Malware Analysis Report

2025-04-14 08:15

Sample ID 240213-dakmssdg89
Target 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
SHA256 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503
Tags raccoon 2637bf45ccfc8a2d57025feab0be0b31 stealer
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe was found to be: Known bad.

Malicious Activity Summary

raccoon 2637bf45ccfc8a2d57025feab0be0b31 stealer

Raccoon Stealer V2 payload

Detects executables manipulated with Fody

Raccoon

Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Suspicious use of SetThreadContext

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-13 02:48

Signatures

Detects executables manipulated with Fody

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-13 02:48

Reported

2024-02-13 02:57

Platform

win7-20231129-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe"

Signatures

Detects executables manipulated with Fody

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2344 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1692 wrote to memory of 2944 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2344 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2344 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2344 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2344 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2344 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe

"C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qw2tvdm4\qw2tvdm4.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81C.tmp" "c:\Users\Admin\AppData\Local\Temp\qw2tvdm4\CSCB7EDE0B0BAB04E9299984F97F0FF55FD.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

N/A

Files

\??\c:\Users\Admin\AppData\Local\Temp\qw2tvdm4\qw2tvdm4.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\qw2tvdm4\qw2tvdm4.0.cs

C:\Users\Admin\AppData\Local\Temp\RES81C.tmp

C:\Users\Admin\AppData\Local\Temp\qw2tvdm4\qw2tvdm4.dll

\??\c:\Users\Admin\AppData\Local\Temp\qw2tvdm4\CSCB7EDE0B0BAB04E9299984F97F0FF55FD.TMP

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-13 02:48

Reported

2024-02-13 02:57

Platform

win10v2004-20231215-en

Max time kernel

92s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe"

Signatures

Raccoon

stealer raccoon

Raccoon Stealer V2 payload

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables manipulated with Fody

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2028 set thread context of 3312 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2028 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 644 wrote to memory of 2356 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2028 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe

"C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mglufw3b\mglufw3b.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES47E6.tmp" "c:\Users\Admin\AppData\Local\Temp\mglufw3b\CSCCF73120EC98A4E4AB1315F58680666.TMP"

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 194.116.173.154:80 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp

Files

\??\c:\Users\Admin\AppData\Local\Temp\mglufw3b\mglufw3b.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\mglufw3b\mglufw3b.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\mglufw3b\CSCCF73120EC98A4E4AB1315F58680666.TMP

C:\Users\Admin\AppData\Local\Temp\mglufw3b\mglufw3b.dll

C:\Users\Admin\AppData\Local\Temp\RES47E6.tmp
