Malware Analysis Report

2024-10-23 15:30

Sample ID 240505-zxcfladh7z
Target 42755e0fbbf9c46c82c1777d4068e32ffa36c3c4b5f6e3580094286f8985f9f2
SHA256 42755e0fbbf9c46c82c1777d4068e32ffa36c3c4b5f6e3580094286f8985f9f2
Tags
kpot trickbot banker evasion execution stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

42755e0fbbf9c46c82c1777d4068e32ffa36c3c4b5f6e3580094286f8985f9f2

Threat Level: Known bad

The file 42755e0fbbf9c46c82c1777d4068e32ffa36c3c4b5f6e3580094286f8985f9f2 was found to be: Known bad.

Malicious Activity Summary

kpot trickbot banker evasion execution stealer trojan

KPOT

Trickbot

KPOT Core Executable

Kpot family

Trickbot x86 loader

Stops running service(s)

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Launches sc.exe

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-05 21:05

Signatures

KPOT Core Executable

Description Indicator Process Target
N/A N/A N/A N/A

Kpot family

kpot

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-05 21:05

Reported

2024-05-05 21:08

Platform

win7-20240215-en

Max time kernel

135s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\42755e0fbbf9c46c82c1777d4068e32ffa36c3c4b5f6e3580094286f8985f9f2.exe"

Signatures

KPOT

trojan stealer kpot

KPOT Core Executable

Description Indicator Process Target
N/A N/A N/A N/A

Trickbot

trojan banker trickbot

Trickbot x86 loader

Description Indicator Process Target
N/A N/A N/A N/A

Stops running service(s)

evasion execution

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Note: the process in this row is powershell.exe itself, and the path is an unexpanded %ProgramData% resolved relative to SysWOW64, which is what 32-bit PowerShell touches when it starts. Treat the row as a side effect of the Set-MpPreference launch rather than as a file written by the sample; the sample's own drop is the WinSocket copy listed under Files.

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Identical rows collapsed; "(xN)" is the number of WriteProcessMemory events recorded for that source/target pair.

Description Indicator Process Target
PID 2876 wrote to memory of 2612 (x4) N/A C:\Users\Admin\AppData\Local\Temp\42755e0fbbf9c46c82c1777d4068e32ffa36c3c4b5f6e3580094286f8985f9f2.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2616 (x4) N/A C:\Users\Admin\AppData\Local\Temp\42755e0fbbf9c46c82c1777d4068e32ffa36c3c4b5f6e3580094286f8985f9f2.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2668 (x4) N/A C:\Users\Admin\AppData\Local\Temp\42755e0fbbf9c46c82c1777d4068e32ffa36c3c4b5f6e3580094286f8985f9f2.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2104 (x4) N/A C:\Users\Admin\AppData\Local\Temp\42755e0fbbf9c46c82c1777d4068e32ffa36c3c4b5f6e3580094286f8985f9f2.exe C:\Users\Admin\AppData\Roaming\WinSocket\42866e0fbbf9c47c92c1888d4079e32ffa37c3c4b6f7e3690094297f9996f9f2.exe
PID 2616 wrote to memory of 2572 (x4) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2612 wrote to memory of 2748 (x4) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2668 wrote to memory of 2512 (x4) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 2484 (x28) N/A C:\Users\Admin\AppData\Roaming\WinSocket\42866e0fbbf9c47c92c1888d4079e32ffa37c3c4b6f7e3690094297f9996f9f2.exe C:\Windows\system32\svchost.exe
PID 860 wrote to memory of 2024 (x4) N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\WinSocket\42866e0fbbf9c47c92c1888d4079e32ffa37c3c4b6f7e3690094297f9996f9f2.exe
PID 2024 wrote to memory of 2704 (x4) N/A C:\Users\Admin\AppData\Roaming\WinSocket\42866e0fbbf9c47c92c1888d4079e32ffa37c3c4b6f7e3690094297f9996f9f2.exe C:\Windows\system32\svchost.exe

Reading the counts: every child that the sample or its cmd.exe wrappers launch shows the same four writes, so four is the process-creation baseline in this run. The 28 writes from the WinSocket copy (PID 2104) into svchost.exe (PID 2484) are the only pair above that baseline and are the injection worth pulling; the dumps for PID 2484 at 0x10000000-0x1001E000 in the Files section are the memory the sandbox captured from that process. The second WinSocket instance (PID 2024, started by taskeng.exe, i.e. from the scheduled task) only reaches the creation writes into svchost.exe (PID 2704) before the run ends.

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\42755e0fbbf9c46c82c1777d4068e32ffa36c3c4b5f6e3580094286f8985f9f2.exe

"C:\Users\Admin\AppData\Local\Temp\42755e0fbbf9c46c82c1777d4068e32ffa36c3c4b5f6e3580094286f8985f9f2.exe"

C:\Windows\SysWOW64\cmd.exe

/c sc stop WinDefend

C:\Windows\SysWOW64\cmd.exe

/c sc delete WinDefend

C:\Windows\SysWOW64\cmd.exe

/c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Users\Admin\AppData\Roaming\WinSocket\42866e0fbbf9c47c92c1888d4079e32ffa37c3c4b6f7e3690094297f9996f9f2.exe

C:\Users\Admin\AppData\Roaming\WinSocket\42866e0fbbf9c47c92c1888d4079e32ffa37c3c4b6f7e3690094297f9996f9f2.exe

C:\Windows\SysWOW64\sc.exe

sc stop WinDefend

C:\Windows\SysWOW64\sc.exe

sc delete WinDefend

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {98E901B8-9F5B-4635-B7DC-98A4FC003D9F} S-1-5-18:NT AUTHORITY\System:Service:

C:\Users\Admin\AppData\Roaming\WinSocket\42866e0fbbf9c47c92c1888d4079e32ffa37c3c4b6f7e3690094297f9996f9f2.exe

C:\Users\Admin\AppData\Roaming\WinSocket\42866e0fbbf9c47c92c1888d4079e32ffa37c3c4b6f7e3690094297f9996f9f2.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Roaming\WinSocket\42866e0fbbf9c47c92c1888d4079e32ffa37c3c4b6f7e3690094297f9996f9f2.exe

C:\Users\Admin\AppData\Roaming\WinSocket\42866e0fbbf9c47c92c1888d4079e32ffa37c3c4b6f7e3690094297f9996f9f2.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe
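The three command lines above (sc stop WinDefend, sc delete WinDefend, and Set-MpPreference -DisableRealtimeMonitoring $true) are the sample's Defender tampering and are what a process-creation rule should key on. The following is an added example, not code from the sandbox or from this report: a small Python detector over process-creation records. The records are constructed from the command lines on this page; the PIDs are taken from the WriteProcessMemory table of behavioral1, the pairing of each cmd.exe with its sc.exe child is an assumption made here, and the last two records are benign controls invented for the test. The technique ID T1562.001 (Impair Defenses: Disable or Modify Tools) is the ATT&CK mapping used for all three.

```python
"""Flag command lines that tamper with Microsoft Defender.

Added example; the EVENTS below are constructed from the command lines in
this report, not taken from sandbox output.
"""
import re
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\42755e0fbbf9c46c82c1777d4068e32ffa36c3c4b5f6e3580094286f8985f9f2.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SC = r"C:\Windows\SysWOW64\sc.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# (pid, image, command line). PIDs come from the WriteProcessMemory table of
# behavioral1; which cmd.exe ran which command is an assumption. The two
# records with PIDs 4000/4001 are benign controls constructed for this example.
EVENTS = [
    (2876, SAMPLE, f'"{SAMPLE}"'),
    (2612, CMD, "/c sc stop WinDefend"),
    (2616, CMD, "/c sc delete WinDefend"),
    (2668, CMD, "/c powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    (2748, SC, "sc stop WinDefend"),
    (2572, SC, "sc delete WinDefend"),
    (2512, PS, "powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    (4000, SC, "sc query WinDefend"),
    (4001, PS, "powershell Get-MpPreference"),
]

# Service names behind Microsoft Defender components (AV, network inspection, MDE).
DEFENDER_SERVICES = {"windefend", "wdnissvc", "sense"}
# Set-MpPreference switches that turn protection off when set to $true.
DISABLE_SWITCHES = {
    "disablerealtimemonitoring", "disablebehaviormonitoring",
    "disableioavprotection", "disablescriptscanning",
}

SC_RE = re.compile(r"\bsc(?:\.exe)?\s+(stop|delete|config)\s+(\S+)(.*)", re.IGNORECASE)
NET_RE = re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+(\S+)", re.IGNORECASE)
MP_RE = re.compile(r"\bSet-MpPreference\b(.*)", re.IGNORECASE)
SWITCH_RE = re.compile(r"-(Disable\w+)\s+(?:\$true|1)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    technique: str  # ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools
    reason: str


def check(pid, image, cmdline):
    """Return the findings for one process-creation record."""
    out = []
    # sc stop / sc delete / sc config <svc> start= disabled against a Defender service
    for verb, svc, rest in SC_RE.findall(cmdline):
        disabling = verb.lower() in ("stop", "delete") or re.search(r"start=\s*disabled", rest, re.I)
        if svc.lower() in DEFENDER_SERVICES and disabling:
            out.append(Finding(pid, image, "T1562.001", f"sc {verb.lower()} {svc}"))
    # net stop <svc> is the other common way to stop the service
    for svc in NET_RE.findall(cmdline):
        if svc.lower() in DEFENDER_SERVICES:
            out.append(Finding(pid, image, "T1562.001", f"net stop {svc}"))
    # Set-MpPreference -Disable... $true; -Disable... $false is left alone
    m = MP_RE.search(cmdline)
    if m:
        for switch in SWITCH_RE.findall(m.group(1)):
            if switch.lower() in DISABLE_SWITCHES:
                out.append(Finding(pid, image, "T1562.001", f"Set-MpPreference -{switch} $true"))
    return out


def detect(events):
    """Run check() over every (pid, image, cmdline) record."""
    return [f for pid, image, cmdline in events for f in check(pid, image, cmdline)]


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.pid:>5} {f.technique} {f.reason}  ({f.image})")
```

Both the cmd.exe wrapper and the sc.exe/powershell.exe child fire, which is deliberate: on a host where only one of the two layers is logged (an EDR that drops cmd.exe noise, or a Sysmon config that does not capture the child) the rule still has a hit. Note that the cmd.exe command lines in this report start directly at /c, with no argv[0]; the regexes anchor on the sc and Set-MpPreference tokens, so either form matches.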

Network

N/A (no network traffic was recorded during the 120 s network window of this Windows 7 run; the C2 contact on this page appears only in behavioral2)

Files

memory/2876-2-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2876-6-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2876-5-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2876-4-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2876-3-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2876-7-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2876-10-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2876-12-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2876-11-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2876-9-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2876-8-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2876-13-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2876-14-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2876-15-0x00000000003A0000-0x00000000003C9000-memory.dmp

memory/2876-18-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2876-17-0x0000000000421000-0x0000000000422000-memory.dmp

\Users\Admin\AppData\Roaming\WinSocket\42866e0fbbf9c47c92c1888d4079e32ffa37c3c4b6f7e3690094297f9996f9f2.exe

MD5 2f99d51a67ac96a6132b73e558c036ff
SHA1 3228f440838a43bf7863d99438d9c288dd3ee8a6
SHA256 42755e0fbbf9c46c82c1777d4068e32ffa36c3c4b5f6e3580094286f8985f9f2
SHA512 f80971069f357a691a639b675b399ac2bc80e62a85aec188168232dc9c84ffcd76f52cd173c5e039994d587fdd62ec3848782746999c3d8eece21f323f823fc2

memory/2104-41-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2104-40-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2104-39-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2104-45-0x0000000010000000-0x0000000010007000-memory.dmp

memory/2104-44-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2104-38-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2104-37-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2484-50-0x0000000010000000-0x000000001001E000-memory.dmp

memory/2484-49-0x0000000010000000-0x000000001001E000-memory.dmp

memory/2104-36-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2104-35-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2104-34-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2104-33-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2104-32-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2104-31-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2104-30-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2024-65-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2024-66-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2024-64-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2024-63-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2024-62-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2024-61-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2024-67-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2024-68-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2024-72-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2024-71-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2024-70-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2024-69-0x00000000003D0000-0x00000000003D1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-05 21:05

Reported

2024-05-05 21:07

Platform

win10v2004-20240419-en

Max time kernel

135s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\42755e0fbbf9c46c82c1777d4068e32ffa36c3c4b5f6e3580094286f8985f9f2.exe"

Signatures

KPOT

trojan stealer kpot

KPOT Core Executable

Description Indicator Process Target
N/A N/A N/A N/A

Trickbot

trojan banker trickbot

Trickbot x86 loader

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Identical rows collapsed; "(xN)" is the number of WriteProcessMemory events recorded for that source/target pair.

Description Indicator Process Target
PID 1648 wrote to memory of 4356 (x3) N/A C:\Users\Admin\AppData\Local\Temp\42755e0fbbf9c46c82c1777d4068e32ffa36c3c4b5f6e3580094286f8985f9f2.exe C:\Users\Admin\AppData\Roaming\WinSocket\42866e0fbbf9c47c92c1888d4079e32ffa37c3c4b6f7e3690094297f9996f9f2.exe
PID 4356 wrote to memory of 3268 (x26) N/A C:\Users\Admin\AppData\Roaming\WinSocket\42866e0fbbf9c47c92c1888d4079e32ffa37c3c4b6f7e3690094297f9996f9f2.exe C:\Windows\system32\svchost.exe
PID 4316 wrote to memory of 3656 (x26) N/A C:\Users\Admin\AppData\Roaming\WinSocket\42866e0fbbf9c47c92c1888d4079e32ffa37c3c4b6f7e3690094297f9996f9f2.exe C:\Windows\system32\svchost.exe
PID 696 wrote to memory of 1128 (x9) N/A C:\Users\Admin\AppData\Roaming\WinSocket\42866e0fbbf9c47c92c1888d4079e32ffa37c3c4b6f7e3690094297f9996f9f2.exe C:\Windows\system32\svchost.exe

Reading the counts: the sample's three writes into the copy it launches (1648 to 4356) are the process-creation baseline in this Windows 10 run. Three WinSocket instances (PIDs 4356, 4316 and 696) then write into a svchost.exe each, 26, 26 and 9 times, well above that baseline. The parents of PIDs 4316 and 696 are not recorded in this table.
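The WriteProcessMemory tables in this run and in behavioral1 read the same way: a parent writing a handful of times into a child it has just created is the normal cost of process creation, and a pair far above that count is one process writing into another. The following is an added example, not part of the report: Python that takes rows in the form the sandbox emits them, one line per call ("PID X wrote to memory of Y N/A source target"), counts them per source/target pair, and flags the pairs above the creation baseline. The per-pair row counts are transcribed from the two tables on this page; the baseline rule (smallest count seen in the run) is this example's own heuristic.

```python
"""Collapse WriteProcessMemory rows and flag cross-process writes that exceed
the process-creation baseline.

Added example, not part of the sandbox report. Row counts per pair are
transcribed from the behavioral1 and behavioral2 tables on this page.
"""
import re
from collections import Counter
from dataclasses import dataclass

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Image paths as they appear in this report (no spaces, so \S+ is enough).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\42755e0fbbf9c46c82c1777d4068e32ffa36c3c4b5f6e3580094286f8985f9f2.exe"
COPY = r"C:\Users\Admin\AppData\Roaming\WinSocket\42866e0fbbf9c47c92c1888d4079e32ffa37c3c4b6f7e3690094297f9996f9f2.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SC = r"C:\Windows\SysWOW64\sc.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SVCHOST = r"C:\Windows\system32\svchost.exe"
TASKENG = r"C:\Windows\system32\taskeng.exe"


def rows(src, dst, src_img, dst_img, n):
    """Reproduce n identical report rows for one source/target pair."""
    return [f"PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}"] * n


# Counts transcribed from the behavioral1 (Windows 7) table.
BEHAVIORAL1 = (
    rows(2876, 2612, SAMPLE, CMD, 4) + rows(2876, 2616, SAMPLE, CMD, 4)
    + rows(2876, 2668, SAMPLE, CMD, 4) + rows(2876, 2104, SAMPLE, COPY, 4)
    + rows(2616, 2572, CMD, SC, 4) + rows(2612, 2748, CMD, SC, 4)
    + rows(2668, 2512, CMD, PS, 4) + rows(2104, 2484, COPY, SVCHOST, 28)
    + rows(860, 2024, TASKENG, COPY, 4) + rows(2024, 2704, COPY, SVCHOST, 4)
)
# Counts transcribed from the behavioral2 (Windows 10) table.
BEHAVIORAL2 = (
    rows(1648, 4356, SAMPLE, COPY, 3) + rows(4356, 3268, COPY, SVCHOST, 26)
    + rows(4316, 3656, COPY, SVCHOST, 26) + rows(696, 1128, COPY, SVCHOST, 9)
)


@dataclass(frozen=True)
class Write:
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str


def aggregate(lines):
    """Count identical rows per (source, target) pair, keeping first-seen order."""
    counts = Counter()
    for line in lines:
        m = ROW_RE.match(line)
        if not m:
            continue  # tolerate the header line and N/A rows
        counts[Write(int(m[1]), int(m[2]), m[3], m[4])] += 1
    return counts


def flag_injection(counts, baseline=None):
    """Return (write, count) pairs whose count exceeds the creation baseline.

    Baseline: the smallest count seen in the run, i.e. the writes a parent
    makes into a child it has just created (4 on the Win7 image, 3 on the
    Win10 image in this report). Anything well above it is a process writing
    into another process's memory.
    """
    if not counts:
        return []
    if baseline is None:
        baseline = min(counts.values())
    return [(w, n) for w, n in counts.items() if n > baseline]


if __name__ == "__main__":
    for name, lines in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        for w, n in flag_injection(aggregate(lines)):
            print(f"{name}: {w.src_pid} -> {w.dst_pid} ({w.dst_image}) x{n}")
```

Run against the Windows 7 rows this yields only the 28 writes from PID 2104 into svchost.exe; against the Windows 10 rows it yields the three WinSocket-to-svchost pairs. The baseline heuristic assumes at least one ordinary parent-to-child creation is in the table, which holds for both runs here; on a table that contains only injection pairs pass baseline explicitly.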

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\42755e0fbbf9c46c82c1777d4068e32ffa36c3c4b5f6e3580094286f8985f9f2.exe

"C:\Users\Admin\AppData\Local\Temp\42755e0fbbf9c46c82c1777d4068e32ffa36c3c4b5f6e3580094286f8985f9f2.exe"

C:\Users\Admin\AppData\Roaming\WinSocket\42866e0fbbf9c47c92c1888d4079e32ffa37c3c4b6f7e3690094297f9996f9f2.exe

C:\Users\Admin\AppData\Roaming\WinSocket\42866e0fbbf9c47c92c1888d4079e32ffa37c3c4b6f7e3690094297f9996f9f2.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Roaming\WinSocket\42866e0fbbf9c47c92c1888d4079e32ffa37c3c4b6f7e3690094297f9996f9f2.exe

C:\Users\Admin\AppData\Roaming\WinSocket\42866e0fbbf9c47c92c1888d4079e32ffa37c3c4b6f7e3690094297f9996f9f2.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Roaming\WinSocket\42866e0fbbf9c47c92c1888d4079e32ffa37c3c4b6f7e3690094297f9996f9f2.exe

C:\Users\Admin\AppData\Roaming\WinSocket\42866e0fbbf9c47c92c1888d4079e32ffa37c3c4b6f7e3690094297f9996f9f2.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BR 170.79.176.242:449 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
BR 170.79.176.242:449 tcp
US 8.8.8.8:53 25.43.201.23.in-addr.arpa udp

Files

memory/1648-3-0x0000000002250000-0x0000000002251000-memory.dmp

memory/1648-14-0x0000000002250000-0x0000000002251000-memory.dmp

memory/1648-13-0x0000000002250000-0x0000000002251000-memory.dmp

memory/1648-12-0x0000000002250000-0x0000000002251000-memory.dmp

memory/1648-11-0x0000000002250000-0x0000000002251000-memory.dmp

memory/1648-10-0x0000000002250000-0x0000000002251000-memory.dmp

memory/1648-9-0x0000000002250000-0x0000000002251000-memory.dmp

memory/1648-8-0x0000000002250000-0x0000000002251000-memory.dmp

memory/1648-7-0x0000000002250000-0x0000000002251000-memory.dmp

memory/1648-6-0x0000000002250000-0x0000000002251000-memory.dmp

memory/1648-5-0x0000000002250000-0x0000000002251000-memory.dmp

memory/1648-4-0x0000000002250000-0x0000000002251000-memory.dmp

memory/1648-2-0x0000000002250000-0x0000000002251000-memory.dmp

memory/1648-15-0x0000000002270000-0x0000000002299000-memory.dmp

memory/1648-17-0x0000000000421000-0x0000000000422000-memory.dmp

memory/1648-18-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Roaming\WinSocket\42866e0fbbf9c47c92c1888d4079e32ffa37c3c4b6f7e3690094297f9996f9f2.exe

MD5 2f99d51a67ac96a6132b73e558c036ff
SHA1 3228f440838a43bf7863d99438d9c288dd3ee8a6
SHA256 42755e0fbbf9c46c82c1777d4068e32ffa36c3c4b5f6e3580094286f8985f9f2
SHA512 f80971069f357a691a639b675b399ac2bc80e62a85aec188168232dc9c84ffcd76f52cd173c5e039994d587fdd62ec3848782746999c3d8eece21f323f823fc2

memory/4356-37-0x0000000002920000-0x0000000002921000-memory.dmp

memory/4356-36-0x0000000002920000-0x0000000002921000-memory.dmp

memory/4356-35-0x0000000002920000-0x0000000002921000-memory.dmp

memory/4356-34-0x0000000002920000-0x0000000002921000-memory.dmp

memory/4356-33-0x0000000002920000-0x0000000002921000-memory.dmp

memory/4356-40-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4356-32-0x0000000002920000-0x0000000002921000-memory.dmp

memory/4356-41-0x0000000010000000-0x0000000010007000-memory.dmp

memory/3268-46-0x0000000010000000-0x000000001001E000-memory.dmp

memory/4356-31-0x0000000002920000-0x0000000002921000-memory.dmp

memory/3268-52-0x000002E2559B0000-0x000002E2559B1000-memory.dmp

memory/4356-30-0x0000000002920000-0x0000000002921000-memory.dmp

memory/4356-51-0x0000000003060000-0x000000000311E000-memory.dmp

memory/4356-29-0x0000000002920000-0x0000000002921000-memory.dmp

memory/4356-28-0x0000000002920000-0x0000000002921000-memory.dmp

memory/4356-27-0x0000000002920000-0x0000000002921000-memory.dmp

memory/4356-26-0x0000000002920000-0x0000000002921000-memory.dmp

memory/4356-53-0x0000000003160000-0x0000000003429000-memory.dmp

memory/4316-69-0x0000000000750000-0x0000000000751000-memory.dmp

memory/4316-68-0x0000000000750000-0x0000000000751000-memory.dmp

memory/4316-67-0x0000000000750000-0x0000000000751000-memory.dmp

memory/4316-66-0x0000000000750000-0x0000000000751000-memory.dmp

memory/4316-65-0x0000000000750000-0x0000000000751000-memory.dmp

memory/4316-64-0x0000000000750000-0x0000000000751000-memory.dmp

memory/4316-63-0x0000000000750000-0x0000000000751000-memory.dmp

memory/4316-62-0x0000000000750000-0x0000000000751000-memory.dmp

memory/4316-61-0x0000000000750000-0x0000000000751000-memory.dmp

memory/4316-60-0x0000000000750000-0x0000000000751000-memory.dmp

memory/4316-59-0x0000000000750000-0x0000000000751000-memory.dmp

memory/4316-58-0x0000000000750000-0x0000000000751000-memory.dmp

memory/4316-73-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4316-72-0x0000000000421000-0x0000000000422000-memory.dmp

C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

MD5 5dd2378e95ef199bc0eb41b2b67ce926
SHA1 fc54d68a78a0bcdc2a995c8e6c731d14224458be
SHA256 ecf3331ebb0448a78f5c3389e593d1b9d2bb6e0e840ca688fa5f8331cbb2ecff
SHA512 ed535049b135f224a76155bfc4b19f17b1e03c51361635ae2d44a304061cb18876a6d8190bfb935c40ad76d7e1b9aa396b530874b614353ab4e822a124c8036b