Malware Analysis Report

2024-10-23 15:30

Sample ID: 240505-d8yx3sha22
Target: bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3
SHA256: bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3
Tags: kpot trickbot banker evasion execution stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3

Threat Level: Known bad

The file bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3 was found to be: Known bad.

Malicious Activity Summary

kpot trickbot banker evasion execution stealer trojan

Trickbot x86 loader

KPOT

Trickbot

KPOT Core Executable

Kpot family

Stops running service(s)

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Launches sc.exe

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-05 03:41

Signatures

KPOT Core Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Kpot family

kpot

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-05 03:41
Reported: 2024-05-05 03:43
Platform: win7-20240221-en
Max time kernel: 135s
Max time network: 117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3.exe"

Signatures

KPOT

trojan stealer kpot

KPOT Core Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Trickbot

trojan banker trickbot

Trickbot x86 loader

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Stops running service(s)

evasion execution

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2272 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3.exe | C:\Windows\SysWOW64\cmd.exe
PID 2272 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3.exe | C:\Windows\SysWOW64\cmd.exe
PID 2272 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3.exe | C:\Windows\SysWOW64\cmd.exe
PID 2272 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3.exe | C:\Windows\SysWOW64\cmd.exe
PID 2272 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3.exe | C:\Windows\SysWOW64\cmd.exe
PID 2272 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3.exe | C:\Windows\SysWOW64\cmd.exe
PID 2272 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3.exe | C:\Windows\SysWOW64\cmd.exe
PID 2272 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3.exe | C:\Windows\SysWOW64\cmd.exe
PID 2272 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3.exe | C:\Windows\SysWOW64\cmd.exe
PID 2272 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3.exe | C:\Windows\SysWOW64\cmd.exe
PID 2272 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3.exe | C:\Windows\SysWOW64\cmd.exe
PID 2272 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3.exe | C:\Windows\SysWOW64\cmd.exe
PID 2272 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3.exe | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe
PID 2272 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3.exe | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe
PID 2272 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3.exe | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe
PID 2272 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3.exe | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe
PID 2768 wrote to memory of 2568 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2568 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2568 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2568 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2616 wrote to memory of 1948 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 2616 wrote to memory of 1948 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 2616 wrote to memory of 1948 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 2616 wrote to memory of 1948 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 2600 wrote to memory of 2696 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 2600 wrote to memory of 2696 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 2600 wrote to memory of 2696 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 2600 wrote to memory of 2696 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 1048 wrote to memory of 2808 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe
PID 1048 wrote to memory of 2808 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe
PID 1048 wrote to memory of 2808 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe
PID 1048 wrote to memory of 2808 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe
PID 2808 wrote to memory of 2216 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2808 wrote to memory of 2216 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2808 wrote to memory of 2216 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2808 wrote to memory of 2216 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3.exe

"C:\Users\Admin\AppData\Local\Temp\bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3.exe"

C:\Windows\SysWOW64\cmd.exe

/c sc stop WinDefend

C:\Windows\SysWOW64\cmd.exe

/c sc delete WinDefend

C:\Windows\SysWOW64\cmd.exe

/c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe

C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\sc.exe

sc delete WinDefend

C:\Windows\SysWOW64\sc.exe

sc stop WinDefend

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {4F8410DE-39E3-4753-BD6F-2FB7BE85B216} S-1-5-18:NT AUTHORITY\System:Service:

C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe

C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe

C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

Network

N/A

Files

memory/2272-4-0x0000000000300000-0x0000000000301000-memory.dmp

memory/2272-5-0x0000000000300000-0x0000000000301000-memory.dmp

memory/2272-3-0x0000000000300000-0x0000000000301000-memory.dmp

memory/2272-2-0x0000000000300000-0x0000000000301000-memory.dmp

memory/2272-7-0x0000000000300000-0x0000000000301000-memory.dmp

memory/2272-8-0x0000000000300000-0x0000000000301000-memory.dmp

memory/2272-6-0x0000000000300000-0x0000000000301000-memory.dmp

memory/2272-13-0x0000000000300000-0x0000000000301000-memory.dmp

memory/2272-14-0x0000000000300000-0x0000000000301000-memory.dmp

memory/2272-12-0x0000000000300000-0x0000000000301000-memory.dmp

memory/2272-11-0x0000000000300000-0x0000000000301000-memory.dmp

memory/2272-10-0x0000000000300000-0x0000000000301000-memory.dmp

memory/2272-9-0x0000000000300000-0x0000000000301000-memory.dmp

memory/2272-15-0x0000000000330000-0x0000000000359000-memory.dmp

memory/2272-17-0x0000000000421000-0x0000000000422000-memory.dmp

memory/2272-18-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe

MD5: c480908dbb73f40acfe629f08a7bdeb5
SHA1: 234f593a4c607d5f202a9e6eed8dd46061c880a2
SHA256: bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3
SHA512: d6c9c8ea13df5f60f921521f6c3896848750a6fc915850eb848b242c8ee62ceccbac0addc2828ebf36f22d684562a8f710a739d66586c27d295d6a5e304095dd

memory/2664-34-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2664-35-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2664-33-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2664-32-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2664-31-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2664-30-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2664-37-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2664-36-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2664-38-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2664-41-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2664-40-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2664-39-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2664-45-0x0000000010000000-0x0000000010007000-memory.dmp

memory/2484-49-0x0000000010000000-0x000000001001E000-memory.dmp

memory/2484-48-0x0000000010000000-0x000000001001E000-memory.dmp

memory/2808-71-0x0000000000820000-0x0000000000821000-memory.dmp

memory/2808-70-0x0000000000820000-0x0000000000821000-memory.dmp

memory/2808-69-0x0000000000820000-0x0000000000821000-memory.dmp

memory/2808-68-0x0000000000820000-0x0000000000821000-memory.dmp

memory/2808-67-0x0000000000820000-0x0000000000821000-memory.dmp

memory/2808-66-0x0000000000820000-0x0000000000821000-memory.dmp

memory/2808-65-0x0000000000820000-0x0000000000821000-memory.dmp

memory/2808-64-0x0000000000820000-0x0000000000821000-memory.dmp

memory/2808-63-0x0000000000820000-0x0000000000821000-memory.dmp

memory/2808-62-0x0000000000820000-0x0000000000821000-memory.dmp

memory/2808-61-0x0000000000820000-0x0000000000821000-memory.dmp

memory/2808-60-0x0000000000820000-0x0000000000821000-memory.dmp

memory/1052-87-0x00000000003B0000-0x00000000003B1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-05 03:41
Reported: 2024-05-05 03:43
Platform: win10v2004-20240419-en
Max time kernel: 149s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3.exe"

Signatures

KPOT

trojan stealer kpot

KPOT Core Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Trickbot

trojan banker trickbot

Trickbot x86 loader

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1976 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3.exe | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe
PID 1976 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3.exe | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe
PID 1976 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3.exe | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe
PID 1736 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 1736 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 1736 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 1736 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 1736 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 1736 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 1736 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 1736 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 1736 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 1736 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 1736 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 1736 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 1736 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 1736 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 1736 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 1736 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 1736 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 1736 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 1736 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 1736 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 1736 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 1736 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 1736 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 1736 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 1736 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 1736 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 4368 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 4368 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 4368 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 4368 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 4368 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 4368 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 4368 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 4368 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 4368 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 4368 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 4368 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 4368 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 4368 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 4368 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 4368 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 4368 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 4368 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 4368 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 4368 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 4368 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 4368 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 4368 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 4368 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 4368 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 4368 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 4368 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2884 wrote to memory of 4308 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2884 wrote to memory of 4308 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2884 wrote to memory of 4308 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2884 wrote to memory of 4308 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2884 wrote to memory of 4308 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2884 wrote to memory of 4308 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2884 wrote to memory of 4308 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2884 wrote to memory of 4308 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe
PID 2884 wrote to memory of 4308 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe | C:\Windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3.exe

"C:\Users\Admin\AppData\Local\Temp\bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3.exe"

C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe

C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe

C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe

C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.251.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 24.247.181.155:449 | | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 24.247.181.155:449 | | tcp
US | 8.8.8.8:53 | | udp

Files

C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe

MD5 c480908dbb73f40acfe629f08a7bdeb5
SHA1 234f593a4c607d5f202a9e6eed8dd46061c880a2
SHA256 bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3
SHA512 d6c9c8ea13df5f60f921521f6c3896848750a6fc915850eb848b242c8ee62ceccbac0addc2828ebf36f22d684562a8f710a739d66586c27d295d6a5e304095dd

C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

MD5 1eee9adaab6c27e7e61db969613a03c0
SHA1 db5227767dec5584fc075fe58daa4e23b64707b9
SHA256 53e226fea542441bf2cefb3f7a93b710fc8ff858cb2315c48d838ecda3c54b57
SHA512 adfc8c604334c9190146e4e360e3e845b27c0a23960c886d7979353104d6edd1992e8ad8e8b7ef4f9499d2f4ebda54869ed2470ad8d110f14dbc358dd8c3459e