720 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\WinSocket\b3f11a399dfa71622c1a34822889317eae9c21afcc120a01c920f4f199a6ce7c.exe
PID 2720 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Roaming\WinSocket\b3f11a399dfa71622c1a34822889317eae9c21afcc120a01c920f4f199a6ce7c.exe C:\Windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b3f11a399dfa61522c1a34722779316eae8c21afcc120a01c820f4f198a5ce6c.exe

"C:\Users\Admin\AppData\Local\Temp\b3f11a399dfa61522c1a34722779316eae8c21afcc120a01c820f4f198a5ce6c.exe"

C:\Windows\SysWOW64\cmd.exe

/c sc stop WinDefend

C:\Windows\SysWOW64\cmd.exe

/c sc delete WinDefend

C:\Windows\SysWOW64\cmd.exe

/c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Users\Admin\AppData\Roaming\WinSocket\b3f11a399dfa71622c1a34822889317eae9c21afcc120a01c920f4f199a6ce7c.exe

C:\Users\Admin\AppData\Roaming\WinSocket\b3f11a399dfa71622c1a34822889317eae9c21afcc120a01c920f4f199a6ce7c.exe

C:\Windows\SysWOW64\sc.exe

sc stop WinDefend

C:\Windows\SysWOW64\sc.exe

sc delete WinDefend

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {D54CAE31-5928-47B7-9016-2AA48E305B37} S-1-5-18:NT AUTHORITY\System:Service:

C:\Users\Admin\AppData\Roaming\WinSocket\b3f11a399dfa71622c1a34822889317eae9c21afcc120a01c920f4f199a6ce7c.exe

C:\Users\Admin\AppData\Roaming\WinSocket\b3f11a399dfa71622c1a34822889317eae9c21afcc120a01c920f4f199a6ce7c.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Roaming\WinSocket\b3f11a399dfa71622c1a34822889317eae9c21afcc120a01c920f4f199a6ce7c.exe

C:\Users\Admin\AppData\Roaming\WinSocket\b3f11a399dfa71622c1a34822889317eae9c21afcc120a01c920f4f199a6ce7c.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

Network

N/A

Files

\Users\Admin\AppData\Roaming\WinSocket\b3f11a399dfa71622c1a34822889317eae9c21afcc120a01c920f4f199a6ce7c.exe

MD5 5c4906004e74ec9700226dd3ec8fab6d
SHA1 4a6f23f7f2b71f48a2a8ff357005b4030003c3f9
SHA256 b3f11a399dfa61522c1a34722779316eae8c21afcc120a01c820f4f198a5ce6c
SHA512 2bf8d979fd75ff12518206a3e988ba926be3a8a17e797ea9972633c1685303f62de65db950e3dd9abd1d492b50749890899066f2d0a16613d747ab2b9eaa233e

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-02 02:05

Reported

2024-05-02 02:08

Platform

win10v2004-20240419-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b3f11a399dfa61522c1a34722779316eae8c21afcc120a01c820f4f198a5ce6c.exe"

Signatures

KPOT

trojan stealer kpot

KPOT Core Executable

Description Indicator Process Target
N/A N/A N/A N/A

Trickbot

trojan banker trickbot

Trickbot x86 loader

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4980 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\b3f11a399dfa61522c1a34722779316eae8c21afcc120a01c820f4f198a5ce6c.exe C:\Users\Admin\AppData\Roaming\WinSocket\b3f11a399dfa71622c1a34822889317eae9c21afcc120a01c920f4f199a6ce7c.exe
PID 1932 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Roaming\WinSocket\b3f11a399dfa71622c1a34822889317eae9c21afcc120a01c920f4f199a6ce7c.exe C:\Windows\system32\svchost.exe
PID 5072 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Roaming\WinSocket\b3f11a399dfa71622c1a34822889317eae9c21afcc120a01c920f4f199a6ce7c.exe C:\Windows\system32\svchost.exe
PID 4332 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Roaming\WinSocket\b3f11a399dfa71622c1a34822889317eae9c21afcc120a01c920f4f199a6ce7c.exe C:\Windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b3f11a399dfa61522c1a34722779316eae8c21afcc120a01c820f4f198a5ce6c.exe

"C:\Users\Admin\AppData\Local\Temp\b3f11a399dfa61522c1a34722779316eae8c21afcc120a01c820f4f198a5ce6c.exe"

C:\Users\Admin\AppData\Roaming\WinSocket\b3f11a399dfa71622c1a34822889317eae9c21afcc120a01c920f4f199a6ce7c.exe

C:\Users\Admin\AppData\Roaming\WinSocket\b3f11a399dfa71622c1a34822889317eae9c21afcc120a01c920f4f199a6ce7c.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Roaming\WinSocket\b3f11a399dfa71622c1a34822889317eae9c21afcc120a01c920f4f199a6ce7c.exe

C:\Users\Admin\AppData\Roaming\WinSocket\b3f11a399dfa71622c1a34822889317eae9c21afcc120a01c920f4f199a6ce7c.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Roaming\WinSocket\b3f11a399dfa71622c1a34822889317eae9c21afcc120a01c920f4f199a6ce7c.exe

C:\Users\Admin\AppData\Roaming\WinSocket\b3f11a399dfa71622c1a34822889317eae9c21afcc120a01c920f4f199a6ce7c.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

Network

Files

C:\Users\Admin\AppData\Roaming\WinSocket\b3f11a399dfa71622c1a34822889317eae9c21afcc120a01c920f4f199a6ce7c.exe

MD5 5c4906004e74ec9700226dd3ec8fab6d
SHA1 4a6f23f7f2b71f48a2a8ff357005b4030003c3f9
SHA256 b3f11a399dfa61522c1a34722779316eae8c21afcc120a01c820f4f198a5ce6c
SHA512 2bf8d979fd75ff12518206a3e988ba926be3a8a17e797ea9972633c1685303f62de65db950e3dd9abd1d492b50749890899066f2d0a16613d747ab2b9eaa233e

C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

MD5 45d9ac54157bbb4903346e8dcf82f886
SHA1 29a65225f2531192b23221dff586d197d4599070
SHA256 a7f19ee9e6002b03e402cc42f780468050bc1715d63431e49436ee70a8d153d3
SHA512 b65b46e4cc9bb2818889472dd6106e244d67b0095551d3335e5fffb9ff1fce343a922ca22254508e285ee3612cbbbe929cb92e8ae7452c8904a6cd456529286d