0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

Analysis

max time kernel
154s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-10-2022 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe
Size

583KB
MD5

929457dc75bc3543c97bdafb7a00721a
SHA1

12b2f7b1c2faf3533092b6b729c61903e17f4110
SHA256

0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd
SHA512

a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5
SSDEEP

12288:NM0bdyzpX23UYWx0EPs21KEP3x9G7JCBhx2YV0fOdHrnBHbAZv41BY:22yzJ0ULxfPs21BPi7JCBhoYSfOdHrq/

Score

8^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 46 IoCs

pid	Process
1864	Server.exe
1336	Server.exe
596	Server.exe
1096	Server.exe
1500	Server.exe
1768	Server.exe
2044	Server.exe
576	Server.exe
1152	Server.exe
1252	Server.exe
1640	Server.exe
1260	Server.exe
764	Server.exe
460	Server.exe
1952	Server.exe
664	Server.exe
1668	Server.exe
1320	Server.exe
1820	Server.exe
1072	Server.exe
1372	Server.exe
2008	Server.exe
1728	Server.exe
2004	Server.exe
968	Server.exe
1520	Server.exe
1492	Server.exe
852	Server.exe
1744	Server.exe
1772	Server.exe
1816	Server.exe
288	Server.exe
924	Server.exe
1168	Server.exe
1560	Server.exe
1308	Server.exe
996	Server.exe
900	Server.exe
664	Server.exe
1744	Server.exe
1396	Server.exe
1632	Server.exe
1812	Server.exe
2028	Server.exe
1560	Server.exe
1756	Server.exe

Modifies Installed Components in the registry 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2012-84-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2012-87-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2012-89-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2012-94-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2012-95-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2012-96-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/1048-103-0x0000000010000000-0x000000001031C000-memory.dmp	upx

Loads dropped DLL 17 IoCs

pid	Process
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe"	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe

Writes to the Master Boot Record (MBR) 1 TTPs 17 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Server.exe
File opened for modification	\??\PhysicalDrive0	Server.exe
File opened for modification	\??\PhysicalDrive0	Server.exe
File opened for modification	\??\PhysicalDrive0	Server.exe
File opened for modification	\??\PhysicalDrive0	Server.exe
File opened for modification	\??\PhysicalDrive0	Server.exe
File opened for modification	\??\PhysicalDrive0	Server.exe
File opened for modification	\??\PhysicalDrive0	Server.exe
File opened for modification	\??\PhysicalDrive0	Server.exe
File opened for modification	\??\PhysicalDrive0	Server.exe
File opened for modification	\??\PhysicalDrive0	Server.exe
File opened for modification	\??\PhysicalDrive0	Server.exe
File opened for modification	\??\PhysicalDrive0	Server.exe
File opened for modification	\??\PhysicalDrive0	Server.exe
File opened for modification	\??\PhysicalDrive0	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe
File opened for modification	\??\PhysicalDrive0	Server.exe
File opened for modification	\??\PhysicalDrive0	Server.exe

Suspicious use of SetThreadContext 32 IoCs

description	pid	Process	procid_target
PID 1116 set thread context of 2032	1116	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	26
PID 2032 set thread context of 2012	2032	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	29
PID 1864 set thread context of 1336	1864	Server.exe	32
PID 1336 set thread context of 596	1336	Server.exe	35
PID 1096 set thread context of 1500	1096	Server.exe	37
PID 1500 set thread context of 1768	1500	Server.exe	39
PID 2044 set thread context of 576	2044	Server.exe	42
PID 576 set thread context of 1152	576	Server.exe	45
PID 1252 set thread context of 1640	1252	Server.exe	47
PID 1640 set thread context of 1260	1640	Server.exe	50
PID 764 set thread context of 460	764	Server.exe	52
PID 460 set thread context of 1952	460	Server.exe	55
PID 664 set thread context of 1668	664	Server.exe	57
PID 1320 set thread context of 1820	1320	Server.exe	59
PID 1820 set thread context of 1072	1820	Server.exe	62
PID 1372 set thread context of 2008	1372	Server.exe	64
PID 2008 set thread context of 2004	2008	Server.exe	67
PID 1728 set thread context of 968	1728	Server.exe	69
PID 1520 set thread context of 1492	1520	Server.exe	71
PID 1492 set thread context of 852	1492	Server.exe	74
PID 1744 set thread context of 1772	1744	Server.exe	76
PID 1816 set thread context of 288	1816	Server.exe	78
PID 1772 set thread context of 924	1772	Server.exe	80
PID 288 set thread context of 1168	288	Server.exe	83
PID 1560 set thread context of 1308	1560	Server.exe	86
PID 996 set thread context of 900	996	Server.exe	88
PID 900 set thread context of 664	900	Server.exe	91
PID 1308 set thread context of 1744	1308	Server.exe	94
PID 1396 set thread context of 1632	1396	Server.exe	96
PID 1632 set thread context of 1812	1632	Server.exe	99
PID 2028 set thread context of 1560	2028	Server.exe	101
PID 1560 set thread context of 1756	1560	Server.exe	104

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	C:\Windows\InstallDir\Server.exe	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 51 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Server.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2032	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe
1336	Server.exe
1500	Server.exe
576	Server.exe
1640	Server.exe
460	Server.exe
1820	Server.exe
2008	Server.exe
1492	Server.exe
1772	Server.exe
288	Server.exe
900	Server.exe
1308	Server.exe
1632	Server.exe
1560	Server.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2012	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe
596	Server.exe
1768	Server.exe
1152	Server.exe
1260	Server.exe
1952	Server.exe
1072	Server.exe
2004	Server.exe
852	Server.exe
924	Server.exe
664	Server.exe
1812	Server.exe
1756	Server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 2032	1116	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	26
PID 1116 wrote to memory of 2032	1116	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	26
PID 1116 wrote to memory of 2032	1116	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	26
PID 1116 wrote to memory of 2032	1116	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	26
PID 1116 wrote to memory of 2032	1116	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	26
PID 1116 wrote to memory of 2032	1116	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	26
PID 1116 wrote to memory of 2032	1116	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	26
PID 1116 wrote to memory of 2032	1116	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	26
PID 2032 wrote to memory of 944	2032	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	27
PID 2032 wrote to memory of 944	2032	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	27
PID 2032 wrote to memory of 944	2032	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	27
PID 2032 wrote to memory of 944	2032	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	27
PID 2032 wrote to memory of 944	2032	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	27
PID 2032 wrote to memory of 944	2032	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	27
PID 2032 wrote to memory of 944	2032	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	27
PID 2032 wrote to memory of 336	2032	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	28
PID 2032 wrote to memory of 336	2032	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	28
PID 2032 wrote to memory of 336	2032	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	28
PID 2032 wrote to memory of 336	2032	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	28
PID 2032 wrote to memory of 336	2032	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	28
PID 2032 wrote to memory of 336	2032	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	28
PID 2032 wrote to memory of 336	2032	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	28
PID 2032 wrote to memory of 2012	2032	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	29
PID 2032 wrote to memory of 2012	2032	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	29
PID 2032 wrote to memory of 2012	2032	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	29
PID 2032 wrote to memory of 2012	2032	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	29
PID 2032 wrote to memory of 2012	2032	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	29
PID 2032 wrote to memory of 2012	2032	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	29
PID 2032 wrote to memory of 2012	2032	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	29
PID 2032 wrote to memory of 2012	2032	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	29
PID 2012 wrote to memory of 1048	2012	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	30
PID 2012 wrote to memory of 1048	2012	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	30
PID 2012 wrote to memory of 1048	2012	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	30
PID 2012 wrote to memory of 1048	2012	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	30
PID 2012 wrote to memory of 1048	2012	0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe	30
PID 1048 wrote to memory of 1864	1048	svchost.exe	31
PID 1048 wrote to memory of 1864	1048	svchost.exe	31
PID 1048 wrote to memory of 1864	1048	svchost.exe	31
PID 1048 wrote to memory of 1864	1048	svchost.exe	31
PID 1864 wrote to memory of 1336	1864	Server.exe	32
PID 1864 wrote to memory of 1336	1864	Server.exe	32
PID 1864 wrote to memory of 1336	1864	Server.exe	32
PID 1864 wrote to memory of 1336	1864	Server.exe	32
PID 1864 wrote to memory of 1336	1864	Server.exe	32
PID 1864 wrote to memory of 1336	1864	Server.exe	32
PID 1864 wrote to memory of 1336	1864	Server.exe	32
PID 1864 wrote to memory of 1336	1864	Server.exe	32
PID 1336 wrote to memory of 1100	1336	Server.exe	33
PID 1336 wrote to memory of 1100	1336	Server.exe	33
PID 1336 wrote to memory of 1100	1336	Server.exe	33
PID 1336 wrote to memory of 1100	1336	Server.exe	33
PID 1336 wrote to memory of 1100	1336	Server.exe	33
PID 1336 wrote to memory of 1100	1336	Server.exe	33
PID 1336 wrote to memory of 1100	1336	Server.exe	33
PID 1336 wrote to memory of 1884	1336	Server.exe	34
PID 1336 wrote to memory of 1884	1336	Server.exe	34
PID 1336 wrote to memory of 1884	1336	Server.exe	34
PID 1336 wrote to memory of 1884	1336	Server.exe	34
PID 1336 wrote to memory of 1884	1336	Server.exe	34
PID 1336 wrote to memory of 1884	1336	Server.exe	34
PID 1336 wrote to memory of 1884	1336	Server.exe	34
PID 1336 wrote to memory of 596	1336	Server.exe	35
PID 1336 wrote to memory of 596	1336	Server.exe	35
PID 1336 wrote to memory of 596	1336	Server.exe	35

C:\Users\Admin\AppData\Local\Temp\0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe
"C:\Users\Admin\AppData\Local\Temp\0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Users\Admin\AppData\Local\Temp\0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe
  C:\Users\Admin\AppData\Local\Temp\0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:944
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:336
- - C:\Users\Admin\AppData\Local\Temp\0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe
    C:\Users\Admin\AppData\Local\Temp\0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd.exe
    3⤵
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      Modifies Installed Components in the registry
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1048
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1864
      - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        6⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1884
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        7⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:596
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1096
      - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        6⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1608
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        7⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:616
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2044
      - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        6⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1084
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        7⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1152
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1252
      - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        6⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1688
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        7⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1260
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:764
      - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        6⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1620
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1972
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        7⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1952
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:664
      - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        6⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Modifies registry class
        
        PID:1668
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1320
      - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        6⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1148
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:824
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        7⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1072
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1372
      - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        6⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1184
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        7⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2004
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1728
      - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        6⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Modifies registry class
        
        PID:968
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1520
      - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        6⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:584
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        7⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:852
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1744
      - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        6⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1772
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1316
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        7⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1080
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1816
      - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        6⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1360
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        7⤵
        Executes dropped EXE
        
        PID:1168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1588
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1560
      - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        6⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1308
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1728
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        7⤵
        Executes dropped EXE
        
        PID:1744
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:996
      - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        6⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:900
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:296
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1388
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        7⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:664
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1396
      - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        6⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1788
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        7⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1812
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2028
      - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        6⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1560
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1396
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1604
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        7⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

Filesize
583KB

MD5
18f2180c1a0d1f7a4082e32923b00906

SHA1
cb0dac6958a409e6c0a5cd3fe3768caccf350f0d

SHA256
7d6f0d12636055280c78ba0ac8e4acedcd61a39403f43ec07d885414158338c7

SHA512
a12a2ec4dd29af98c417048e77670d64b5e91479f4f14faf8d1d68c865a7721ed952085b3855e23c71ea8873070179270ac4ea0b22ea97b0fef44d1a7b9ea509

Download Submit
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

Filesize
583KB

MD5
2ea563051494eafc171d182c62b9355a

SHA1
5f9bb19817e01f20d7c792e2c3ad4c4ef553da67

SHA256
fc75f6893b83881cfb5196e54dba91d3b7efa216f90dcf4a0b96f67ed2075f93

SHA512
86827aa0c91031c8704bd6426f092b442d8f9755a46ef2dea759eda70f0127c9f6a361fd90378a42bbfc00ede2ea1c0932bbc929680fc1ae598aa5621e898e59

Download Submit
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
\Windows\InstallDir\Server.exe

Filesize
583KB

MD5
929457dc75bc3543c97bdafb7a00721a

SHA1
12b2f7b1c2faf3533092b6b729c61903e17f4110

SHA256
0affd3484eebdea0fdaa40f4728ce51c6513d1c190c2e79a0a24db16021aebbd

SHA512
a4ca93b0d0e93e877e9526e13274fd6acd7f8efe25dc94985184c4f57a8739344648c2f4b1d36ec80c8d01d68fff6225c8833a5b130e34b02aa2aaf783fe3ad5

Download Submit
memory/288-647-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/288-619-0x00000000004DC165-mapping.dmp

Download
memory/288-673-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/460-322-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/460-356-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/460-346-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/460-317-0x00000000004DC165-mapping.dmp

Download
memory/576-245-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/576-220-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/576-215-0x00000000004DC165-mapping.dmp

Download
memory/576-254-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/596-156-0x00000000102CA000-0x000000001031B000-memory.dmp

Filesize
324KB

Download
memory/596-158-0x0000000010001000-0x00000000102CA000-memory.dmp

Filesize
2.8MB

Download
memory/596-149-0x0000000010319F90-mapping.dmp

Download
memory/596-157-0x0000000010001000-0x00000000102CA000-memory.dmp

Filesize
2.8MB

Download
memory/664-362-0x0000000000000000-mapping.dmp

Download
memory/664-759-0x0000000010319F90-mapping.dmp

Download
memory/764-314-0x0000000000000000-mapping.dmp

Download
memory/852-573-0x0000000010319F90-mapping.dmp

Download
memory/852-581-0x0000000010001000-0x00000000102CA000-memory.dmp

Filesize
2.8MB

Download
memory/852-582-0x0000000010001000-0x00000000102CA000-memory.dmp

Filesize
2.8MB

Download
memory/900-697-0x00000000004DC165-mapping.dmp

Download
memory/924-682-0x0000000010001000-0x00000000102CA000-memory.dmp

Filesize
2.8MB

Download
memory/924-681-0x0000000010001000-0x00000000102CA000-memory.dmp

Filesize
2.8MB

Download
memory/924-656-0x0000000010319F90-mapping.dmp

Download
memory/968-531-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/968-507-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/968-493-0x00000000004DC165-mapping.dmp

Download
memory/996-694-0x0000000000000000-mapping.dmp

Download
memory/1048-103-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/1048-101-0x0000000000000000-mapping.dmp

Download
memory/1072-447-0x0000000010001000-0x00000000102CA000-memory.dmp

Filesize
2.8MB

Download
memory/1072-446-0x0000000010001000-0x00000000102CA000-memory.dmp

Filesize
2.8MB

Download
memory/1072-438-0x0000000010319F90-mapping.dmp

Download
memory/1096-160-0x0000000000000000-mapping.dmp

Download
memory/1152-262-0x0000000010001000-0x00000000102CA000-memory.dmp

Filesize
2.8MB

Download
memory/1152-261-0x0000000010001000-0x00000000102CA000-memory.dmp

Filesize
2.8MB

Download
memory/1152-260-0x00000000102CA000-0x000000001031B000-memory.dmp

Filesize
324KB

Download
memory/1152-252-0x0000000010319F90-mapping.dmp

Download
memory/1168-671-0x0000000010319F90-mapping.dmp

Download
memory/1168-679-0x00000000102CA000-0x000000001031B000-memory.dmp

Filesize
324KB

Download
memory/1168-680-0x0000000010001000-0x00000000102CA000-memory.dmp

Filesize
2.8MB

Download
memory/1252-264-0x0000000000000000-mapping.dmp

Download
memory/1260-302-0x0000000010319F90-mapping.dmp

Download
memory/1260-310-0x00000000102CA000-0x000000001031B000-memory.dmp

Filesize
324KB

Download
memory/1260-311-0x0000000010001000-0x00000000102CA000-memory.dmp

Filesize
2.8MB

Download
memory/1260-312-0x0000000010001000-0x00000000102CA000-memory.dmp

Filesize
2.8MB

Download
memory/1308-692-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1308-687-0x00000000004DC165-mapping.dmp

Download
memory/1320-399-0x0000000000000000-mapping.dmp

Download
memory/1336-128-0x0000000000401000-0x0000000000487200-memory.dmp

Filesize
536KB

Download
memory/1336-127-0x0000000000401000-0x0000000000487200-memory.dmp

Filesize
536KB

Download
memory/1336-135-0x0000000000401000-0x0000000000487200-memory.dmp

Filesize
536KB

Download
memory/1336-112-0x00000000004DC165-mapping.dmp

Download
memory/1336-116-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1336-118-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1336-119-0x0000000000401000-0x0000000000487200-memory.dmp

Filesize
536KB

Download
memory/1336-120-0x0000000000401000-0x0000000000487200-memory.dmp

Filesize
536KB

Download
memory/1336-122-0x0000000000401000-0x0000000000487200-memory.dmp

Filesize
536KB

Download
memory/1336-123-0x0000000000401000-0x0000000000487200-memory.dmp

Filesize
536KB

Download
memory/1336-126-0x0000000000401000-0x0000000000487200-memory.dmp

Filesize
536KB

Download
memory/1336-136-0x0000000000401000-0x0000000000487200-memory.dmp

Filesize
536KB

Download
memory/1336-129-0x0000000000401000-0x0000000000487200-memory.dmp

Filesize
536KB

Download
memory/1336-140-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1336-130-0x0000000000401000-0x0000000000487200-memory.dmp

Filesize
536KB

Download
memory/1336-131-0x0000000000401000-0x0000000000487200-memory.dmp

Filesize
536KB

Download
memory/1336-132-0x0000000000401000-0x0000000000487200-memory.dmp

Filesize
536KB

Download
memory/1336-133-0x0000000000401000-0x0000000000487200-memory.dmp

Filesize
536KB

Download
memory/1336-134-0x0000000000401000-0x0000000000487200-memory.dmp

Filesize
536KB

Download
memory/1336-151-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1372-449-0x0000000000000000-mapping.dmp

Download
memory/1396-783-0x0000000000000000-mapping.dmp

Download
memory/1492-537-0x00000000004DC165-mapping.dmp

Download
memory/1492-568-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1492-575-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1500-190-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1500-202-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1500-163-0x00000000004DC165-mapping.dmp

Download
memory/1500-191-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1520-534-0x0000000000000000-mapping.dmp

Download
memory/1560-684-0x0000000000000000-mapping.dmp

Download
memory/1560-830-0x00000000004DC165-mapping.dmp

Download
memory/1632-785-0x00000000004DC165-mapping.dmp

Download
memory/1640-267-0x00000000004DC165-mapping.dmp

Download
memory/1640-304-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1668-366-0x00000000004DC165-mapping.dmp

Download
memory/1668-396-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1668-395-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1728-484-0x0000000000000000-mapping.dmp

Download
memory/1744-771-0x0000000010319F90-mapping.dmp

Download
memory/1744-584-0x0000000000000000-mapping.dmp

Download
memory/1756-864-0x0000000010319F90-mapping.dmp

Download
memory/1768-200-0x0000000010319F90-mapping.dmp

Download
memory/1768-210-0x0000000010001000-0x00000000102CA000-memory.dmp

Filesize
2.8MB

Download
memory/1768-208-0x00000000102CA000-0x000000001031B000-memory.dmp

Filesize
324KB

Download
memory/1768-209-0x0000000010001000-0x00000000102CA000-memory.dmp

Filesize
2.8MB

Download
memory/1772-587-0x00000000004DC165-mapping.dmp

Download
memory/1772-592-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1772-646-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1772-658-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1812-820-0x0000000010319F90-mapping.dmp

Download
memory/1816-616-0x0000000000000000-mapping.dmp

Download
memory/1820-402-0x00000000004DC165-mapping.dmp

Download
memory/1820-440-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1820-429-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1864-109-0x0000000000000000-mapping.dmp

Download
memory/1952-394-0x0000000010001000-0x00000000102CA000-memory.dmp

Filesize
2.8MB

Download
memory/1952-397-0x0000000010001000-0x00000000102CA000-memory.dmp

Filesize
2.8MB

Download
memory/1952-354-0x0000000010319F90-mapping.dmp

Download
memory/1952-393-0x00000000102CA000-0x000000001031B000-memory.dmp

Filesize
324KB

Download
memory/2004-494-0x0000000010319F90-mapping.dmp

Download
memory/2004-508-0x0000000010001000-0x00000000102CA000-memory.dmp

Filesize
2.8MB

Download
memory/2004-532-0x0000000010001000-0x00000000102CA000-memory.dmp

Filesize
2.8MB

Download
memory/2004-506-0x00000000102CA000-0x000000001031B000-memory.dmp

Filesize
324KB

Download
memory/2008-489-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2008-452-0x00000000004DC165-mapping.dmp

Download
memory/2008-499-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2008-457-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2012-94-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2012-91-0x0000000010319F90-mapping.dmp

Download
memory/2012-89-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2012-87-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2012-84-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2012-83-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2012-95-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2012-96-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2012-97-0x00000000102CA000-0x000000001031B000-memory.dmp

Filesize
324KB

Download
memory/2012-98-0x0000000010001000-0x00000000102CA000-memory.dmp

Filesize
2.8MB

Download
memory/2012-104-0x00000000102CA000-0x000000001031B000-memory.dmp

Filesize
324KB

Download
memory/2012-105-0x0000000010001000-0x00000000102CA000-memory.dmp

Filesize
2.8MB

Download
memory/2028-828-0x0000000000000000-mapping.dmp

Download
memory/2032-81-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/2032-76-0x0000000000401000-0x0000000000487200-memory.dmp

Filesize
536KB

Download
memory/2032-75-0x0000000000401000-0x0000000000487200-memory.dmp

Filesize
536KB

Download
memory/2032-74-0x0000000000401000-0x0000000000487200-memory.dmp

Filesize
536KB

Download
memory/2032-73-0x0000000000401000-0x0000000000487200-memory.dmp

Filesize
536KB

Download
memory/2032-72-0x0000000000401000-0x0000000000487200-memory.dmp

Filesize
536KB

Download
memory/2032-55-0x00000000004DC165-mapping.dmp

Download
memory/2032-71-0x0000000000401000-0x0000000000487200-memory.dmp

Filesize
536KB

Download
memory/2032-70-0x0000000000401000-0x0000000000487200-memory.dmp

Filesize
536KB

Download
memory/2032-69-0x0000000000401000-0x0000000000487200-memory.dmp

Filesize
536KB

Download
memory/2032-68-0x0000000000401000-0x0000000000487200-memory.dmp

Filesize
536KB

Download
memory/2032-65-0x0000000000401000-0x0000000000487200-memory.dmp

Filesize
536KB

Download
memory/2032-64-0x0000000000401000-0x0000000000487200-memory.dmp

Filesize
536KB

Download
memory/2032-61-0x0000000000401000-0x0000000000487200-memory.dmp

Filesize
536KB

Download
memory/2032-62-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2032-59-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2032-60-0x0000000000401000-0x0000000000487200-memory.dmp

Filesize
536KB

Download
memory/2032-58-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2032-57-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2032-77-0x0000000000401000-0x0000000000487200-memory.dmp

Filesize
536KB

Download
memory/2032-54-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2032-78-0x0000000000401000-0x0000000000487200-memory.dmp

Filesize
536KB

Download
memory/2032-79-0x0000000000401000-0x0000000000487200-memory.dmp

Filesize
536KB

Download
memory/2032-80-0x0000000000401000-0x0000000000487200-memory.dmp

Filesize
536KB

Download
memory/2032-82-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2032-92-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2044-212-0x0000000000000000-mapping.dmp

Download