99429e0d24148741ba7b04a8acceb7177ee27a1c3ff6c2dd7f324a937094e270

General

Target

sphinx_1.0.1.3.vir.exe
Size

1.5MB
MD5

b7e49c14c005991da635005f6022167d
SHA1

6e169aa8cb0ee6535fcb552706767554d785bcb9
SHA256

99429e0d24148741ba7b04a8acceb7177ee27a1c3ff6c2dd7f324a937094e270
SHA512

d786fa1f35262ad880b86c138419e3882c58a21efcb90376dc92fe85abce3fbfda3850792b4e55207fcb1c0ee9e8963be31d9e1fc3d66f7fc36bee95a3eae2dd

Score

8^/10

upx persistence

Malware Config

Signatures

Suspicious use of SetThreadContext 4 IoCs

Processes:

sphinx_1.0.1.3.vir.exesphinx_1.0.1.3.vir.exeypba.exe

description	pid	process	target process
PID 344 set thread context of 3864	344	sphinx_1.0.1.3.vir.exe	sphinx_1.0.1.3.vir.exe
PID 3864 set thread context of 3820	3864	sphinx_1.0.1.3.vir.exe	explorer.exe
PID 3864 set thread context of 2892	3864	sphinx_1.0.1.3.vir.exe	explorer.exe
PID 2880 set thread context of 3612	2880	ypba.exe	ypba.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sphinx_1.0.1.3.vir.exeexplorer.exeypba.exeexplorer.exe

pid	process
3864	sphinx_1.0.1.3.vir.exe
3864	sphinx_1.0.1.3.vir.exe
3864	sphinx_1.0.1.3.vir.exe
3864	sphinx_1.0.1.3.vir.exe
3864	sphinx_1.0.1.3.vir.exe
3864	sphinx_1.0.1.3.vir.exe
3820	explorer.exe
3820	explorer.exe
3820	explorer.exe
3820	explorer.exe
3612	ypba.exe
3612	ypba.exe
3820	explorer.exe
3820	explorer.exe
3820	explorer.exe
3820	explorer.exe
3820	explorer.exe
3820	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe
3612	ypba.exe

Executes dropped EXE 2 IoCs

Processes:

ypba.exeypba.exe

pid process

2880 ypba.exe
3612 ypba.exe

pid	process
2880	ypba.exe
3612	ypba.exe

NSIS installer 3 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Ikxyek\ypba.exe	nsis_installer
C:\Users\Admin\AppData\Roaming\Ikxyek\ypba.exe	nsis_installer
C:\Users\Admin\AppData\Roaming\Ikxyek\ypba.exe	nsis_installer

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ypba.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\Currentversion\Run	ypba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\{B8FB0641-A8C5-4577-E5EA-F9EEB5D33AF9} = "C:\\Users\\Admin\\AppData\\Roaming\\Ikxyek\\ypba.exe"	ypba.exe

Loads dropped DLL 6 IoCs

Processes:

sphinx_1.0.1.3.vir.exeypba.exe

pid process

344 sphinx_1.0.1.3.vir.exe
344 sphinx_1.0.1.3.vir.exe
344 sphinx_1.0.1.3.vir.exe
2880 ypba.exe
2880 ypba.exe
2880 ypba.exe

pid	process
344	sphinx_1.0.1.3.vir.exe
344	sphinx_1.0.1.3.vir.exe
344	sphinx_1.0.1.3.vir.exe
2880	ypba.exe
2880	ypba.exe
2880	ypba.exe

Suspicious use of WriteProcessMemory 114 IoCs

Processes:

sphinx_1.0.1.3.vir.exesphinx_1.0.1.3.vir.exeypba.exeypba.exe

description	pid	process	target process
PID 344 wrote to memory of 3864	344	sphinx_1.0.1.3.vir.exe	sphinx_1.0.1.3.vir.exe
PID 344 wrote to memory of 3864	344	sphinx_1.0.1.3.vir.exe	sphinx_1.0.1.3.vir.exe
PID 344 wrote to memory of 3864	344	sphinx_1.0.1.3.vir.exe	sphinx_1.0.1.3.vir.exe
PID 344 wrote to memory of 3864	344	sphinx_1.0.1.3.vir.exe	sphinx_1.0.1.3.vir.exe
PID 344 wrote to memory of 3864	344	sphinx_1.0.1.3.vir.exe	sphinx_1.0.1.3.vir.exe
PID 344 wrote to memory of 3864	344	sphinx_1.0.1.3.vir.exe	sphinx_1.0.1.3.vir.exe
PID 344 wrote to memory of 3864	344	sphinx_1.0.1.3.vir.exe	sphinx_1.0.1.3.vir.exe
PID 344 wrote to memory of 3864	344	sphinx_1.0.1.3.vir.exe	sphinx_1.0.1.3.vir.exe
PID 3864 wrote to memory of 3820	3864	sphinx_1.0.1.3.vir.exe	explorer.exe
PID 3864 wrote to memory of 3820	3864	sphinx_1.0.1.3.vir.exe	explorer.exe
PID 3864 wrote to memory of 3820	3864	sphinx_1.0.1.3.vir.exe	explorer.exe
PID 3864 wrote to memory of 3820	3864	sphinx_1.0.1.3.vir.exe	explorer.exe
PID 3864 wrote to memory of 3820	3864	sphinx_1.0.1.3.vir.exe	explorer.exe
PID 3864 wrote to memory of 3820	3864	sphinx_1.0.1.3.vir.exe	explorer.exe
PID 3864 wrote to memory of 3820	3864	sphinx_1.0.1.3.vir.exe	explorer.exe
PID 3864 wrote to memory of 3820	3864	sphinx_1.0.1.3.vir.exe	explorer.exe
PID 3864 wrote to memory of 2892	3864	sphinx_1.0.1.3.vir.exe	explorer.exe
PID 3864 wrote to memory of 2892	3864	sphinx_1.0.1.3.vir.exe	explorer.exe
PID 3864 wrote to memory of 2892	3864	sphinx_1.0.1.3.vir.exe	explorer.exe
PID 3864 wrote to memory of 2892	3864	sphinx_1.0.1.3.vir.exe	explorer.exe
PID 3864 wrote to memory of 2892	3864	sphinx_1.0.1.3.vir.exe	explorer.exe
PID 3864 wrote to memory of 2892	3864	sphinx_1.0.1.3.vir.exe	explorer.exe
PID 3864 wrote to memory of 2892	3864	sphinx_1.0.1.3.vir.exe	explorer.exe
PID 3864 wrote to memory of 2892	3864	sphinx_1.0.1.3.vir.exe	explorer.exe
PID 3864 wrote to memory of 2892	3864	sphinx_1.0.1.3.vir.exe	explorer.exe
PID 3864 wrote to memory of 2892	3864	sphinx_1.0.1.3.vir.exe	explorer.exe
PID 3864 wrote to memory of 2892	3864	sphinx_1.0.1.3.vir.exe	explorer.exe
PID 3864 wrote to memory of 2892	3864	sphinx_1.0.1.3.vir.exe	explorer.exe
PID 3864 wrote to memory of 2892	3864	sphinx_1.0.1.3.vir.exe	explorer.exe
PID 3864 wrote to memory of 2892	3864	sphinx_1.0.1.3.vir.exe	explorer.exe
PID 3864 wrote to memory of 2892	3864	sphinx_1.0.1.3.vir.exe	explorer.exe
PID 3864 wrote to memory of 2892	3864	sphinx_1.0.1.3.vir.exe	explorer.exe
PID 3864 wrote to memory of 2892	3864	sphinx_1.0.1.3.vir.exe	explorer.exe
PID 3864 wrote to memory of 2892	3864	sphinx_1.0.1.3.vir.exe	explorer.exe
PID 3864 wrote to memory of 2892	3864	sphinx_1.0.1.3.vir.exe	explorer.exe
PID 3864 wrote to memory of 2880	3864	sphinx_1.0.1.3.vir.exe	ypba.exe
PID 3864 wrote to memory of 2880	3864	sphinx_1.0.1.3.vir.exe	ypba.exe
PID 3864 wrote to memory of 2880	3864	sphinx_1.0.1.3.vir.exe	ypba.exe
PID 2880 wrote to memory of 3612	2880	ypba.exe	ypba.exe
PID 2880 wrote to memory of 3612	2880	ypba.exe	ypba.exe
PID 2880 wrote to memory of 3612	2880	ypba.exe	ypba.exe
PID 2880 wrote to memory of 3612	2880	ypba.exe	ypba.exe
PID 2880 wrote to memory of 3612	2880	ypba.exe	ypba.exe
PID 2880 wrote to memory of 3612	2880	ypba.exe	ypba.exe
PID 2880 wrote to memory of 3612	2880	ypba.exe	ypba.exe
PID 2880 wrote to memory of 3612	2880	ypba.exe	ypba.exe
PID 3864 wrote to memory of 4000	3864	sphinx_1.0.1.3.vir.exe	cmd.exe
PID 3864 wrote to memory of 4000	3864	sphinx_1.0.1.3.vir.exe	cmd.exe
PID 3864 wrote to memory of 4000	3864	sphinx_1.0.1.3.vir.exe	cmd.exe
PID 3612 wrote to memory of 2700	3612	ypba.exe	sihost.exe
PID 3612 wrote to memory of 2700	3612	ypba.exe	sihost.exe
PID 3612 wrote to memory of 2700	3612	ypba.exe	sihost.exe
PID 3612 wrote to memory of 2700	3612	ypba.exe	sihost.exe
PID 3612 wrote to memory of 2700	3612	ypba.exe	sihost.exe
PID 3612 wrote to memory of 2712	3612	ypba.exe	svchost.exe
PID 3612 wrote to memory of 2712	3612	ypba.exe	svchost.exe
PID 3612 wrote to memory of 2712	3612	ypba.exe	svchost.exe
PID 3612 wrote to memory of 2712	3612	ypba.exe	svchost.exe
PID 3612 wrote to memory of 2712	3612	ypba.exe	svchost.exe
PID 3612 wrote to memory of 2804	3612	ypba.exe	taskhostw.exe
PID 3612 wrote to memory of 2804	3612	ypba.exe	taskhostw.exe
PID 3612 wrote to memory of 2804	3612	ypba.exe	taskhostw.exe
PID 3612 wrote to memory of 2804	3612	ypba.exe	taskhostw.exe
PID 3612 wrote to memory of 2804	3612	ypba.exe	taskhostw.exe

Suspicious use of AdjustPrivilegeToken 322 IoCs

Processes:

sphinx_1.0.1.3.vir.exe

description	pid	process
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeDebugPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeDebugPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeDebugPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeDebugPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeDebugPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeDebugPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeDebugPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe
Token: SeSecurityPrivilege	3864	sphinx_1.0.1.3.vir.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3820-6-0x0000000000400000-0x00000000007A5000-memory.dmp	upx
behavioral2/memory/3820-10-0x0000000000400000-0x00000000007A5000-memory.dmp	upx
behavioral2/memory/3820-12-0x0000000000400000-0x00000000007A5000-memory.dmp	upx

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Privacy	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	explorer.exe

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2700

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2712

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2804

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3008

C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.1.3.vir.exe
"C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.1.3.vir.exe"
2⤵
- Suspicious use of SetThreadContext
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:344

C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.1.3.vir.exe
C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.1.3.vir.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:3864

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Modifies Internet Explorer settings
PID:3820

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:3508

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe" socksParentProxy=localhost:9050
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:3616

C:\Users\Admin\AppData\Roaming\Ikxyek\ypba.exe
"C:\Users\Admin\AppData\Roaming\Ikxyek\ypba.exe"
4⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880

C:\Users\Admin\AppData\Roaming\Ikxyek\ypba.exe
C:\Users\Admin\AppData\Roaming\Ikxyek\ypba.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp926902c6.bat"
4⤵
PID:4000

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3156

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3164

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3372

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3672

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
1⤵
PID:4040

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
PID:2192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp926902c6.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Dhaka

Download Submit
C:\Users\Admin\AppData\Roaming\Ikxyek\ypba.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Ikxyek\ypba.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Ikxyek\ypba.exe

Download Submit
C:\Users\Admin\AppData\Roaming\LorikeetPhonograph

Download Submit
C:\Users\Admin\AppData\Roaming\System.dll

Download Submit
C:\Users\Admin\AppData\Roaming\coagulants.dll

Download Submit
C:\debug.txt

Download Submit
C:\debug.txt

Download Submit
C:\debug.txt

Download Submit
C:\debug.txt

Download Submit
C:\debug.txt

Download Submit
C:\debug.txt

Download Submit
C:\debug.txt

Download Submit
\Users\Admin\AppData\Roaming\System.dll

Download Submit
\Users\Admin\AppData\Roaming\System.dll

Download Submit
\Users\Admin\AppData\Roaming\coagulants.dll

Download Submit
\Users\Admin\AppData\Roaming\coagulants.dll

Download Submit
\Users\Admin\AppData\Roaming\coagulants.dll

Download Submit
\Users\Admin\AppData\Roaming\coagulants.dll

Download Submit
memory/2880-375-0x0000000000000000-mapping.dmp

Download
memory/2892-395-0x0000000000401130-mapping.dmp

Download
memory/2892-8-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2892-9-0x0000000000401130-mapping.dmp

Download
memory/2892-11-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3612-386-0x000000000041E945-mapping.dmp

Download
memory/3820-10-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/3820-14-0x0000000006550000-0x0000000006551000-memory.dmp

Filesize
4KB

Download
memory/3820-7-0x00000000007A34B0-mapping.dmp

Download
memory/3820-196-0x0000000005D50000-0x0000000005D51000-memory.dmp

Filesize
4KB

Download
memory/3820-6-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/3820-194-0x0000000005D50000-0x0000000005D51000-memory.dmp

Filesize
4KB

Download
memory/3820-391-0x00000000007A34B0-mapping.dmp

Download
memory/3820-13-0x0000000005D50000-0x0000000005D51000-memory.dmp

Filesize
4KB

Download
memory/3820-195-0x0000000006550000-0x0000000006551000-memory.dmp

Filesize
4KB

Download
memory/3820-15-0x0000000005D50000-0x0000000005D51000-memory.dmp

Filesize
4KB

Download
memory/3820-12-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/3864-4-0x000000000041E945-mapping.dmp

Download
memory/3864-3-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/3864-5-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/4000-389-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads