Malware Analysis Report

2024-10-19 01:05

Sample ID 240508-kearqabe9x
Target 2bc2d4e2cf1706542b76460e36d968b0_NEIKI
SHA256 fb5a0ecb62aa6fbf3ee2a2044860b7c30dc00654dd75da35e48c19de35313a76
Tags
kpot trickbot banker evasion execution stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fb5a0ecb62aa6fbf3ee2a2044860b7c30dc00654dd75da35e48c19de35313a76

Threat Level: Known bad

The file 2bc2d4e2cf1706542b76460e36d968b0_NEIKI was found to be: Known bad.

Malicious Activity Summary

kpot trickbot banker evasion execution stealer trojan

KPOT Core Executable

KPOT

Kpot family

Trickbot

Trickbot x86 loader

Stops running service(s)

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Launches sc.exe

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-08 08:30

Signatures

KPOT Core Executable

Description Indicator Process Target
(no indicator details recorded for this signature)

Kpot family

kpot

Unsigned PE

Description Indicator Process Target
(no indicator details recorded for this signature)

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-08 08:30

Reported

2024-05-08 08:32

Platform

win7-20240419-en

Max time kernel

135s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2bc2d4e2cf1706542b76460e36d968b0_NEIKI.exe"

Signatures

KPOT

trojan stealer kpot

KPOT Core Executable

Description Indicator Process Target
(no indicator details recorded for this signature)

Trickbot

trojan banker trickbot

Trickbot x86 loader

Description Indicator Process Target
(no indicator details recorded for this signature)

Stops running service(s)

evasion execution

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A [x2]
Note: the only indicator behind this signature is powershell.exe touching its own Start Menu shortcut through an unexpanded %ProgramData% variable joined to its SysWOW64 working directory. That appears to be a side effect of launching 32-bit PowerShell rather than a payload written into System32 by the sample; the file actually dropped by the sample lives under %APPDATA%\WinSocket (see Files).

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A [x4: two "sc stop WinDefend", two "sc delete WinDefend", see Processes]

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A [x2]
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe N/A [x2]
Note: SeTcbPrivilege ("act as part of the operating system") is requested by the copy the sample placed in %APPDATA%\WinSocket, not by a system binary.

Suspicious use of WriteProcessMemory

Description Indicator Process Target (identical rows collapsed; repeat count in brackets)
PID 2176 wrote to memory of 2108 [x4] N/A C:\Users\Admin\AppData\Local\Temp\2bc2d4e2cf1706542b76460e36d968b0_NEIKI.exe C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 1720 [x4] N/A C:\Users\Admin\AppData\Local\Temp\2bc2d4e2cf1706542b76460e36d968b0_NEIKI.exe C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 2928 [x4] N/A C:\Users\Admin\AppData\Local\Temp\2bc2d4e2cf1706542b76460e36d968b0_NEIKI.exe C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 1680 [x4] N/A C:\Users\Admin\AppData\Local\Temp\2bc2d4e2cf1706542b76460e36d968b0_NEIKI.exe C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe
PID 1680 wrote to memory of 2852 [x4] N/A C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 2624 [x4] N/A C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 2828 [x4] N/A C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 2676 [x28] N/A C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2108 wrote to memory of 2504 [x4] N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2852 wrote to memory of 2524 [x4] N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
Note: the small, fixed number of writes recorded for each ordinary child is what this sandbox logs for plain process creation. The 28 writes from the %APPDATA% copy (PID 1680) into svchost.exe (PID 2676) are the injection step; they match the 0x10000000-0x1001E000 region later dumped from PID 2676 (see Files).

Uses Task Scheduler COM API

persistence

Processes

Each entry gives the image path followed by the command line the sandbox recorded for it.

C:\Users\Admin\AppData\Local\Temp\2bc2d4e2cf1706542b76460e36d968b0_NEIKI.exe
  "C:\Users\Admin\AppData\Local\Temp\2bc2d4e2cf1706542b76460e36d968b0_NEIKI.exe"

C:\Windows\SysWOW64\cmd.exe
  /c sc stop WinDefend

C:\Windows\SysWOW64\cmd.exe
  /c sc delete WinDefend

C:\Windows\SysWOW64\cmd.exe
  /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe

C:\Windows\SysWOW64\cmd.exe
  /c sc stop WinDefend

C:\Windows\SysWOW64\cmd.exe
  /c sc delete WinDefend

C:\Windows\SysWOW64\cmd.exe
  /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\sc.exe
  sc stop WinDefend

C:\Windows\SysWOW64\sc.exe
  sc stop WinDefend

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\sc.exe
  sc delete WinDefend

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\sc.exe
  sc delete WinDefend

C:\Windows\system32\taskeng.exe
  taskeng.exe {C3BEEBB7-2AAA-4CA7-8B09-7B7201A3A47B} S-1-5-18:NT AUTHORITY\System:Service:

C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe

Reading the tree: the original sample and its %APPDATA%\WinSocket copy each run the same three Defender-tampering commands (sc stop WinDefend, sc delete WinDefend, Set-MpPreference -DisableRealtimeMonitoring $true) through cmd.exe before injecting into svchost.exe. taskeng.exe, the task engine for the SYSTEM session (S-1-5-18), appears immediately before the two further copies of NFJLJ.exe, consistent with the "Uses Task Scheduler COM API" persistence signature.
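The process tree above is the kind of activity a host-based detection should catch before the injection step. The following is an added example, not part of the sandbox report: it runs three rules over process-creation and remote-write events constructed to mirror the behavioral1 listing. PIDs 2176, 2108, 1720, 2928, 1680, 2676 and 2504 are taken from the report; which cmd.exe PID ran which command is assumed, and PIDs 9001 and 9002 are placeholders for children the report does not number.

```python
"""Detection logic run over the behavioral1 process activity (added example)."""
import re
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2bc2d4e2cf1706542b76460e36d968b0_NEIKI.exe"
COPY = r"C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SC = r"C:\Windows\SysWOW64\sc.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SVCHOST = r"C:\Windows\system32\svchost.exe"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed to mirror the report; cmd.exe-to-command mapping and PIDs 9001/9002 are assumed.
PROC_EVENTS = [
    ProcEvent(2176, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2108, 2176, CMD, "/c sc stop WinDefend"),
    ProcEvent(2504, 2108, SC, "sc stop WinDefend"),
    ProcEvent(1720, 2176, CMD, "/c sc delete WinDefend"),
    ProcEvent(9001, 1720, SC, "sc delete WinDefend"),  # PID assumed
    ProcEvent(2928, 2176, CMD, "/c powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent(9002, 2928, PS, "powershell Set-MpPreference -DisableRealtimeMonitoring $true"),  # PID assumed
    ProcEvent(1680, 2176, COPY, COPY),
    ProcEvent(2676, 1680, SVCHOST, SVCHOST),
]

# (source PID, target PID) pairs from the "Suspicious use of WriteProcessMemory" table.
REMOTE_WRITES = [(2176, 2108), (2176, 1720), (2176, 2928), (2176, 1680), (1680, 2676), (2108, 2504)]

DEFENDER_TAMPER = re.compile(
    r"\bsc(?:\.exe)?\s+(?:stop|delete)\s+WinDefend\b"
    r"|Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true\b",
    re.IGNORECASE,
)
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
LOLBINS = {"cmd.exe", "sc.exe", "powershell.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events, remote_writes):
    """Return (rule, pid, detail) tuples for the three behaviours this report documents."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        # Tampering with Microsoft Defender through sc.exe or Set-MpPreference.
        if DEFENDER_TAMPER.search(e.cmdline):
            findings.append(("defender_tamper", e.pid, e.cmdline))
        # A living-off-the-land binary spawned by an executable in a user-writable directory.
        parent = by_pid.get(e.ppid)
        if parent and basename(e.image) in LOLBINS and USER_WRITABLE.match(parent.image):
            findings.append(("lolbin_from_user_path", e.pid, parent.image))
    # A user-path executable writing into svchost.exe, whose only legitimate parent is services.exe.
    for src, dst in remote_writes:
        s, d = by_pid.get(src), by_pid.get(dst)
        if s and d and basename(d.image) == "svchost.exe" and USER_WRITABLE.match(s.image):
            findings.append(("svchost_injection", src, f"wrote to svchost PID {dst}"))
    return findings


def ancestry(events, pid):
    """Image chain from a PID up to the root, e.g. sc.exe <- cmd.exe <- <sample>.exe."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for rule, pid, detail in detect(PROC_EVENTS, REMOTE_WRITES):
        print(f"{rule:24} pid={pid:<5} {detail}")
    print("ancestry of 2504:", " <- ".join(ancestry(PROC_EVENTS, 2504)))
```

The first rule fires on both the cmd.exe wrapper and the sc.exe/powershell.exe child, so a real deployment would deduplicate on the ancestry chain; the third rule is the one that distinguishes this loader from an admin script that merely disables Defender.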

Network

N/A (no connections were recorded during the 122 s network window of the Windows 7 run)

Files

memory/2176-2-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2176-3-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2176-8-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2176-10-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2176-9-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2176-7-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2176-6-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2176-5-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2176-13-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2176-12-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2176-11-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2176-4-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2176-14-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2176-15-0x0000000000610000-0x0000000000639000-memory.dmp

memory/2176-18-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2176-17-0x0000000000421000-0x0000000000422000-memory.dmp

C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe

MD5 2bc2d4e2cf1706542b76460e36d968b0
SHA1 ecd2a5f2fc75165918dd3d6d4783e3dbeaae3da9
SHA256 fb5a0ecb62aa6fbf3ee2a2044860b7c30dc00654dd75da35e48c19de35313a76
SHA512 d90ad63051f8b2cd43362056d598a7d38795c5d67be4542808cb0413a52abd6a9f60920cc8839543021fe5a31437bd3f3d57ba2e960a846ce686582cc1993fb3
Note: these digests are identical to the submitted sample's (MD5 2bc2d4e2cf1706542b76460e36d968b0, SHA256 fb5a0ecb...), so the loader copies itself unmodified into %APPDATA%\WinSocket under a mutated file name (NEIKI -> NFJLJ).

memory/1680-41-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/1680-44-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2676-51-0x0000000010000000-0x000000001001E000-memory.dmp

memory/2676-55-0x0000000000060000-0x0000000000061000-memory.dmp

memory/1680-46-0x0000000010000000-0x0000000010007000-memory.dmp

memory/1680-45-0x0000000010000000-0x0000000010007000-memory.dmp

memory/2676-50-0x0000000010000000-0x000000001001E000-memory.dmp

memory/1680-40-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/1680-39-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/1680-38-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/1680-37-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/1680-36-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/1680-35-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/1680-34-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/1680-33-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/1680-32-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/1680-31-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/1680-30-0x00000000003F0000-0x00000000003F1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 2581f4a00d0a6675dbee3ecd116e9c26
SHA1 582011e39a98013c7816a89cb1923b47713fdfce
SHA256 8c77b99cf88e59675bb42795abfd901dec79acea2dbeba50a1113d99c8719b69
SHA512 0d752a4653f5f0592b275b955fe6922f16167bddce20b1383f659c3428c165c107cd639b68a03830b2da0359c1d0ce2ea1260f8416e9c02babd189de03c4802e

memory/2172-69-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/2172-68-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/2172-70-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/2172-71-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/2172-72-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/2172-73-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/2172-74-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/2172-75-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/2172-76-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/2172-77-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/2172-78-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/2172-79-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/1992-95-0x00000000001F0000-0x00000000001F1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-08 08:30

Reported

2024-05-08 08:32

Platform

win10v2004-20240419-en

Max time kernel

136s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2bc2d4e2cf1706542b76460e36d968b0_NEIKI.exe"

Signatures

KPOT

trojan stealer kpot

KPOT Core Executable

Description Indicator Process Target
(no indicator details recorded for this signature)

Trickbot

trojan banker trickbot

Trickbot x86 loader

Description Indicator Process Target
(no indicator details recorded for this signature)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe N/A [x2]

Suspicious use of WriteProcessMemory

Description Indicator Process Target (identical rows collapsed; repeat count in brackets)
PID 4400 wrote to memory of 4436 [x3] N/A C:\Users\Admin\AppData\Local\Temp\2bc2d4e2cf1706542b76460e36d968b0_NEIKI.exe C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe
PID 4436 wrote to memory of 4260 [x26] N/A C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2872 wrote to memory of 5084 [x26] N/A C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 3928 wrote to memory of 3604 [x9] N/A C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe C:\Windows\system32\svchost.exe
Note: three instances of the %APPDATA% copy (PIDs 4436, 2872 and 3928) each write into a fresh svchost.exe. The 0x10000000-0x1001E000 region dumped from PID 4260 (see Files) has the same base and size as the one injected into PID 2676 in the Windows 7 run.

Uses Task Scheduler COM API

persistence

Processes

Each entry gives the image path followed by the command line the sandbox recorded for it.

C:\Users\Admin\AppData\Local\Temp\2bc2d4e2cf1706542b76460e36d968b0_NEIKI.exe
  "C:\Users\Admin\AppData\Local\Temp\2bc2d4e2cf1706542b76460e36d968b0_NEIKI.exe"

C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe

Unlike the Windows 7 run, no cmd.exe, sc.exe or powershell.exe children were recorded here: the sample went straight to its %APPDATA%\WinSocket copy, and each of the three copies (PIDs 4436, 2872 and 3928 in the WriteProcessMemory table) injected into its own svchost.exe.

Network

Country  Destination            Domain                          Proto
US       8.8.8.8:53             8.8.8.8.in-addr.arpa            udp
US       8.8.8.8:53             g.bing.com                      udp
US       204.79.197.237:443     g.bing.com                      tcp
US       8.8.8.8:53             196.249.167.52.in-addr.arpa     udp
US       8.8.8.8:53             172.210.232.199.in-addr.arpa    udp
NL       23.62.61.97:443        www.bing.com                    tcp
US       8.8.8.8:53             237.197.79.204.in-addr.arpa     udp
US       8.8.8.8:53             97.61.62.23.in-addr.arpa        udp
US       8.8.8.8:53             58.55.71.13.in-addr.arpa        udp
US       8.8.8.8:53             228.249.119.40.in-addr.arpa     udp
US       8.8.8.8:53             103.169.127.40.in-addr.arpa     udp
US       8.8.8.8:53             18.31.95.13.in-addr.arpa        udp
US       8.8.8.8:53             240.221.184.93.in-addr.arpa     udp
US       8.8.8.8:53             205.47.74.20.in-addr.arpa       udp
US       8.8.8.8:53             48.251.17.2.in-addr.arpa        udp
TH       110.164.69.92:449      (none, direct to IP)            tcp
US       8.8.8.8:53             29.243.111.52.in-addr.arpa      udp
US       8.8.8.8:53             tse1.mm.bing.net                udp
US       204.79.197.200:443     tse1.mm.bing.net                tcp
US       204.79.197.200:443     tse1.mm.bing.net                tcp
US       8.8.8.8:53             200.197.79.204.in-addr.arpa     udp
TH       110.164.69.92:449      (none, direct to IP)            tcp

Note: the Bing lookups and HTTPS connections are typical background traffic of a Windows 10 analysis image, and the in-addr.arpa queries are reverse lookups. The only traffic attributable to the sample is the pair of TCP connections to 110.164.69.92 on port 449, made to a hard-coded address with no preceding forward DNS lookup.
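Separating that one endpoint from the noise is the first thing a responder does with a table like this. The following is an added example, not part of the sandbox report: it parses the rows above (copied from the report) and buckets them into DNS lookups, background traffic and connections worth pivoting on. The list of background domains is an assumption about what a stock Windows 10 image talks to on its own.

```python
"""Triage of the behavioral2 network table (added example)."""
from collections import Counter

# Rows copied from the report's Network table.
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
TH 110.164.69.92:449 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
TH 110.164.69.92:449 tcp
""".splitlines()

# Assumed background traffic of the analysis image (Bing/Cortana), not the sample's.
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")
COMMON_PORTS = {80, 443}


def parse_row(line):
    """'CC ip:port [domain] proto' -> dict; the domain column is absent for direct-to-IP connections."""
    parts = line.split()
    if len(parts) not in (3, 4):
        raise ValueError(f"unexpected row: {line!r}")
    country, dest, proto = parts[0], parts[1], parts[-1]
    domain = parts[2] if len(parts) == 4 else None
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def classify(row):
    """Return ('dns' | 'background' | 'suspect', reasons)."""
    if row["proto"] == "udp" and row["port"] == 53:
        return "dns", []
    if row["domain"] and row["domain"].endswith(BACKGROUND_SUFFIXES):
        return "background", []
    reasons = []
    if row["domain"] is None:
        reasons.append("direct-to-IP, no resolved domain")
    if row["port"] not in COMMON_PORTS:
        reasons.append(f"non-standard port {row['port']}")
    return "suspect", reasons


def triage(lines):
    buckets = {"dns": [], "background": [], "suspect": []}
    for line in lines:
        row = parse_row(line)
        verdict, reasons = classify(row)
        row["reasons"] = reasons
        buckets[verdict].append(row)
    return buckets


def forward_lookups(lines):
    """Names the guest resolved itself (reverse in-addr.arpa lookups excluded)."""
    rows = (parse_row(l) for l in lines)
    return {r["domain"] for r in rows
            if r["proto"] == "udp" and r["port"] == 53 and not r["domain"].endswith(".in-addr.arpa")}


def iocs(lines):
    """Count suspect ip:port endpoints; repeat connections to one endpoint suggest beaconing."""
    return Counter(f"{r['ip']}:{r['port']}" for r in triage(lines)["suspect"])


if __name__ == "__main__":
    b = triage(NETWORK_ROWS)
    print({k: len(v) for k, v in b.items()})
    for endpoint, n in iocs(NETWORK_ROWS).items():
        print(f"{endpoint}  connections={n}  reasons={b['suspect'][0]['reasons']}")
    print("forward lookups:", sorted(forward_lookups(NETWORK_ROWS)))
```

The absence of 110.164.69.92 from the forward-lookup set is itself a signal: the Bing endpoints were reached through DNS, the port 449 endpoint was not.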

Files

memory/4400-6-0x0000000002140000-0x0000000002141000-memory.dmp

memory/4400-18-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4400-17-0x0000000000421000-0x0000000000422000-memory.dmp

memory/4400-15-0x0000000002170000-0x0000000002199000-memory.dmp

memory/4400-14-0x0000000002140000-0x0000000002141000-memory.dmp

memory/4400-13-0x0000000002140000-0x0000000002141000-memory.dmp

memory/4400-12-0x0000000002140000-0x0000000002141000-memory.dmp

memory/4400-11-0x0000000002140000-0x0000000002141000-memory.dmp

memory/4400-10-0x0000000002140000-0x0000000002141000-memory.dmp

memory/4400-9-0x0000000002140000-0x0000000002141000-memory.dmp

memory/4400-7-0x0000000002140000-0x0000000002141000-memory.dmp

memory/4400-8-0x0000000002140000-0x0000000002141000-memory.dmp

memory/4400-5-0x0000000002140000-0x0000000002141000-memory.dmp

memory/4400-4-0x0000000002140000-0x0000000002141000-memory.dmp

memory/4400-3-0x0000000002140000-0x0000000002141000-memory.dmp

memory/4400-2-0x0000000002140000-0x0000000002141000-memory.dmp

C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe

MD5 2bc2d4e2cf1706542b76460e36d968b0
SHA1 ecd2a5f2fc75165918dd3d6d4783e3dbeaae3da9
SHA256 fb5a0ecb62aa6fbf3ee2a2044860b7c30dc00654dd75da35e48c19de35313a76
SHA512 d90ad63051f8b2cd43362056d598a7d38795c5d67be4542808cb0413a52abd6a9f60920cc8839543021fe5a31437bd3f3d57ba2e960a846ce686582cc1993fb3
Note: as in the Windows 7 run, the digests are identical to the submitted sample's; the copy differs from the original only in path and file name.

memory/4436-37-0x0000000002910000-0x0000000002911000-memory.dmp

memory/4436-36-0x0000000002910000-0x0000000002911000-memory.dmp

memory/4436-35-0x0000000002910000-0x0000000002911000-memory.dmp

memory/4436-34-0x0000000002910000-0x0000000002911000-memory.dmp

memory/4436-33-0x0000000002910000-0x0000000002911000-memory.dmp

memory/4436-32-0x0000000002910000-0x0000000002911000-memory.dmp

memory/4436-31-0x0000000002910000-0x0000000002911000-memory.dmp

memory/4436-30-0x0000000002910000-0x0000000002911000-memory.dmp

memory/4436-40-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4436-29-0x0000000002910000-0x0000000002911000-memory.dmp

memory/4436-28-0x0000000002910000-0x0000000002911000-memory.dmp

memory/4436-27-0x0000000002910000-0x0000000002911000-memory.dmp

memory/4436-41-0x0000000010000000-0x0000000010007000-memory.dmp

memory/4436-26-0x0000000002910000-0x0000000002911000-memory.dmp

memory/4260-46-0x0000000010000000-0x000000001001E000-memory.dmp

memory/4260-51-0x000002701FE70000-0x000002701FE71000-memory.dmp

memory/4436-52-0x0000000003100000-0x00000000031BE000-memory.dmp

memory/4436-53-0x00000000031C0000-0x0000000003489000-memory.dmp

memory/2872-69-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

memory/2872-68-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

memory/2872-67-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

memory/2872-66-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

memory/2872-65-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

memory/2872-64-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

memory/2872-63-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

memory/2872-62-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

memory/2872-61-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

memory/2872-60-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

memory/2872-59-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

memory/2872-58-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

memory/2872-73-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2872-72-0x0000000000421000-0x0000000000422000-memory.dmp

C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

MD5 ae2a904d34d66b6fc5703398f8c5ec3f
SHA1 6628c0e30f252d09a0e815c04992a05a9d468931
SHA256 cac8d7facd329970422f9bdcfab213da626bfba706998794cb4c3171d98c1fae
SHA512 f261519ac3a278c4c8082b8040b6961df2485a7f0d697cb2064a87b8962731236c00a706d9f6c10424e0932e37bb847bcd3019cda6ed903ff0ac01dc48b50668