Malware Analysis Report

2025-04-14 08:03

Sample ID 240213-c2bzascf28
Target 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
SHA256 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503
Tags
raccoon 2637bf45ccfc8a2d57025feab0be0b31 stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503

Threat Level: Known bad

The file 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe was found to be: Known bad.

Malicious Activity Summary

raccoon 2637bf45ccfc8a2d57025feab0be0b31 stealer

Raccoon

Raccoon Stealer V2 payload

Detects executables manipulated with Fody

Detects executables manipulated with Fody

Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Suspicious use of SetThreadContext

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-13 02:33

Signatures

Detects executables manipulated with Fody

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-13 02:33

Reported

2024-02-13 03:57

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe"

Signatures

Raccoon

stealer raccoon

Raccoon Stealer V2 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables manipulated with Fody

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2848 set thread context of 3008 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2848 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2848 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2660 wrote to memory of 2680 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2660 wrote to memory of 2680 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2848 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2848 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2848 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2848 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2848 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2848 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2848 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2848 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2848 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2848 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2848 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe

"C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iol1cf30\iol1cf30.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D7B.tmp" "c:\Users\Admin\AppData\Local\Temp\iol1cf30\CSCDB1A2D7E64084BB28BCBCA1F10D5BF7A.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

Country Destination Domain Proto
US 194.116.173.154:80 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
GB 96.16.110.41:443 tcp
SE 192.229.221.95:80 tcp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp

Files

memory/2848-0-0x0000000000E40000-0x00000000010E4000-memory.dmp

memory/2848-1-0x0000000003140000-0x000000000319E000-memory.dmp

memory/2848-2-0x00007FFCAF740000-0x00007FFCB0201000-memory.dmp

memory/2848-3-0x000000001BEF0000-0x000000001BF00000-memory.dmp

memory/2848-4-0x000000001BE40000-0x000000001BEC4000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\iol1cf30\iol1cf30.cmdline

MD5 1d205cf001650176d9568ace91762891
SHA1 b47e0114dfe0672f5683b24ee7e51f772ed2faac
SHA256 3231da1303aabdf7cfeb7c072404b0473edd108a097bdb65487e9e9da23ceca3
SHA512 10ef5ebef4771c4c4d8a7b765068e0f80476083903aa643015d9ab946ec97d0d23f356fd3912862b421f5b83353462202a02af6ad638dab76ad4282161a55859

\??\c:\Users\Admin\AppData\Local\Temp\iol1cf30\iol1cf30.0.cs

MD5 42cdf76cfeebaa4420881fdb1f349522
SHA1 ef4d59c2b791a84ef78b60dba7ab1aec1b28be1d
SHA256 463913a4eb1a1ec5b16cc0307e8e3910389e8505a224c695267eeed1c8d5b970
SHA512 ed44f969cf64ef7c68df80d09f7c8f96c6e688649995c3e624dcd1638a456a8ef66cc535b40aab43a5679fc676dc62a2160cc49a5d8bc22c7df525bfc5520a7c

\??\c:\Users\Admin\AppData\Local\Temp\iol1cf30\CSCDB1A2D7E64084BB28BCBCA1F10D5BF7A.TMP

MD5 537fad25b7280af484bc9829ea6114bc
SHA1 6f45a4ebead6a84f8fd424210265f5d2bf68e90c
SHA256 00aa57e9af1a0699c26db80ed16cbf98f64f3ca9b4f2ca5a963b11fca51e99cb
SHA512 e02c27c1ed4cedd3382d00028dec1d072b4aa4a92fd7943aa2a0352358d73f360f8578f49e30da5ce173946fccbdfba372a5248113142ce8ec4ff48aa5e7b79a

C:\Users\Admin\AppData\Local\Temp\RES8D7B.tmp

MD5 d872a60dcd82d2a3257c53d6fbb14c05
SHA1 e97d41cb26cb717af8de277b3c75fa02e1aba651
SHA256 17e65943c0bda0d75f7dff4398555bfa7c07bc8064effa74deea39df298256e0
SHA512 8357be471aaf219d656c85e7b7a60d776cd9f43a23302e16ba036e281f595e08721d08880543a62e2e9b242710c64894b0553482ae2252a4947f8e8933ac45a3

C:\Users\Admin\AppData\Local\Temp\iol1cf30\iol1cf30.dll

MD5 9c5ec8e0f2cbc47f636f707887738d22
SHA1 5ab5ad387c6ffe9030c5451752e51c9b9f12ea3a
SHA256 978ffd1b4ab136ac1f2cb86ff1f7bb8f5ede202df6aa5d17d8f10b7621c1fb3d
SHA512 9b89ae72df967dd09a8971d19856f47d74a739fb9f7bffe4eec1577779e10da441c78c01adfe1b2ee0f0522328ba0c92fbb925c8f7dfa9700d11fc9e5656c961

memory/2848-17-0x000000001BCA0000-0x000000001BCA8000-memory.dmp

memory/3008-19-0x0000000000400000-0x0000000000416000-memory.dmp

memory/3008-22-0x0000000000400000-0x0000000000416000-memory.dmp

memory/2848-23-0x00007FFCAF740000-0x00007FFCB0201000-memory.dmp

memory/3008-24-0x0000000000400000-0x0000000000416000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-13 02:33

Reported

2024-02-13 03:55

Platform

win7-20231215-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe"

Signatures

Detects executables manipulated with Fody

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1244 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1244 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1244 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2900 wrote to memory of 2084 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2900 wrote to memory of 2084 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2900 wrote to memory of 2084 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1244 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1244 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1244 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1244 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1244 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1244 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1244 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1244 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1244 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1244 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1244 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1244 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1244 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1244 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1244 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1244 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1244 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1244 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1244 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1244 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe

"C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kgsz21u4\kgsz21u4.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1333.tmp" "c:\Users\Admin\AppData\Local\Temp\kgsz21u4\CSC3EB15317E5594A36B197F6C36E7307E.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

N/A

Files

memory/1244-0-0x00000000012D0000-0x0000000001574000-memory.dmp

memory/1244-1-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

memory/1244-2-0x000000001B450000-0x000000001B4D0000-memory.dmp

memory/1244-3-0x0000000000570000-0x00000000005CE000-memory.dmp

memory/1244-4-0x000000001ABC0000-0x000000001AC44000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\kgsz21u4\kgsz21u4.cmdline

MD5 76d2d0c1d43465ec2deeb7275e6aeed6
SHA1 f4385d4c74f873e4de8ab1f3e4d8f14c72025d71
SHA256 3d878c445bbb80576439b1e18fc554090e43fd3d3a39119d69a2df436f4da269
SHA512 0e086f5051b661de71cb43f7f82cc53d90ff3e2ac7d5c65aa5f4e88b42ff200afcdeb0b9d0759d1982adaa7bd13401a2e0bcb7f5af54bc9ba719f79478022873

\??\c:\Users\Admin\AppData\Local\Temp\kgsz21u4\kgsz21u4.0.cs

MD5 42cdf76cfeebaa4420881fdb1f349522
SHA1 ef4d59c2b791a84ef78b60dba7ab1aec1b28be1d
SHA256 463913a4eb1a1ec5b16cc0307e8e3910389e8505a224c695267eeed1c8d5b970
SHA512 ed44f969cf64ef7c68df80d09f7c8f96c6e688649995c3e624dcd1638a456a8ef66cc535b40aab43a5679fc676dc62a2160cc49a5d8bc22c7df525bfc5520a7c

\??\c:\Users\Admin\AppData\Local\Temp\kgsz21u4\CSC3EB15317E5594A36B197F6C36E7307E.TMP

MD5 023e68e021894446c1b141d6ef7dd494
SHA1 bbf5fe21f978f38febd9d4f57e8c7627b1ce9e5c
SHA256 2692f8f4c117aeeab25cb1b5659b633334f08197c0f9b01ce6257b6374f8b834
SHA512 bdee5898d01671eec999c0c6a08b3566896d9ea766237b72261209129b1ffda3740714a74a66dd86437cea820146d8e725b614bdfb6c32fdefeb8492ac948d8d

C:\Users\Admin\AppData\Local\Temp\RES1333.tmp

MD5 b060a694e492638fe51d8bdfccafa6eb
SHA1 4f1021da69efaba85f38c7aabe9db02d94e84932
SHA256 1b4555b256437a14684be1e442fa4b99d0b8557118a46917942dea79a17e66fd
SHA512 ba868e41395c05cad50d643cfa4616998131bc8b8da382356ce14a52e32380298b66cb84861e4346b32efd9133e7ef553640b54e781fd573e80f832cd57a5c31

memory/1244-17-0x0000000000B80000-0x0000000000B88000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kgsz21u4\kgsz21u4.dll

MD5 f850ce531ead94832f70fb2438575dd6
SHA1 8286886d957493ca6611a930a3f344722b09ef7c
SHA256 e1378dc86ea642214082cc4e1a276fb96ae55f48e3db87d9a08e8a938f24579c
SHA512 b03872aec4837963dc2a3c408b63d438161228d23e231af87259b54dda9524b9baedf11938a57c789a95ffb1cfa2a1a98ce1510f9405f24492d118ef2c4e08a9

memory/1244-19-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp