Malware Analysis Report

2025-04-14 08:15

Sample ID 240213-c6dcxsbh6t
Target 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
SHA256 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503
Tags
raccoon 2637bf45ccfc8a2d57025feab0be0b31 stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503

Threat Level: Known bad

The file 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe was found to be: Known bad.

Malicious Activity Summary

raccoon 2637bf45ccfc8a2d57025feab0be0b31 stealer

Detects executables manipulated with Fody

Raccoon

Raccoon Stealer V2 payload

Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Detects executables manipulated with Fody

Suspicious use of SetThreadContext

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-13 02:40

Signatures

Detects executables manipulated with Fody

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-13 02:40

Reported

2024-02-13 02:49

Platform

win7-20231215-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe"

Signatures

Detects executables manipulated with Fody

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2260 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2260 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2260 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2688 wrote to memory of 2732 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2688 wrote to memory of 2732 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2688 wrote to memory of 2732 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2260 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2260 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2260 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2260 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2260 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2260 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2260 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2260 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2260 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2260 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2260 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2260 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2260 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2260 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2260 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2260 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2260 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2260 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2260 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2260 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe

"C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4ij3zznl\4ij3zznl.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6345.tmp" "c:\Users\Admin\AppData\Local\Temp\4ij3zznl\CSCA2271289AF7E4230A150AF997757D56A.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

N/A

Files

memory/2260-0-0x00000000002D0000-0x0000000000574000-memory.dmp

memory/2260-1-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

memory/2260-2-0x000000001B460000-0x000000001B4E0000-memory.dmp

memory/2260-3-0x0000000002230000-0x000000000228E000-memory.dmp

memory/2260-4-0x000000001B9C0000-0x000000001BA44000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\4ij3zznl\4ij3zznl.cmdline

MD5 8a16d6046968499386c052d1a4395ea6
SHA1 6e67365eae772cd29badebfe638afde5eddf5bee
SHA256 501acbe2cf3cdc617678044e7aa7b2fd025896c025a542a7cdd24c493a324850
SHA512 cb8992e8a59b62b7cd8924b497a6e2aea8c1c5759732a5dd4d55c9b720124ee797a7c49b68d855d3f9c37d535e20a6806aac541e853612591c6c059310dfa8be

\??\c:\Users\Admin\AppData\Local\Temp\4ij3zznl\4ij3zznl.0.cs

MD5 42cdf76cfeebaa4420881fdb1f349522
SHA1 ef4d59c2b791a84ef78b60dba7ab1aec1b28be1d
SHA256 463913a4eb1a1ec5b16cc0307e8e3910389e8505a224c695267eeed1c8d5b970
SHA512 ed44f969cf64ef7c68df80d09f7c8f96c6e688649995c3e624dcd1638a456a8ef66cc535b40aab43a5679fc676dc62a2160cc49a5d8bc22c7df525bfc5520a7c

\??\c:\Users\Admin\AppData\Local\Temp\4ij3zznl\CSCA2271289AF7E4230A150AF997757D56A.TMP

MD5 8ac004641a015f10bd5900a5458ce427
SHA1 8660a22167a378a3ea38dc4fc4e8f8029928d9ef
SHA256 8706c9bd563d13634e132555b40bc2f11b888130d2dcd0dea9de7694afb84391
SHA512 38bd9e9b39c5534447d0f4abed43602042a9b675910ce52ebcc7bf75c3ee46d499f83a98e39bcc5f611ffbfabb9210da9507e6489e66525b48f4789ab79335f2

C:\Users\Admin\AppData\Local\Temp\RES6345.tmp

MD5 97750ef39d86b29c63fc552e4e0e49b7
SHA1 5775a008002a2e90aa93615c20f554ad62fd1580
SHA256 bef6cef9c250dd76e7c14a3ac992b763537061b7be17333a25c668a1c54d5ae6
SHA512 f3b72fc880a2b921191a80f203ba438af2e25c9dc19ba089005350b7e6f74e6c0500ef22c8d05196a6da36a0aa373330ea9f2d15290f1c870e5ebf1a834e1606

C:\Users\Admin\AppData\Local\Temp\4ij3zznl\4ij3zznl.dll

MD5 59852dce1500279b6a05b397ef236e1c
SHA1 7f0919811b789c2731e5a7c42982b81a9ae324e2
SHA256 fa3712c27fc6008b1fecdb61e1b7660381e562906aa1fee72aa04d0051693f4b
SHA512 5073733e89176dcf633e4453af7d12bbcaebd1ade4242987bd6a445d00fda49244a1e8710abe105072fed3f7d187cd5b50c35496d25173fd9a5f5e3861a87370

memory/2260-17-0x0000000002290000-0x0000000002298000-memory.dmp

memory/2260-19-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-13 02:40

Reported

2024-02-13 02:49

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe"

Signatures

Raccoon

stealer raccoon

Raccoon Stealer V2 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables manipulated with Fody

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2376 set thread context of 1276 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2376 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2376 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3944 wrote to memory of 4464 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3944 wrote to memory of 4464 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2376 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2376 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2376 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2376 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2376 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2376 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2376 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2376 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2376 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2376 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2376 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2376 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2376 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2376 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe

"C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\glr0qhww\glr0qhww.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES66F7.tmp" "c:\Users\Admin\AppData\Local\Temp\glr0qhww\CSC46C4CF1CDD544699A0215684784E1EA2.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 194.116.173.154:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

memory/2376-0-0x0000000000A40000-0x0000000000CE4000-memory.dmp

memory/2376-2-0x000000001B830000-0x000000001B88E000-memory.dmp

memory/2376-1-0x00007FFF33D00000-0x00007FFF347C1000-memory.dmp

memory/2376-3-0x000000001BA50000-0x000000001BA60000-memory.dmp

memory/2376-4-0x000000001BB60000-0x000000001BBE4000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\glr0qhww\glr0qhww.cmdline

MD5 2de04cdc041643bf5ad4fe265c4e1f28
SHA1 354c48b623d689ff3bd6510eaa171887d3f72acc
SHA256 6def22660185b0506b6de3707a217e8dd2c9def9d9d4c893fc37e12a4da5d682
SHA512 cafa9e8d553c82e47dd4128e9518fecdf4c0da25a8323bde08c6a70ca44b49a0206e6dc682bfb7e2c1c014c1162f5d6af05a72ae21a871a95917aab5ceb4d231

\??\c:\Users\Admin\AppData\Local\Temp\glr0qhww\glr0qhww.0.cs

MD5 42cdf76cfeebaa4420881fdb1f349522
SHA1 ef4d59c2b791a84ef78b60dba7ab1aec1b28be1d
SHA256 463913a4eb1a1ec5b16cc0307e8e3910389e8505a224c695267eeed1c8d5b970
SHA512 ed44f969cf64ef7c68df80d09f7c8f96c6e688649995c3e624dcd1638a456a8ef66cc535b40aab43a5679fc676dc62a2160cc49a5d8bc22c7df525bfc5520a7c

\??\c:\Users\Admin\AppData\Local\Temp\glr0qhww\CSC46C4CF1CDD544699A0215684784E1EA2.TMP

MD5 b8076ff51b2a07cd71104206ba9ddf9d
SHA1 841d6936027d4c16eb2699aa770b746a05d4f14b
SHA256 7bd6d88fdef23bfcacf11c63f3395642612077c52ddad313a6ac915b5c97fe67
SHA512 2d20ae1f809a021915d2bb079c8b6f5c690419a1ce9f4f180f45cd3ba2ec719964ce06328c5060965f72b460ec466f3738b258a5cf57028c56685e4a84d3245f

C:\Users\Admin\AppData\Local\Temp\RES66F7.tmp

MD5 244ce312539ac4fea013856f580767f3
SHA1 63721b17e33b0a9bca7cc3a035b58696adde47e9
SHA256 8fb7f923957987b2f7da4c0116be34862c25cb6750634b3221c1be7a2cdc59ff
SHA512 ea4a648ba83014357ceacfb73a254f07ee14475c4a31c52cfc1f7004a0695b8f5d6616288e589e252ed6024abeca9ee33157830099e664c23aabb3881c3c9ee9

memory/2376-17-0x0000000003040000-0x0000000003048000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\glr0qhww\glr0qhww.dll

MD5 6dc0c4428e0c57d08c33d6c8f009f0a2
SHA1 25efc8f4253fe6578cde9fe18a2f368684294160
SHA256 7b3a05e2d0287340cb2e05df6af5c1e5f90d0e00b6466540b32f5cf77ba45f7c
SHA512 1edf00b892956ce51f4ed170b9729654dd2523a8b72b2009ab559388978e55ce7e1e763f59ef77323ead3bab67ef908eb2e41ee7ee5f859e715d6fa337eb37b7

memory/1276-19-0x0000000000400000-0x0000000000416000-memory.dmp

memory/2376-23-0x00007FFF33D00000-0x00007FFF347C1000-memory.dmp

memory/1276-22-0x0000000000400000-0x0000000000416000-memory.dmp

memory/1276-24-0x0000000000400000-0x0000000000416000-memory.dmp