Malware Analysis Report

2025-04-14 08:15

Sample ID 240213-dad51sce3w
Target 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
SHA256 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503
Tags
raccoon 2637bf45ccfc8a2d57025feab0be0b31 stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503

Threat Level: Known bad

The file 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe was found to be: Known bad.

Malicious Activity Summary

raccoon 2637bf45ccfc8a2d57025feab0be0b31 stealer

Raccoon

Raccoon Stealer V2 payload

Detects executables manipulated with Fody

Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Suspicious use of SetThreadContext

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-13 02:48

Signatures

Detects executables manipulated with Fody

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-13 02:47

Reported

2024-02-13 03:01

Platform

win10v2004-20231215-en

Max time kernel

141s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe"

Signatures

Raccoon

stealer raccoon

Raccoon Stealer V2 payload

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables manipulated with Fody

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4792 set thread context of 1208 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4792 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4216 wrote to memory of 3480 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4792 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe

"C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dxo40jgx\dxo40jgx.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E92.tmp" "c:\Users\Admin\AppData\Local\Temp\dxo40jgx\CSC827AD4E289194F569F2C23871A044C3.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 194.116.173.154:80 tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 201.64.52.20.in-addr.arpa udp

Files

\??\c:\Users\Admin\AppData\Local\Temp\dxo40jgx\dxo40jgx.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\dxo40jgx\dxo40jgx.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\dxo40jgx\CSC827AD4E289194F569F2C23871A044C3.TMP

C:\Users\Admin\AppData\Local\Temp\RES9E92.tmp

C:\Users\Admin\AppData\Local\Temp\dxo40jgx\dxo40jgx.dll

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-13 02:47

Reported

2024-02-13 03:00

Platform

win7-20231215-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe"

Signatures

Detects executables manipulated with Fody

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2284 wrote to memory of 2828 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2228 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2228 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2228 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2228 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2228 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe

"C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pcigweks\pcigweks.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES15F1.tmp" "c:\Users\Admin\AppData\Local\Temp\pcigweks\CSC431B6639252F4E3A9894CFCACFFA3B6C.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

N/A

Files

\??\c:\Users\Admin\AppData\Local\Temp\pcigweks\pcigweks.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\pcigweks\pcigweks.0.cs

C:\Users\Admin\AppData\Local\Temp\RES15F1.tmp

C:\Users\Admin\AppData\Local\Temp\pcigweks\pcigweks.dll

\??\c:\Users\Admin\AppData\Local\Temp\pcigweks\CSC431B6639252F4E3A9894CFCACFFA3B6C.TMP
