download:

/Da2dalus/The-MALWARE-Repo/raw/refs/heads/master/Ransomware/Dharma.exe

Full analysis: https://app.any.run/tasks/90892e47-fc6d-4c94-920a-3b9707572341
Verdict: Malicious activity
Threats:

Dharma is advanced ransomware that has been observed in the wild since 2016. It is considered to be the second most profitable RaaS operation by the FBI. The malware targets hospitals and state organizations, encrypts files, and demands a payment to restore access to lost information.

Malware Trends Tracker     >>>
Analysis date: May 24, 2025, 13:35:25
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
ransomware
dharma
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

928E37519022745490D1AF1CE6F336F7

SHA1:

B7840242393013F2C4C136AC7407E332BE075702

SHA256:

6FB303DD8BA36381948127D44BD8541E4A1AB8AF07B46526ACE08458F2498850

SSDEEP:

196608:JZnMy97vfgla5NX7YaP6uIEJsp+jb4agYSUpHm6g90MrYmhZZoG0tLzr1+W:LnMy9rfma5NrYaVzC0b4vpZZoG0tR+W

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • SearchHost.exe (PID: 6048)

    • Starts NET.EXE to view/change users localgroup

      • cmd.exe (PID: 6372)
      • net.exe (PID: 1088)
      • net.exe (PID: 5376)

    • Starts NET.EXE to view/add/change user profiles

      • cmd.exe (PID: 6372)
      • net.exe (PID: 3304)

    • Starts NET.EXE to view/change login properties

      • cmd.exe (PID: 6372)
      • net.exe (PID: 5548)

    • Starts NET.EXE for service management

      • cmd.exe (PID: 6372)
      • net.exe (PID: 5728)

    • Dharma/Crysis is detected

      • Dharma.exe (PID: 4692)

  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • Dharma.exe (PID: 4692)

    • Drops a system driver (possible attempt to evade defenses)

      • mssql.exe (PID: 1116)

    • Executing commands from a ".bat" file

      • Dharma.exe (PID: 4692)

    • Executable content was dropped or overwritten

      • mssql.exe (PID: 1116)
      • Dharma.exe (PID: 4692)

    • Creates or modifies Windows services

      • mssql.exe (PID: 1116)

    • Starts CMD.EXE for commands execution

      • Dharma.exe (PID: 4692)
      • cmd.exe (PID: 6372)

    • Application launched itself

      • cmd.exe (PID: 6372)

    • Reads security settings of Internet Explorer

      • SearchHost.exe (PID: 6048)
      • Dharma.exe (PID: 4692)

    • Uses WMIC.EXE to obtain group account data

      • cmd.exe (PID: 1072)
      • cmd.exe (PID: 1072)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6372)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 6372)

    • Sets the service to start on system boot

      • sc.exe (PID: 5324)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 6372)

    • Uses pipe srvsvc via SMB (transferring data)

      • nc123.exe (PID: 1672)

  • INFO

    • Reads the computer name

      • Dharma.exe (PID: 4692)
      • mssql2.exe (PID: 6540)
      • SearchHost.exe (PID: 6048)
      • mssql.exe (PID: 1116)
      • nc123.exe (PID: 1672)

    • Checks supported languages

      • nc123.exe (PID: 1672)
      • mssql.exe (PID: 1116)
      • SearchHost.exe (PID: 6048)
      • mssql2.exe (PID: 6540)
      • Dharma.exe (PID: 4692)

    • Process checks computer location settings

      • Dharma.exe (PID: 4692)
      • SearchHost.exe (PID: 6048)

    • The sample compiled with english language support

      • mssql.exe (PID: 1116)
      • Dharma.exe (PID: 4692)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 5864)
      • WMIC.exe (PID: 2236)

    • Reads Environment values

      • mssql.exe (PID: 1116)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:06:25 10:38:29+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 155648
InitializedDataSize: 112640
UninitializedDataSize: -
EntryPoint: 0x13c60
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
165
Monitored processes
34
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start #DHARMA dharma.exe nc123.exe no specs conhost.exe no specs mssql.exe mssql2.exe no specs mssql2.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs searchhost.exe no specs cmd.exe no specs wmic.exe no specs find.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs wmic.exe no specs find.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs attrib.exe no specs netsh.exe no specs sc.exe no specs net.exe no specs net1.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
664C:\WINDOWS\system32\net1 start TelnetC:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
1072C:\WINDOWS\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="C:\Windows\SysWOW64\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1072C:\WINDOWS\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value | Find "="C:\Windows\SysWOW64\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1072reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /fC:\Windows\SysWOW64\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1088net localgroup Administrators systembackup /addC:\Windows\SysWOW64\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1116"C:\Users\admin\Downloads\ac\mssql.exe" C:\Users\admin\Downloads\ac\mssql.exe
Dharma.exe
User:
admin
Company:
一普明为(北京)信息技术有限公司
Integrity Level:
HIGH
Description:
Epoolsoft Windows Information View Tools
Exit code:
20
Version:
1.0.0.5
Modules
Images
c:\users\admin\downloads\ac\mssql.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
1280\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1532C:\WINDOWS\system32\net1 accounts /forcelogoff:no /maxpwage:unlimitedC:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
1672"C:\Users\admin\Downloads\ac\nc123.exe" C:\Users\admin\Downloads\ac\nc123.exeDharma.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225786
Modules
Images
c:\users\admin\downloads\ac\nc123.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
2236WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value C:\Windows\SysWOW64\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
2 221
Read events
2 000
Write events
129
Delete events
92

Modification events

(PID) Process:(4692) Dharma.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR SFX
Operation:writeName:ac
Value:
ac
(PID) Process:(1116) mssql.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mssqlaq
Operation:writeName:Type
Value:
1
(PID) Process:(1116) mssql.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mssqlaq
Operation:writeName:ErrorControl
Value:
1
(PID) Process:(1116) mssql.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mssqlaq
Operation:writeName:Start
Value:
1
(PID) Process:(1116) mssql.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mssqlaq
Operation:writeName:ImagePath
Value:
\??\C:\Users\admin\Downloads\ac\mssqlaq.sys
(PID) Process:(1116) mssql.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mssqlaq
Operation:delete keyName:(default)
Value:
(PID) Process:(1116) mssql.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jfaeyaynohmyjxpd
Operation:writeName:Type
Value:
1
(PID) Process:(1116) mssql.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jfaeyaynohmyjxpd
Operation:writeName:ErrorControl
Value:
1
(PID) Process:(1116) mssql.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jfaeyaynohmyjxpd
Operation:writeName:Start
Value:
1
(PID) Process:(1116) mssql.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jfaeyaynohmyjxpd
Operation:writeName:ImagePath
Value:
\??\C:\Users\admin\Downloads\ac\jfaeyaynohmyjxpd.sys
Executable files
31
Suspicious files
0
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
4692Dharma.exeC:\Users\admin\Downloads\ac\mssql.exeexecutable
MD5:F6A3D38AA0AE08C3294D6ED26266693F
SHA256:C522E0B5332CAC67CDE8FC84080DB3B8F2E0FE85F178D788E38B35BBE4D464AD
4692Dharma.exeC:\Users\admin\Downloads\ac\Shadow.battext
MD5:DF8394082A4E5B362BDCB17390F6676D
SHA256:DA3F155CFB98CE0ADD29A31162D23DA7596DA44BA2391389517FE1A2790DA878
4692Dharma.exeC:\Users\admin\Downloads\ac\unlocker.exeexecutable
MD5:5840AA36B70B7C03C25E5E1266C5835B
SHA256:09D7FCBF95E66B242FF5D7BC76E4D2C912462C8C344CB2B90070A38D27AAEF53
4692Dharma.exeC:\Users\admin\Downloads\ac\mssql2.exeexecutable
MD5:F7D94750703F0C1DDD1EDD36F6D0371D
SHA256:659E441CADD42399FC286B92BBC456FF2E9ECB24984C0586ACF83D73C772B45D
4692Dharma.exeC:\Users\admin\Downloads\ac\EVER\SearchHost.exeexecutable
MD5:8ADD121FA398EBF83E8B5DB8F17B45E0
SHA256:35C4A6C1474EB870EEC901CEF823CC4931919A4E963C432CE9EFBB30C2D8A413
4692Dharma.exeC:\Users\admin\Downloads\ac\nc123.exeexecutable
MD5:597DE376B1F80C06D501415DD973DCEC
SHA256:F47E3555461472F23AB4766E4D5B6F6FD260E335A6ABC31B860E569A720A5446
4692Dharma.exeC:\Users\admin\Downloads\ac\EVER\Everything.initext
MD5:5531BBB8BE242DFC9950F2C2C8AA0058
SHA256:4F03AB645FE48BF3783EB58568E89B3B3401956DD17CB8049444058DAB0634D7
1116mssql.exeC:\Users\admin\Downloads\ac\lbyceyemeoscykb.sysexecutable
MD5:B2233D1EFB0B7A897EA477A66CD08227
SHA256:5FD17E3B8827B5BB515343BC4066BE0814F6466FB4294501BECAC284A378C0DA
1116mssql.exeC:\Users\admin\Downloads\ac\yrilhdmgodwkxpsco.sysexecutable
MD5:B2233D1EFB0B7A897EA477A66CD08227
SHA256:5FD17E3B8827B5BB515343BC4066BE0814F6466FB4294501BECAC284A378C0DA
1116mssql.exeC:\Users\admin\Downloads\ac\sxywuiwuoriggrdh.sysexecutable
MD5:B2233D1EFB0B7A897EA477A66CD08227
SHA256:5FD17E3B8827B5BB515343BC4066BE0814F6466FB4294501BECAC284A378C0DA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
30
DNS requests
13
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4068
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4068
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
2.16.168.114:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
5496
MoUsoCoreWorker.exe
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
4
System
192.168.100.255:138
whitelisted
40.126.32.138:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.2:445
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
whitelisted
www.microsoft.com
  • 23.219.150.101
  • 23.35.229.160
whitelisted
google.com
  • 142.250.185.142
whitelisted
login.live.com
  • 40.126.32.138
  • 20.190.160.65
  • 40.126.32.68
  • 40.126.32.140
  • 40.126.32.72
  • 20.190.160.3
  • 20.190.160.14
  • 20.190.160.131
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
/Da2dalus/The-MALWARE-Repo/raw/refs/heads/master/Ransomware/Dharma.exe