Malware Analysis Report

2024-12-07 21:20

Sample ID 240206-yfp5paefd4
Target VirusShare_dc5362b9b39cf550b34c1272fe15b355
SHA256 48cfbdeb4600dfd22582198b12d32538385f7a4f361281161892ff0ae2f9ccaf
Tags
xtremerat persistence rat spyware upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

48cfbdeb4600dfd22582198b12d32538385f7a4f361281161892ff0ae2f9ccaf

Threat Level: Known bad

The file VirusShare_dc5362b9b39cf550b34c1272fe15b355 was found to be: Known bad.

Malicious Activity Summary

xtremerat persistence rat spyware upx

XtremeRAT

Detects executables packed with SmartAssembly

Detect XtremeRAT payload

UPX dump on OEP (original entry point)

Modifies Installed Components in the registry

Executes dropped EXE

Checks computer location settings

UPX packed file

Drops desktop.ini file(s)

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-06 19:43

Signatures

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-06 19:43

Reported

2024-02-06 19:48

Platform

win7-20231215-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare_dc5362b9b39cf550b34c1272fe15b355.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

XtremeRAT

persistence spyware rat xtremerat

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B3H462O-2D4U-1FBK-5IM1-QWQ763MI2XG1} C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B3H462O-2D4U-1FBK-5IM1-QWQ763MI2XG1}\StubPath = "C:\\Windows\\system32\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B3H462O-2D4U-1FBK-5IM1-QWQ763MI2XG1} C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B3H462O-2D4U-1FBK-5IM1-QWQ763MI2XG1}\StubPath = "C:\\Windows\\system32\\InstallDir\\Server.exe restart" C:\Windows\SysWOW64\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File created C:\Windows\SysWOW64\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\ C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2348 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_dc5362b9b39cf550b34c1272fe15b355.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 2708 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\svchost.exe
PID 2708 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\explorer.exe
PID 2708 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_dc5362b9b39cf550b34c1272fe15b355.exe

"C:\Users\Admin\AppData\Local\Temp\VirusShare_dc5362b9b39cf550b34c1272fe15b355.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 somee.no-ip.biz udp
N/A 127.0.0.1:81 tcp

Files

C:\Users\Admin\AppData\Local\Temp\server.exe

MD5 bcf0247c88321352495ecf8ab39894b0
SHA1 ba255d79380572ae5992a7cca49ce47a6e924b1f
SHA256 cb6bd0c6381ab31775fa7ab2a70ff4503a86b8adb73cda9027db7c4a9b1cac32
SHA512 4fb00145685709efa150735347a87212da4b8626c2a85fcd76d47ee881aab6be9f4fbd652bd8cfc1d277279dd27c85ab5aa191f05f4ce1083a353dba8e1724a6

C:\Users\Admin\AppData\Local\Temp\server.exe

MD5 6ef3f4cc906210aa99ed2da9bf4ea0a6
SHA1 9fd6bd2705c06ab9f46f8bf013fb1115a62d9a48
SHA256 f47ab046445cb483633cdf81bbcb71be499212a3063b7ce12b90c34ccf38f18c
SHA512 1001a9c6f0cca2a6169a26888766a73cec861e7b141a331e2a3c70fb73d753097e10ec3e77071f588474b455519e71bb64296dd4f0abc1dc69920d9dd7c8b7f8

C:\Users\Admin\AppData\Local\Temp\server.exe

MD5 eb60c765412e32e7e1f3916ec7080844
SHA1 f1639a6742ed5ab8e1089ab0b0520caa73cd14e7
SHA256 074e1f31691f79cb70ee64f7add18fd0b0071a9ead016aaa2351acb29719f7c4
SHA512 e606a1340e8942cda88878db8aafdda85c28d427fd4ac9b353270a6dfd213de2574d9a98b90db61b4f2830dc5780bc844862fe9579d291bdb0b149604026aa69

C:\Windows\SysWOW64\InstallDir\Server.exe

MD5 a51f1b4db4bdd656d0c31bc77f1e9a79
SHA1 f2a3e3f725a985d7d24b66bed17cb37f3c05105c
SHA256 37bb3e1193f4684934a8cf62a68ffde17d044e5f6af3c2f7d6370f7e48b50a6d
SHA512 8fb4ae8042a887dadb9b7a07b50e61735a75447896c24d28aaa5f811680f4db517ee606d1b1899a00c8a57104ba2ada09666cad9814abb4384ca5b22a424aaae

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-06 19:43

Reported

2024-02-06 19:48

Platform

win10v2004-20231215-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare_dc5362b9b39cf550b34c1272fe15b355.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

XtremeRAT

persistence spyware rat xtremerat

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B3H462O-2D4U-1FBK-5IM1-QWQ763MI2XG1}\StubPath = "C:\\Windows\\system32\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B3H462O-2D4U-1FBK-5IM1-QWQ763MI2XG1} C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B3H462O-2D4U-1FBK-5IM1-QWQ763MI2XG1}\StubPath = "C:\\Windows\\system32\\InstallDir\\Server.exe restart" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B3H462O-2D4U-1FBK-5IM1-QWQ763MI2XG1} C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VirusShare_dc5362b9b39cf550b34c1272fe15b355.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\VirusShare_dc5362b9b39cf550b34c1272fe15b355.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\VirusShare_dc5362b9b39cf550b34c1272fe15b355.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File created C:\Windows\SysWOW64\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\ C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\VirusShare_dc5362b9b39cf550b34c1272fe15b355.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\VirusShare_dc5362b9b39cf550b34c1272fe15b355.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\VirusShare_dc5362b9b39cf550b34c1272fe15b355.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_dc5362b9b39cf550b34c1272fe15b355.exe

"C:\Users\Admin\AppData\Local\Temp\VirusShare_dc5362b9b39cf550b34c1272fe15b355.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 somee.no-ip.biz udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
N/A 127.0.0.1:81 tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\server.exe

MD5 47cf30109653749ea04fe9b75476543a
SHA1 6c88ade7b30ddb72fb3626aa5ac9b05b3ce999cb
SHA256 69e5729bbdf18c3089c93877a6840ff214ae91330220cee00ec2134bb5df3b8f
SHA512 ba417588a93b9dd653f8f7e6d96f25d50126c13ce7bfe535c31a2c973da3cc139d509938c6e6aa31262ac506f96f72ecd1d43a2e8077d8525c23874fba543246

C:\Users\Admin\AppData\Local\Temp\server.exe

MD5 65066f6e1d23dcc1ca1a6903e6f4af84
SHA1 a4a81cfff428f17b45fe37513dadadf9f3b967c0
SHA256 460ef7e5ab62e496f890a3facc870c1491f41b913b6a1b0ea27e88004c8119ed
SHA512 c0b649815c6a816c1aac53faa934a3a3d2214e712d2cbfc5633471b43d90590cea7fe860b6eb62ca4ef1d26c86b3c00b50de31e6677e524ecf9b7a97ec184752

C:\Users\Admin\AppData\Local\Temp\server.exe

MD5 f5999ac7cfab3a4c7790f674008fe17b
SHA1 c796062f67421134216c5e9d6217472ed800c114
SHA256 65e6db39daaf5ea369568f87685c7b92fe2374cfe4a73bb296b46a1bba558dc5
SHA512 a013977d3a680438cbf86f7a1120a40d8dcc09dc1bb5e29f18d13673060672e969f2115c1c2bd095a08a09cee8357fa45b70fc11e907354b968f0acc6c03196a

C:\Windows\SysWOW64\InstallDir\Server.exe

MD5 b71f866875e97f165c8ac16ecebbc892
SHA1 6afc67f52a2521e72f331348c1e255995e70a01e
SHA256 bc0071157b95a6ac2b306aa4f13d44341a6e105cd01ec8a33d71a6f10b18658e
SHA512 0bcced9981c53526e2398ced4673dca83b6e2acd0c0de3143526a5a42e26f517560d8be2a32f6c064c2a898c6d9128a6de337b30b0c846aaad19b4331fe474d5
