14edc7e17f0f54eb4c750ef54e79b7241b77094ffe6d39f2a7e6d5583dead4b0

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-01-2024 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11ea1cac1b6a156f34248849aa7907cb.exe
Size

522KB
MD5

11ea1cac1b6a156f34248849aa7907cb
SHA1

8c11db6b05f2878e263279296e8105136baebb92
SHA256

14edc7e17f0f54eb4c750ef54e79b7241b77094ffe6d39f2a7e6d5583dead4b0
SHA512

624f2f6ceebab94d66475403d4f0ccb116ac317f586b017a8c64b80caa6fa2fcfe8a324b6b5a5a6797dc9958ae41d4ed4fefe8915058b88d1131e53a19a365e0
SSDEEP

12288:wMgDksy9lYyxFSMZQ+peBI+lkHQ4jC9FfmiqZZ4C8+db:vH3YyxFhZ8rKHXcFf5qECJb

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe = "C:\\Users\\Admin\\AppData\\Roaming\\SerbianPersia\\SerbianPersia.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\i4i.exe = "C:\\Users\\Admin\\AppData\\Roaming\\i4i.exe:*:Enabled:Windows Messanger"	reg.exe

Executes dropped EXE 2 IoCs

Processes:

SerbianPersia.exeSerbianPersia.exe

pid process

2712 SerbianPersia.exe
2668 SerbianPersia.exe

pid	process
2712	SerbianPersia.exe
2668	SerbianPersia.exe

Loads dropped DLL 5 IoCs

Processes:

11ea1cac1b6a156f34248849aa7907cb.exe

pid	process
816	11ea1cac1b6a156f34248849aa7907cb.exe
816	11ea1cac1b6a156f34248849aa7907cb.exe
816	11ea1cac1b6a156f34248849aa7907cb.exe
816	11ea1cac1b6a156f34248849aa7907cb.exe
816	11ea1cac1b6a156f34248849aa7907cb.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/816-0-0x0000000000400000-0x00000000005AF000-memory.dmp	upx
\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe	upx
C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe	upx
behavioral1/memory/816-37-0x0000000000400000-0x00000000005AF000-memory.dmp	upx
behavioral1/memory/2712-40-0x0000000000400000-0x00000000005AF000-memory.dmp	upx
behavioral1/memory/816-36-0x0000000003B80000-0x0000000003D2F000-memory.dmp	upx
\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe	upx
\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe	upx
\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe	upx
C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe	upx
\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe	upx
behavioral1/memory/2712-45-0x0000000000400000-0x00000000005AF000-memory.dmp	upx
behavioral1/memory/2668-48-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2668-49-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2668-47-0x0000000000400000-0x000000000045D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe	upx
behavioral1/memory/2668-43-0x0000000000400000-0x000000000045D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe	upx
behavioral1/memory/2668-55-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2668-56-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2668-57-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2668-60-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2668-64-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2668-65-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2668-66-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2668-68-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2668-72-0x0000000000400000-0x000000000045D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\SerbianPersian = "C:\\Users\\Admin\\AppData\\Roaming\\SerbianPersia\\SerbianPersia.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SerbianPersia.exe

description pid process target process

PID 2712 set thread context of 2668 2712 SerbianPersia.exe SerbianPersia.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

2864 reg.exe
2940 reg.exe
268 reg.exe
472 reg.exe

description	pid	process	target process
PID 2712 set thread context of 2668	2712	SerbianPersia.exe	SerbianPersia.exe

pid	process
2864	reg.exe
2940	reg.exe
268	reg.exe
472	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

SerbianPersia.exe

description	pid	process
Token: 1	2668	SerbianPersia.exe
Token: SeCreateTokenPrivilege	2668	SerbianPersia.exe
Token: SeAssignPrimaryTokenPrivilege	2668	SerbianPersia.exe
Token: SeLockMemoryPrivilege	2668	SerbianPersia.exe
Token: SeIncreaseQuotaPrivilege	2668	SerbianPersia.exe
Token: SeMachineAccountPrivilege	2668	SerbianPersia.exe
Token: SeTcbPrivilege	2668	SerbianPersia.exe
Token: SeSecurityPrivilege	2668	SerbianPersia.exe
Token: SeTakeOwnershipPrivilege	2668	SerbianPersia.exe
Token: SeLoadDriverPrivilege	2668	SerbianPersia.exe
Token: SeSystemProfilePrivilege	2668	SerbianPersia.exe
Token: SeSystemtimePrivilege	2668	SerbianPersia.exe
Token: SeProfSingleProcessPrivilege	2668	SerbianPersia.exe
Token: SeIncBasePriorityPrivilege	2668	SerbianPersia.exe
Token: SeCreatePagefilePrivilege	2668	SerbianPersia.exe
Token: SeCreatePermanentPrivilege	2668	SerbianPersia.exe
Token: SeBackupPrivilege	2668	SerbianPersia.exe
Token: SeRestorePrivilege	2668	SerbianPersia.exe
Token: SeShutdownPrivilege	2668	SerbianPersia.exe
Token: SeDebugPrivilege	2668	SerbianPersia.exe
Token: SeAuditPrivilege	2668	SerbianPersia.exe
Token: SeSystemEnvironmentPrivilege	2668	SerbianPersia.exe
Token: SeChangeNotifyPrivilege	2668	SerbianPersia.exe
Token: SeRemoteShutdownPrivilege	2668	SerbianPersia.exe
Token: SeUndockPrivilege	2668	SerbianPersia.exe
Token: SeSyncAgentPrivilege	2668	SerbianPersia.exe
Token: SeEnableDelegationPrivilege	2668	SerbianPersia.exe
Token: SeManageVolumePrivilege	2668	SerbianPersia.exe
Token: SeImpersonatePrivilege	2668	SerbianPersia.exe
Token: SeCreateGlobalPrivilege	2668	SerbianPersia.exe
Token: 31	2668	SerbianPersia.exe
Token: 32	2668	SerbianPersia.exe
Token: 33	2668	SerbianPersia.exe
Token: 34	2668	SerbianPersia.exe
Token: 35	2668	SerbianPersia.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

11ea1cac1b6a156f34248849aa7907cb.exeSerbianPersia.exeSerbianPersia.exe

pid process

816 11ea1cac1b6a156f34248849aa7907cb.exe
2712 SerbianPersia.exe
2668 SerbianPersia.exe
2668 SerbianPersia.exe
2668 SerbianPersia.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

11ea1cac1b6a156f34248849aa7907cb.execmd.exeSerbianPersia.exeSerbianPersia.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 816 wrote to memory of 2404	816	11ea1cac1b6a156f34248849aa7907cb.exe	cmd.exe
PID 816 wrote to memory of 2404	816	11ea1cac1b6a156f34248849aa7907cb.exe	cmd.exe
PID 816 wrote to memory of 2404	816	11ea1cac1b6a156f34248849aa7907cb.exe	cmd.exe
PID 816 wrote to memory of 2404	816	11ea1cac1b6a156f34248849aa7907cb.exe	cmd.exe
PID 2404 wrote to memory of 2824	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 2824	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 2824	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 2824	2404	cmd.exe	reg.exe
PID 816 wrote to memory of 2712	816	11ea1cac1b6a156f34248849aa7907cb.exe	SerbianPersia.exe
PID 816 wrote to memory of 2712	816	11ea1cac1b6a156f34248849aa7907cb.exe	SerbianPersia.exe
PID 816 wrote to memory of 2712	816	11ea1cac1b6a156f34248849aa7907cb.exe	SerbianPersia.exe
PID 816 wrote to memory of 2712	816	11ea1cac1b6a156f34248849aa7907cb.exe	SerbianPersia.exe
PID 2712 wrote to memory of 2668	2712	SerbianPersia.exe	SerbianPersia.exe
PID 2712 wrote to memory of 2668	2712	SerbianPersia.exe	SerbianPersia.exe
PID 2712 wrote to memory of 2668	2712	SerbianPersia.exe	SerbianPersia.exe
PID 2712 wrote to memory of 2668	2712	SerbianPersia.exe	SerbianPersia.exe
PID 2712 wrote to memory of 2668	2712	SerbianPersia.exe	SerbianPersia.exe
PID 2712 wrote to memory of 2668	2712	SerbianPersia.exe	SerbianPersia.exe
PID 2712 wrote to memory of 2668	2712	SerbianPersia.exe	SerbianPersia.exe
PID 2712 wrote to memory of 2668	2712	SerbianPersia.exe	SerbianPersia.exe
PID 2712 wrote to memory of 2668	2712	SerbianPersia.exe	SerbianPersia.exe
PID 2668 wrote to memory of 1716	2668	SerbianPersia.exe	cmd.exe
PID 2668 wrote to memory of 1716	2668	SerbianPersia.exe	cmd.exe
PID 2668 wrote to memory of 1716	2668	SerbianPersia.exe	cmd.exe
PID 2668 wrote to memory of 1716	2668	SerbianPersia.exe	cmd.exe
PID 2668 wrote to memory of 2160	2668	SerbianPersia.exe	cmd.exe
PID 2668 wrote to memory of 2160	2668	SerbianPersia.exe	cmd.exe
PID 2668 wrote to memory of 2160	2668	SerbianPersia.exe	cmd.exe
PID 2668 wrote to memory of 2160	2668	SerbianPersia.exe	cmd.exe
PID 2668 wrote to memory of 2456	2668	SerbianPersia.exe	cmd.exe
PID 2668 wrote to memory of 2456	2668	SerbianPersia.exe	cmd.exe
PID 2668 wrote to memory of 2456	2668	SerbianPersia.exe	cmd.exe
PID 2668 wrote to memory of 2456	2668	SerbianPersia.exe	cmd.exe
PID 2668 wrote to memory of 1252	2668	SerbianPersia.exe	cmd.exe
PID 2668 wrote to memory of 1252	2668	SerbianPersia.exe	cmd.exe
PID 2668 wrote to memory of 1252	2668	SerbianPersia.exe	cmd.exe
PID 2668 wrote to memory of 1252	2668	SerbianPersia.exe	cmd.exe
PID 1716 wrote to memory of 268	1716	cmd.exe	reg.exe
PID 1716 wrote to memory of 268	1716	cmd.exe	reg.exe
PID 1716 wrote to memory of 268	1716	cmd.exe	reg.exe
PID 1716 wrote to memory of 268	1716	cmd.exe	reg.exe
PID 2160 wrote to memory of 472	2160	cmd.exe	reg.exe
PID 2160 wrote to memory of 472	2160	cmd.exe	reg.exe
PID 2160 wrote to memory of 472	2160	cmd.exe	reg.exe
PID 2160 wrote to memory of 472	2160	cmd.exe	reg.exe
PID 2456 wrote to memory of 2940	2456	cmd.exe	reg.exe
PID 2456 wrote to memory of 2940	2456	cmd.exe	reg.exe
PID 2456 wrote to memory of 2940	2456	cmd.exe	reg.exe
PID 2456 wrote to memory of 2940	2456	cmd.exe	reg.exe
PID 1252 wrote to memory of 2864	1252	cmd.exe	reg.exe
PID 1252 wrote to memory of 2864	1252	cmd.exe	reg.exe
PID 1252 wrote to memory of 2864	1252	cmd.exe	reg.exe
PID 1252 wrote to memory of 2864	1252	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\11ea1cac1b6a156f34248849aa7907cb.exe
"C:\Users\Admin\AppData\Local\Temp\11ea1cac1b6a156f34248849aa7907cb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\259416355.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SerbianPersian" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe" /f
3⤵
- Adds Run key to start application
PID:2824

C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe
"C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2712

C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe
"C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
5⤵
- Modifies firewall policy service
- Modifies registry key
PID:268

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\i4i.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\i4i.exe:*:Enabled:Windows Messanger" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe:*:Enabled:Windows Messanger" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe:*:Enabled:Windows Messanger" /f
1⤵
- Modifies firewall policy service
- Modifies registry key
PID:472

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\i4i.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\i4i.exe:*:Enabled:Windows Messanger" /f
1⤵
- Modifies firewall policy service
- Modifies registry key
PID:2864

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
1⤵
- Modifies firewall policy service
- Modifies registry key
PID:2940

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259416355.bat
Filesize
161B

MD5
fd6ff0018e5f38a1f58149ab5042d0bf

SHA1
ead83b25ace051ba0215997f54e1a5b72b33e112

SHA256
da8ef51f8e28c04cefe22ec5e08569de5cd64a984d35b4cd9b9cfab0218bf6ce

SHA512
21b2500fac940978b1d606f321dc120c33b910822b96b4a5a1c0ebd8584e207a39961d1bb7ad833112a5832d56c1a2acd0491b3b62bde8c3648296886353a256

Download Submit
C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe
Filesize
214KB

MD5
c067bab138aa6faaad95ad396c7e8dc5

SHA1
3bebeadee9cd3d8af33525ff6e64141e8eea3a1c

SHA256
35351fee013e2b7c4901b7e8cc97a2c69e12f73e9443d8e663a39c09dce21ad6

SHA512
c35fe7b405576a3095984cc1ab88cdb46226f9e41d0f19acbe4dca7d4852464fb4173abc0316d3a1204280827171be7bc359e9eae7559410fea92633fe3dee72

Download Submit
C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe
Filesize
227KB

MD5
51ab3956b3d8d4a4c9994673ef07d883

SHA1
80fbeac84044bb0d37b737af5298b0a3a5e039fe

SHA256
01ada6b112ce899ed6f8265c6567d01044609dac4f643d249ca2a818f335570d

SHA512
7373f56070487aab73537aacacd0b569e7db97d615b0120e4f2f59153b2d26c72fb81eb346fbea69daeaa8e9aaa7933bc3dd0c2fd21da7772b202d5fed1df43f

Download Submit
C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe
Filesize
177KB

MD5
35590ce851fb64b5fb61ee694b2baa0a

SHA1
c098fefcc074fd597e53c14db4c3c3fbee17b9cf

SHA256
1b595f1354b4ac4d530f76b42411b6153251ba66add1e36ea8ce70f5e28932b1

SHA512
1ef2615ffa99ee6fe32aeb0815607114ac665ef6e6bccc4f5e7891660bc9bdc8b4e0479f78a90f7e93d9289fe047ced7577f2168c2160ba03303065ccbb78c74

Download Submit
C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe
Filesize
149KB

MD5
d5dfc57cd839b770a2edce36f51b8f9a

SHA1
45f309f6bf41086a8524c9c6ea22a4104874223b

SHA256
a9c172dca372ee8099cbe7359d047d1a60aa7cc55e195e060c326a91b51e1a66

SHA512
59025100d40beae90abda65a00d7912cbe6b80cb3c9b0915b98378dc8c8dba4f15c9e3ed77cd966530f838652358e3af0dc1759f370e925ff729cf6b90ddb561

Download Submit
\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe
Filesize
26KB

MD5
6b491e75ba03af153ddc33fa5ad32ae6

SHA1
f5628e839e5d60d1ba00debd7b5e72fe129d792b

SHA256
07c556e98898c991bdade1793d383908c74edd35465b1ead58ce1f5e7db59c24

SHA512
dd8f10bef148508725ab346b8e09884f78e7cf9fc633121d8ee045cb54702ae3a740576a7574d80d438186373d8006e5c016f02cf61c4d8e1e4e9b50e805e9a2

Download Submit
\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe
Filesize
442KB

MD5
24bb44ca62bf0aea3e2e8885757762f8

SHA1
58085ac17265d6866702f76e461928377626ba47

SHA256
361087341e953fc4aaca4808c67355937d214ca11a03953be65c4f8d41266c15

SHA512
fe1e953308e195c9efe3fcda40db969ad833d64a150af96593ba66cd60f42f02676d668f819c4bb21c36beb7a10f693dac62eb0a58016b2bd0d3ac8cc351f58a

Download Submit
\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe
Filesize
412KB

MD5
10c631dc36ee4d142fc6ad29c389bf5d

SHA1
8e91192266a2d2adaae24960fcc4dea2b16d18db

SHA256
07fad0da05b7b8411284d4d417a8dab72c334ab1cdac527c84205e6b10992a5a

SHA512
04d33ce6add80393673a776fd67c953ab147b23cc0a760fc34ed23376aed034606bcbb30fcab5bef4a06fe6ff498510e9beb2067dea29ab25541a0fab644903b

Download Submit
\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe
Filesize
321KB

MD5
de27aeb7a83d81763f1c5cbe585ef108

SHA1
8bbcde57c444d00e171918969d219da385b03980

SHA256
e94f9ca9a4296a69f75b92e6c8d61433b4fb5d39581ebce551463efa5056cf1a

SHA512
9f2f809231ebc5898e5ce532d77e69a01fab942ca94658f49e93010b0d5a9dabcf93aa7cbc63b4accb63d8d75b6b7b601038f3da0b3c7b3631290261bcddd26d

Download Submit
\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe
Filesize
329KB

MD5
fdfbbe4ad92a313bedba1c58d2b031ce

SHA1
be2a8d8390f7e2224ea8ccda57bcb5ebb4e917d5

SHA256
39d27ed61179e9b0ee91475e3841246ba4fff71750ff174490e8fc3724d00c52

SHA512
c4c9238ac9ed960a5f8aa89f666bb3d2f2ad25204ffa69d930c06fd9b0bb810f8dc8870085e4550cd377370d018a8ba338f99757ae7ed7906c1946d05f1831e6

Download Submit
memory/816-37-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/816-38-0x0000000003B80000-0x0000000003D2F000-memory.dmp

Filesize
1.7MB

Download
memory/816-0-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/816-36-0x0000000003B80000-0x0000000003D2F000-memory.dmp

Filesize
1.7MB

Download
memory/2668-48-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2668-56-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2668-47-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2668-72-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2668-43-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2668-68-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2668-55-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2668-49-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2668-57-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2668-60-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2668-64-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2668-65-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2668-66-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2712-40-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/2712-45-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download