Malware Analysis Report

2024-12-07 22:47

Sample ID: 240511-gx8vpahg5z
Target: CodeBlock-wallet_v1.3.1.zip
SHA256: 2705dcc079e3d14aeb87a04b48b495cdd3c0fcfb435f10f04396c78a36ad88a3
Tags: remcos, 22077, rat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 2705dcc079e3d14aeb87a04b48b495cdd3c0fcfb435f10f04396c78a36ad88a3

Threat Level: Known bad

The file CodeBlock-wallet_v1.3.1.zip was found to be: Known bad.

Malicious Activity Summary

Tags: remcos, 22077, rat

Remcos

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-11 06:12

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-11 06:12

Reported

2024-05-11 06:16

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe"

Signatures

Remcos

rat remcos

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4940 set thread context of 1660 | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1492 wrote to memory of 3700 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
PID 1492 wrote to memory of 3700 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
PID 1492 wrote to memory of 3700 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
PID 3700 wrote to memory of 4972 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
PID 3700 wrote to memory of 4972 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
PID 3700 wrote to memory of 4972 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
PID 4972 wrote to memory of 4940 | N/A | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
PID 4972 wrote to memory of 4940 | N/A | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
PID 4972 wrote to memory of 4940 | N/A | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
PID 4940 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe
PID 4940 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe
PID 4940 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe
PID 4940 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 1212 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 1660 wrote to memory of 1212 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 1660 wrote to memory of 1212 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 1660 wrote to memory of 1212 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 1660 wrote to memory of 1212 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe

"C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe"

C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe

"C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe" /VERYSILENT

C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe

"C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe"

C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe

C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
NO | 195.54.170.36:22077 | | tcp
US | 8.8.8.8:53 | 36.170.54.195.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp

Files

memory/1492-0-0x0000000000930000-0x0000000000931000-memory.dmp

memory/1492-3-0x0000000000400000-0x0000000000712000-memory.dmp

memory/3700-5-0x0000000000D80000-0x0000000000D81000-memory.dmp

C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe

MD5 9fb4770ced09aae3b437c1c6eb6d7334
SHA1 fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256 a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

memory/3700-19-0x0000000000400000-0x0000000000712000-memory.dmp

C:\Users\Admin\AppData\Roaming\relay.dll

MD5 26f5bc7e93d04836018674ea346fcfc7
SHA1 3b7d74663bfc45388c403d2b4e242df5ee18e8f0
SHA256 2da4a73ab27ca87449151f119852b16280c64c8f7f4a1f3170a27875ae577163
SHA512 7e59b552b3c4b1b5278ad65f2da91bae9e1e429863b8f629ee8522ef330fe0973bb5c52bc69c4cb0b2af92274c2630246403debc9596f211921ed91ba736d7b9

C:\Users\Admin\AppData\Roaming\nighttime.xlsx

MD5 6c6f6a14e9d0a4a4cccf42c556fbd674
SHA1 171078d45ebc27f5a8e448dc451d4f94947d82e5
SHA256 3b5e6c71c2ffbfb6e2db0338d44df9c403aca7778f487543cc6a1cb07a9a21e3
SHA512 8757f66f912ffb888229dbf9d21243dc14888bf21c401818e467d5d12865c7430c48fa0a9c5e6b96db3305f8413f2fe1200dcd9e9325839758a8c6ecac09477e

C:\Users\Admin\AppData\Roaming\bigmouth.ai

MD5 2006f33bd138198426dd0029bfb59d78
SHA1 b6331330a0ac4eec341c1c9eeb6f2f8cd202d1e4
SHA256 33a2f64783b7ccd9f66145d9d7288bff62a4a89b5ee3c82f7f5fe8d1bf68581f
SHA512 9fd5b2280c80b953fa74a5e5a8278b85b229daca0dfce988d8dafa14bc6db8906811da3b4628f27336886de8495822a173c36a72cfd9b8a90fbd8327fed5b649

memory/4972-25-0x0000000074CE0000-0x0000000074E5B000-memory.dmp

memory/4972-26-0x00007FFE4F5B0000-0x00007FFE4F7A5000-memory.dmp

C:\Users\Admin\AppData\Roaming\UIxMarketPlugin.dll

MD5 d1ba9412e78bfc98074c5d724a1a87d6
SHA1 0572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256 cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
SHA512 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

memory/4940-40-0x0000000074CE0000-0x0000000074E5B000-memory.dmp

memory/4940-41-0x00007FFE4F5B0000-0x00007FFE4F7A5000-memory.dmp

memory/4940-42-0x0000000074CE0000-0x0000000074E5B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\abae9306

MD5 18ee4eb96555309de1727cc77c18d23b
SHA1 1bd242b5e280773433cbb83335daf011ff885157
SHA256 cce0f25e2fc6c8a1aa67dab0256d0bc6017a7ccd365c2b87ce50be8cfd2c39fa
SHA512 e6f1bac50672a9d3c967d07bbde500431e5796db7d5def772927666b1656c99071a8569908353c327e9bdf1e126481319edebab5322452d50214e8075e366fde

memory/1660-45-0x00007FFE4F5B0000-0x00007FFE4F7A5000-memory.dmp

memory/1660-47-0x0000000074CE0000-0x0000000074E5B000-memory.dmp

memory/1212-49-0x00007FFE4F5B0000-0x00007FFE4F7A5000-memory.dmp

memory/1212-50-0x0000000000540000-0x00000000005C3000-memory.dmp

memory/1212-53-0x0000000000540000-0x00000000005C3000-memory.dmp

memory/1212-54-0x0000000000540000-0x00000000005C3000-memory.dmp

memory/1212-55-0x0000000000540000-0x00000000005C3000-memory.dmp

memory/1212-56-0x0000000000540000-0x00000000005C3000-memory.dmp

memory/1212-57-0x0000000000540000-0x00000000005C3000-memory.dmp

memory/1212-60-0x0000000000540000-0x00000000005C3000-memory.dmp

memory/1212-61-0x0000000000540000-0x00000000005C3000-memory.dmp

memory/1212-62-0x0000000000540000-0x00000000005C3000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-11 06:12

Reported

2024-05-11 06:16

Platform

win7-20240508-en

Max time kernel

149s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe"

Signatures

Remcos

rat remcos

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2604 set thread context of 1700 | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1680 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
PID 1680 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
PID 1680 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
PID 1680 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
PID 1680 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
PID 1680 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
PID 1680 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
PID 2552 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
PID 2552 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
PID 2552 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
PID 2552 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
PID 2552 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
PID 2552 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
PID 2552 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
PID 2268 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
PID 2268 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
PID 2268 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
PID 2268 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
PID 2268 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
PID 2268 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
PID 2268 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
PID 2604 wrote to memory of 1700 | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 1700 | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 1700 | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 1700 | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 1700 | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe
PID 1700 wrote to memory of 316 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 1700 wrote to memory of 316 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 1700 wrote to memory of 316 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 1700 wrote to memory of 316 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 1700 wrote to memory of 316 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 1700 wrote to memory of 316 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe

"C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe"

C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe

"C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe" /VERYSILENT

C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe

"C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe"

C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe

C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country | Destination | Domain | Proto
NO | 195.54.170.36:22077 | | tcp

Files

memory/1680-0-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/1680-3-0x0000000000400000-0x0000000000712000-memory.dmp

\Users\Admin\AppData\Roaming\UniversalInstaller.exe

MD5 9fb4770ced09aae3b437c1c6eb6d7334
SHA1 fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256 a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

memory/2552-20-0x0000000000400000-0x0000000000712000-memory.dmp

C:\Users\Admin\AppData\Roaming\relay.dll

MD5 26f5bc7e93d04836018674ea346fcfc7
SHA1 3b7d74663bfc45388c403d2b4e242df5ee18e8f0
SHA256 2da4a73ab27ca87449151f119852b16280c64c8f7f4a1f3170a27875ae577163
SHA512 7e59b552b3c4b1b5278ad65f2da91bae9e1e429863b8f629ee8522ef330fe0973bb5c52bc69c4cb0b2af92274c2630246403debc9596f211921ed91ba736d7b9

C:\Users\Admin\AppData\Roaming\nighttime.xlsx

MD5 6c6f6a14e9d0a4a4cccf42c556fbd674
SHA1 171078d45ebc27f5a8e448dc451d4f94947d82e5
SHA256 3b5e6c71c2ffbfb6e2db0338d44df9c403aca7778f487543cc6a1cb07a9a21e3
SHA512 8757f66f912ffb888229dbf9d21243dc14888bf21c401818e467d5d12865c7430c48fa0a9c5e6b96db3305f8413f2fe1200dcd9e9325839758a8c6ecac09477e

C:\Users\Admin\AppData\Roaming\bigmouth.ai

MD5 2006f33bd138198426dd0029bfb59d78
SHA1 b6331330a0ac4eec341c1c9eeb6f2f8cd202d1e4
SHA256 33a2f64783b7ccd9f66145d9d7288bff62a4a89b5ee3c82f7f5fe8d1bf68581f
SHA512 9fd5b2280c80b953fa74a5e5a8278b85b229daca0dfce988d8dafa14bc6db8906811da3b4628f27336886de8495822a173c36a72cfd9b8a90fbd8327fed5b649

memory/2268-26-0x0000000074B60000-0x0000000074CD4000-memory.dmp

memory/2268-27-0x0000000077B30000-0x0000000077CD9000-memory.dmp

C:\Users\Admin\AppData\Roaming\UIxMarketPlugin.dll

MD5 d1ba9412e78bfc98074c5d724a1a87d6
SHA1 0572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256 cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
SHA512 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

memory/2604-43-0x0000000074CD0000-0x0000000074E44000-memory.dmp

memory/2604-44-0x0000000077B30000-0x0000000077CD9000-memory.dmp

memory/2604-45-0x0000000074CD0000-0x0000000074E44000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b5576dfa

MD5 a21eed1a7725c570da8506f446ded408
SHA1 741cb6055a82fcb2d2a1bd00d3499c087a7a8bfa
SHA256 01c311d482fb65be7a9edf5730b234932554c112cf48d7f425845dcc42929d0e
SHA512 e9b3cedb0695cbb78cd413525b4e79cad3168918242f1c6294c1a57be9048e5c0da1897e10010a4979814d70f3a6a3100e6d20a3f4058747d7f176fef264f82a

memory/1700-48-0x0000000077B30000-0x0000000077CD9000-memory.dmp

memory/1700-94-0x0000000074CD0000-0x0000000074E44000-memory.dmp

memory/316-96-0x0000000077B30000-0x0000000077CD9000-memory.dmp

memory/316-97-0x0000000000080000-0x0000000000103000-memory.dmp

memory/316-101-0x0000000000080000-0x0000000000103000-memory.dmp

memory/316-102-0x0000000000080000-0x0000000000103000-memory.dmp

memory/316-103-0x0000000000080000-0x0000000000103000-memory.dmp

memory/316-104-0x0000000000080000-0x0000000000103000-memory.dmp

memory/316-105-0x0000000000080000-0x0000000000103000-memory.dmp

memory/316-106-0x0000000000080000-0x0000000000103000-memory.dmp

memory/316-107-0x0000000000080000-0x0000000000103000-memory.dmp

memory/316-108-0x0000000000080000-0x0000000000103000-memory.dmp

memory/316-109-0x0000000000080000-0x0000000000103000-memory.dmp

memory/316-110-0x0000000000080000-0x0000000000103000-memory.dmp

memory/316-111-0x0000000000080000-0x0000000000103000-memory.dmp