Malware Analysis Report

2025-04-14 08:03

Sample ID 240213-cyf4vaag4v
Target 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
SHA256 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503
Tags: raccoon 2637bf45ccfc8a2d57025feab0be0b31 stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503

Threat Level: Known bad

The file 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe was found to be: Known bad.

Malicious Activity Summary

raccoon 2637bf45ccfc8a2d57025feab0be0b31 stealer

Raccoon

Raccoon Stealer V2 payload

Detects executables manipulated with Fody

Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Suspicious use of SetThreadContext

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-13 02:28

Signatures

Detects executables manipulated with Fody

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-13 02:28

Reported

2024-02-13 04:10

Platform

win7-20231129-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe"

Signatures

Detects executables manipulated with Fody

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2128 wrote to memory of 1764 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1764 wrote to memory of 2564 (3 events) | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2128 wrote to memory of 2664 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2128 wrote to memory of 2680 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2128 wrote to memory of 2684 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2128 wrote to memory of 2704 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2128 wrote to memory of 2700 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe

"C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD88.tmp" "c:\Users\Admin\AppData\Local\Temp\5xty3sek\CSCE216F181C3A04F8EA136818E64882D19.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5xty3sek\5xty3sek.cmdline"

Network

N/A

Files

memory/2128-0-0x00000000001A0000-0x0000000000444000-memory.dmp

memory/2128-1-0x000007FEF59F0000-0x000007FEF63DC000-memory.dmp

memory/2128-3-0x0000000002170000-0x00000000021CE000-memory.dmp

memory/2128-2-0x000000001B130000-0x000000001B1B0000-memory.dmp

memory/2128-4-0x000000001AE50000-0x000000001AED4000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\5xty3sek\5xty3sek.0.cs

MD5 42cdf76cfeebaa4420881fdb1f349522
SHA1 ef4d59c2b791a84ef78b60dba7ab1aec1b28be1d
SHA256 463913a4eb1a1ec5b16cc0307e8e3910389e8505a224c695267eeed1c8d5b970
SHA512 ed44f969cf64ef7c68df80d09f7c8f96c6e688649995c3e624dcd1638a456a8ef66cc535b40aab43a5679fc676dc62a2160cc49a5d8bc22c7df525bfc5520a7c

\??\c:\Users\Admin\AppData\Local\Temp\5xty3sek\5xty3sek.cmdline

MD5 83d22b22932bd0e9101edb657807c36c
SHA1 649ab35539b18a756e34a8802efdbb502d754dcf
SHA256 d3297badc42c1ba8303af3bc9ece898fb1953b04777866b859cdaa576c40ffc2
SHA512 173fdb8609a644cf48f7986bf47bce28b55136c09b3e4fb838a9154f69aded4acecdff7685e25cc580d9728b3aa83128b6b3247e29228dbb242d3e107fb5f231

memory/2128-17-0x0000000000980000-0x0000000000988000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5xty3sek\5xty3sek.dll

MD5 d27a53e5648f965787b0f2fe58d61e51
SHA1 58c6d8181216a55b88c1f79240132c1c7f3b14f0
SHA256 8fea6c99cc711f85579f71a7a7e8c7b383f9e9e6b3de0b5ef15a1f33937dfd77
SHA512 f8e04464b60d20e9d64fbb63b76850423b967d904efb6492ed3a93084734c6f4613aa1f9cf64183558ec4708e0e9bcd588770f6bf78d4491faba824eb23c0ae6

memory/2128-19-0x000007FEF59F0000-0x000007FEF63DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RESD88.tmp

MD5 c73ca38811ab0c6feb46bdc89c740bab
SHA1 f369d4af25770f32c2ac173471b6230a0c9c44c5
SHA256 2f350a2346e043293a782b02e76ea95e83d53227d8ed48acec6892d53f224256
SHA512 28a377072afba0765c77dde6fb007f2d819dc2b4e33819d0deb3458f413dd5dd9881c55ae83a2aef3bef5f4f47cb4e6b952e52b8450fbb87f9a5bbfeff3e1b33

\??\c:\Users\Admin\AppData\Local\Temp\5xty3sek\CSCE216F181C3A04F8EA136818E64882D19.TMP

MD5 a7cc43c2e9a77f6d9faddef219f125a6
SHA1 a034b48f8c3f036b607eb928b69f9b591e703594
SHA256 c79f5777cff6f51b08e4ca2c5d7203051cd7ce758e355d525397afb39a041986
SHA512 c17f29bc5bde4ef50a732c196a5d10021faf4f6d42a262827a588582cf255bffc92f3e5a7d1fd50649bdc5ecd79c3380131e0bbbd9b1fc30f816a6b8edd5b879

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-13 02:28

Reported

2024-02-13 04:11

Platform

win10v2004-20231215-en

Max time kernel

128s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe"

Signatures

Raccoon

stealer raccoon

Raccoon Stealer V2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (3 matches)

Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (3 matches)

Detects executables manipulated with Fody

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4652 set thread context of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4652 wrote to memory of 1900 (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1900 wrote to memory of 1276 (2 events) | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4652 wrote to memory of 4916 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4652 wrote to memory of 1236 (8 events) | N/A | C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe

"C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3rsktgc1\3rsktgc1.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4DA3.tmp" "c:\Users\Admin\AppData\Local\Temp\3rsktgc1\CSC439BA96963DF4939AEEA4518767C89E.TMP"

Network

Country | Destination | Domain | Proto
US | 194.116.173.154:80 | N/A | tcp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp

Files

memory/4652-0-0x0000000000310000-0x00000000005B4000-memory.dmp

memory/4652-1-0x00000000027E0000-0x000000000283E000-memory.dmp

memory/4652-3-0x00000000027D0000-0x00000000027E0000-memory.dmp

memory/4652-2-0x00007FFFD7B70000-0x00007FFFD8631000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\3rsktgc1\3rsktgc1.0.cs

MD5 f5829a84ccc8c97f4e676f27f981b1ff
SHA1 c9e319ddb507f890f5af8f775e720a2120912023
SHA256 6210f210adb7bc763f1f78964fb951fdf622202cd78f0191649a77fa6fd01164
SHA512 afc00afc72433c9e48ef53b94f1879aa77139a5a0885b382d3429338ed6500f040630e3b12e381354a7249556b45f1bf7a25c047335a66a6ea6bdb920880a1b3

\??\c:\Users\Admin\AppData\Local\Temp\3rsktgc1\3rsktgc1.cmdline

MD5 58b933cbee974a3f9d87a712574c44a6
SHA1 f28a99fce78b5a539f53425e7dd2b0ba7ad36519
SHA256 0aae1dae5d130e51e93c3809d46e466c5cbf1360b806ad128ab2115cb489383e
SHA512 f5ff8e9bf9652e40a7469ca99c802c42fbff5ef09b5ea26bc9c838cabf0fe9f76aec424fd4d67dd7aaf38f7394acb65bf011749f3049b513bbc2ca36aad0271d

C:\Users\Admin\AppData\Local\Temp\RES4DA3.tmp

MD5 ec4c59476257fa6514e9018549c458e2
SHA1 2223404647198f350af06ab7fa27564e36b27457
SHA256 4b4d673068de9dacafe7ea8701fcc4e679c82278819a9e9e94ed4b7e50a6ab40
SHA512 f2d05eff443e504575c17d64ca4de40a2bbcce04d7b42cb2bb97033bc87e9291e52d0d4606d412cc38d2c1df22848b7b593da574b5b799c250201358b98158bd

memory/1236-19-0x0000000000400000-0x0000000000416000-memory.dmp

memory/1236-23-0x0000000000400000-0x0000000000416000-memory.dmp

memory/4652-22-0x00007FFFD7B70000-0x00007FFFD8631000-memory.dmp

memory/4652-17-0x000000001B230000-0x000000001B238000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3rsktgc1\3rsktgc1.dll

MD5 e29a72675d458941e509d5cc3850ac6d
SHA1 0ac9bd09865cbc9a3f51e20df7206d75e8740dd2
SHA256 b6f5a5be5ea38824891c285d140aaa70831aa390068bd36292de0ecb0204bcf3
SHA512 84cbfa837d3729ea435a399fcaf442ba3004b839685ff9fb5924872d87f0ab10a3486a7774631dc2ace7d2dee2aa4d2e5d5f7e1b39d638aca97c4d4394be027a

\??\c:\Users\Admin\AppData\Local\Temp\3rsktgc1\CSC439BA96963DF4939AEEA4518767C89E.TMP

MD5 88d1d11517dc901606ca90c423fc8d22
SHA1 1e5dcb0c4da39cf4ae65fc1a014c864da2359477
SHA256 927828b9bf9c5c736fc378b7bd66d2a826135a8e44adeb44327b8114969b027a
SHA512 70d57cf41dbd1539216b4a91bb8f97823426f41b6ffc03906992db8739b882ac214afa92cc571eeaf73a8ffc200417b118b890b2b1924993d04e731017b3f30c

memory/4652-4-0x000000001B5A0000-0x000000001B624000-memory.dmp

memory/1236-24-0x0000000000400000-0x0000000000416000-memory.dmp