14edc7e17f0f54eb4c750ef54e79b7241b77094ffe6d39f2a7e6d5583dead4b0

General

Target

11ea1cac1b6a156f34248849aa7907cb.exe
Size

522KB
MD5

11ea1cac1b6a156f34248849aa7907cb
SHA1

8c11db6b05f2878e263279296e8105136baebb92
SHA256

14edc7e17f0f54eb4c750ef54e79b7241b77094ffe6d39f2a7e6d5583dead4b0
SHA512

624f2f6ceebab94d66475403d4f0ccb116ac317f586b017a8c64b80caa6fa2fcfe8a324b6b5a5a6797dc9958ae41d4ed4fefe8915058b88d1131e53a19a365e0
SSDEEP

12288:wMgDksy9lYyxFSMZQ+peBI+lkHQ4jC9FfmiqZZ4C8+db:vH3YyxFhZ8rKHXcFf5qECJb

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe = "C:\\Users\\Admin\\AppData\\Roaming\\SerbianPersia\\SerbianPersia.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\i4i.exe = "C:\\Users\\Admin\\AppData\\Roaming\\i4i.exe:*:Enabled:Windows Messanger"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

11ea1cac1b6a156f34248849aa7907cb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	11ea1cac1b6a156f34248849aa7907cb.exe

Executes dropped EXE 2 IoCs

Processes:

SerbianPersia.exeSerbianPersia.exe

pid process

3332 SerbianPersia.exe
4460 SerbianPersia.exe

pid	process
3332	SerbianPersia.exe
4460	SerbianPersia.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2148-0-0x0000000000400000-0x00000000005AF000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe	upx
behavioral2/memory/3332-19-0x0000000000400000-0x00000000005AF000-memory.dmp	upx
behavioral2/memory/2148-21-0x0000000000400000-0x00000000005AF000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe	upx
C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe	upx
behavioral2/memory/3332-27-0x0000000000400000-0x00000000005AF000-memory.dmp	upx
behavioral2/memory/4460-29-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4460-26-0x0000000000400000-0x000000000045D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe	upx
behavioral2/memory/4460-23-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4460-35-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4460-37-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4460-36-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4460-39-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4460-40-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4460-41-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4460-43-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4460-44-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4460-45-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4460-47-0x0000000000400000-0x000000000045D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SerbianPersian = "C:\\Users\\Admin\\AppData\\Roaming\\SerbianPersia\\SerbianPersia.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SerbianPersia.exe

description pid process target process

PID 3332 set thread context of 4460 3332 SerbianPersia.exe SerbianPersia.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

1616 reg.exe
3532 reg.exe
2988 reg.exe
1432 reg.exe

description	pid	process	target process
PID 3332 set thread context of 4460	3332	SerbianPersia.exe	SerbianPersia.exe

pid	process
1616	reg.exe
3532	reg.exe
2988	reg.exe
1432	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

SerbianPersia.exe

description	pid	process
Token: 1	4460	SerbianPersia.exe
Token: SeCreateTokenPrivilege	4460	SerbianPersia.exe
Token: SeAssignPrimaryTokenPrivilege	4460	SerbianPersia.exe
Token: SeLockMemoryPrivilege	4460	SerbianPersia.exe
Token: SeIncreaseQuotaPrivilege	4460	SerbianPersia.exe
Token: SeMachineAccountPrivilege	4460	SerbianPersia.exe
Token: SeTcbPrivilege	4460	SerbianPersia.exe
Token: SeSecurityPrivilege	4460	SerbianPersia.exe
Token: SeTakeOwnershipPrivilege	4460	SerbianPersia.exe
Token: SeLoadDriverPrivilege	4460	SerbianPersia.exe
Token: SeSystemProfilePrivilege	4460	SerbianPersia.exe
Token: SeSystemtimePrivilege	4460	SerbianPersia.exe
Token: SeProfSingleProcessPrivilege	4460	SerbianPersia.exe
Token: SeIncBasePriorityPrivilege	4460	SerbianPersia.exe
Token: SeCreatePagefilePrivilege	4460	SerbianPersia.exe
Token: SeCreatePermanentPrivilege	4460	SerbianPersia.exe
Token: SeBackupPrivilege	4460	SerbianPersia.exe
Token: SeRestorePrivilege	4460	SerbianPersia.exe
Token: SeShutdownPrivilege	4460	SerbianPersia.exe
Token: SeDebugPrivilege	4460	SerbianPersia.exe
Token: SeAuditPrivilege	4460	SerbianPersia.exe
Token: SeSystemEnvironmentPrivilege	4460	SerbianPersia.exe
Token: SeChangeNotifyPrivilege	4460	SerbianPersia.exe
Token: SeRemoteShutdownPrivilege	4460	SerbianPersia.exe
Token: SeUndockPrivilege	4460	SerbianPersia.exe
Token: SeSyncAgentPrivilege	4460	SerbianPersia.exe
Token: SeEnableDelegationPrivilege	4460	SerbianPersia.exe
Token: SeManageVolumePrivilege	4460	SerbianPersia.exe
Token: SeImpersonatePrivilege	4460	SerbianPersia.exe
Token: SeCreateGlobalPrivilege	4460	SerbianPersia.exe
Token: 31	4460	SerbianPersia.exe
Token: 32	4460	SerbianPersia.exe
Token: 33	4460	SerbianPersia.exe
Token: 34	4460	SerbianPersia.exe
Token: 35	4460	SerbianPersia.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

11ea1cac1b6a156f34248849aa7907cb.exeSerbianPersia.exeSerbianPersia.exe

pid process

2148 11ea1cac1b6a156f34248849aa7907cb.exe
3332 SerbianPersia.exe
4460 SerbianPersia.exe
4460 SerbianPersia.exe
4460 SerbianPersia.exe

pid	process
2148	11ea1cac1b6a156f34248849aa7907cb.exe
3332	SerbianPersia.exe
4460	SerbianPersia.exe
4460	SerbianPersia.exe
4460	SerbianPersia.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

11ea1cac1b6a156f34248849aa7907cb.execmd.exeSerbianPersia.exeSerbianPersia.exebackgroundTaskHost.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2148 wrote to memory of 2636	2148	11ea1cac1b6a156f34248849aa7907cb.exe	cmd.exe
PID 2148 wrote to memory of 2636	2148	11ea1cac1b6a156f34248849aa7907cb.exe	cmd.exe
PID 2148 wrote to memory of 2636	2148	11ea1cac1b6a156f34248849aa7907cb.exe	cmd.exe
PID 2636 wrote to memory of 4244	2636	cmd.exe	reg.exe
PID 2636 wrote to memory of 4244	2636	cmd.exe	reg.exe
PID 2636 wrote to memory of 4244	2636	cmd.exe	reg.exe
PID 2148 wrote to memory of 3332	2148	11ea1cac1b6a156f34248849aa7907cb.exe	SerbianPersia.exe
PID 2148 wrote to memory of 3332	2148	11ea1cac1b6a156f34248849aa7907cb.exe	SerbianPersia.exe
PID 2148 wrote to memory of 3332	2148	11ea1cac1b6a156f34248849aa7907cb.exe	SerbianPersia.exe
PID 3332 wrote to memory of 4460	3332	SerbianPersia.exe	SerbianPersia.exe
PID 3332 wrote to memory of 4460	3332	SerbianPersia.exe	SerbianPersia.exe
PID 3332 wrote to memory of 4460	3332	SerbianPersia.exe	SerbianPersia.exe
PID 3332 wrote to memory of 4460	3332	SerbianPersia.exe	SerbianPersia.exe
PID 3332 wrote to memory of 4460	3332	SerbianPersia.exe	SerbianPersia.exe
PID 3332 wrote to memory of 4460	3332	SerbianPersia.exe	SerbianPersia.exe
PID 3332 wrote to memory of 4460	3332	SerbianPersia.exe	SerbianPersia.exe
PID 3332 wrote to memory of 4460	3332	SerbianPersia.exe	SerbianPersia.exe
PID 4460 wrote to memory of 3476	4460	SerbianPersia.exe	cmd.exe
PID 4460 wrote to memory of 3476	4460	SerbianPersia.exe	cmd.exe
PID 4460 wrote to memory of 3476	4460	SerbianPersia.exe	cmd.exe
PID 4460 wrote to memory of 3844	4460	SerbianPersia.exe	backgroundTaskHost.exe
PID 4460 wrote to memory of 3844	4460	SerbianPersia.exe	backgroundTaskHost.exe
PID 4460 wrote to memory of 3844	4460	SerbianPersia.exe	backgroundTaskHost.exe
PID 4460 wrote to memory of 1180	4460	SerbianPersia.exe	cmd.exe
PID 4460 wrote to memory of 1180	4460	SerbianPersia.exe	cmd.exe
PID 4460 wrote to memory of 1180	4460	SerbianPersia.exe	cmd.exe
PID 4460 wrote to memory of 2088	4460	SerbianPersia.exe	cmd.exe
PID 4460 wrote to memory of 2088	4460	SerbianPersia.exe	cmd.exe
PID 4460 wrote to memory of 2088	4460	SerbianPersia.exe	cmd.exe
PID 3844 wrote to memory of 1432	3844	backgroundTaskHost.exe	reg.exe
PID 3844 wrote to memory of 1432	3844	backgroundTaskHost.exe	reg.exe
PID 3844 wrote to memory of 1432	3844	backgroundTaskHost.exe	reg.exe
PID 3476 wrote to memory of 2988	3476	cmd.exe	reg.exe
PID 3476 wrote to memory of 2988	3476	cmd.exe	reg.exe
PID 3476 wrote to memory of 2988	3476	cmd.exe	reg.exe
PID 1180 wrote to memory of 1616	1180	cmd.exe	reg.exe
PID 1180 wrote to memory of 1616	1180	cmd.exe	reg.exe
PID 1180 wrote to memory of 1616	1180	cmd.exe	reg.exe
PID 2088 wrote to memory of 3532	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 3532	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 3532	2088	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\11ea1cac1b6a156f34248849aa7907cb.exe
"C:\Users\Admin\AppData\Local\Temp\11ea1cac1b6a156f34248849aa7907cb.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240610109.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SerbianPersian" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe" /f
3⤵
- Adds Run key to start application
PID:4244

C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe
"C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3332

C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe
"C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\i4i.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\i4i.exe:*:Enabled:Windows Messanger" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe:*:Enabled:Windows Messanger" /f
4⤵
PID:3844

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:3476

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
1⤵
- Modifies firewall policy service
- Modifies registry key
PID:1616

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\i4i.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\i4i.exe:*:Enabled:Windows Messanger" /f
1⤵
- Modifies firewall policy service
- Modifies registry key
PID:3532

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
1⤵
- Modifies firewall policy service
- Modifies registry key
PID:2988

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe:*:Enabled:Windows Messanger" /f
1⤵
- Modifies firewall policy service
- Modifies registry key
PID:1432

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Suspicious use of WriteProcessMemory
PID:3844

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240610109.bat
Filesize
161B

MD5
fd6ff0018e5f38a1f58149ab5042d0bf

SHA1
ead83b25ace051ba0215997f54e1a5b72b33e112

SHA256
da8ef51f8e28c04cefe22ec5e08569de5cd64a984d35b4cd9b9cfab0218bf6ce

SHA512
21b2500fac940978b1d606f321dc120c33b910822b96b4a5a1c0ebd8584e207a39961d1bb7ad833112a5832d56c1a2acd0491b3b62bde8c3648296886353a256

Download Submit
C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe
Filesize
409KB

MD5
2a4e9d3622dead5fcef8b7f62f9d0b9d

SHA1
d1dab3656b653fe4739e311ccd0e933adae57219

SHA256
6bea1203f75782e4a418ccc5ac777df4d82669b0618daa82eaba29c2c9253f3c

SHA512
579700c5c3e68677cd3e98966ab67e79d123c88f7e06f17066af4b8a353ecfce5f905572d9386034b89aa7d286ac67263f785c63dea536f471640172d1a249b5

Download Submit
C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe
Filesize
443KB

MD5
ba2b26b32fcc80513605556354a63bad

SHA1
5685f336ce3e191ae14d7c18adabbfebf6c83b5f

SHA256
6ebea53330d45d32b65b4befe8a87be91f9a868022f1edd14d41133b4463a7b1

SHA512
ca36e544d6845d679da0aa0019e38cb4028764368ee9a5fc3616dc65ccd965b31633eb62addd89957e2844cf77595574c78608e846625d9776e5f76b81cc0c2a

Download Submit
C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe
Filesize
373KB

MD5
41cdc1b66b381057df22492a97fc5b47

SHA1
2bf913e601193a6616d425a142c18c982504d649

SHA256
4e288cd3c1e318fcd8bc3a6b68bd59c19c0236a89c4a98e0b9c89f14f4b45717

SHA512
5b21b3a6841b09473621a0d1b981f9a778ca947cd0da48f7ceb831ae53f7b95c8250d930c26e3ff09f294a72294822296f7f6a08d8222764c49c1216689dfc2a

Download Submit
C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe
Filesize
205KB

MD5
1c6d450c14f15915246129b1c2d636d3

SHA1
873e61f2636f371f4fe6c3f0e62b96b542ffc460

SHA256
8c7bfaa889b1b6db9c738d97568c72e5c4b676369021421389706fe26c661f60

SHA512
7e97856156c9679266ed76ff09651ec57272466de2ae2d92aa9efe9087226b4f83deb610bcf486d0a8017b7192f806ca70a0eb762825de6492d516f38c4c1604

Download Submit
memory/2148-0-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/2148-21-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/3332-19-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/3332-27-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/4460-37-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4460-26-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4460-23-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4460-35-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4460-29-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4460-36-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4460-39-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4460-40-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4460-41-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4460-43-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4460-44-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4460-45-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4460-47-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads