Indicators of Compromise Updated Shadowpad Malware Leads to Ransomware Deployment

Domain Name
updata.dsqurey.com
time.dsqurey.com
dscriy.chtq.net
system.chtq.net
updata.chtq.net
network.oossafe.com
notes.oossafe.com
caba.superdasqe.me
ccs.superdasqe.me
czs.superdasqe.me
kzb.superdasqe.me

Shadowpad loaders
SHA256 Filename
8d44f2f442ca8f2fbbf75086a6f8d518c300ca93fe9957a9716076919b475865 SentinelAgentCore.dll
83c1a668ab06f55e6879593ca24eed9f78832be97ac90bb74ef5828067f2d900 SentinelAgentCore.dll
c19be7a006bd2ba8deb56dcc6127a76f9624c6f1392a1794870dbed6f1a81bd5 SentinelAgentCore.dll
c4db25ab55af2e943a297a5ecf7a62acc3ad8897ec8ba4ab3226a138da237b82 logexts.dll
28e6362ecf033b2a26c7457dcbd7ad2ab34e253fb08666d39073391a1254ea41 logexts.dll
7416f6b69b34b3a36a86e50808e1dc47f4dc665bfd6f394cef65e0ba5eaf961b logexts.dll
bc490047fe6e0b0000c6cd147d3cf483105c92cf00450bfe35ac70f276a9e5c8 logexts.dll
c5f8a256d0969e253633160b9728b6c2bc044f536e92af178a05a598aaa09c1f logexts.dll
a2bb321d41b2300e80f9400950fa2125470d5b3927933ab4d6397f0cbf81532a logexts.dll
d74b6b2129936377aaccc619bcfd4df4ffbe2f35f960a4b043b23ae78a31ec35 logexts.dll
366ea3377eaefa28b655b530710c03fb2ace67bb531b1820e916cb02023892ba logexts.dll
f8915c5be0649642dac22572355f1462972f5087471f66f6a243f2374b208eb8 logexts.dll
b38dab1ee402f731313d697d5d79372ae97fcab5704077771b5b82e705e0cd6d nView64.dll
625ed0e0ad7d3fbf2738349c767a7990c9f0d388de66104e11df3e0c4632033c nView64.dll
431a630983cd327fc70ea49b3a5497a179dbde19d8f13d2cfceef4e47613024b nView64.dll
e1d72b0cfc3342b8a6436e3047c3cc54246c346ac179e459d07620d192ba6e01 nView64.dll
fa7f2ddf91980d639a87465bd2a38eaa44d6079b11ace3b2b3dff03caed66de5 nView64.dll
b28bc39e569aa0cfe984c341830cb037c5305877ba22a940c3bdaeb43ca87878 FmApp.dll
571607c7f55c3616e4c58db15e3d55317da10294dbc10e0cd1ed24879b8fc051 CmLOC.dll
bc5b2ef81593095696433877cccb0ab75ef942258ef4795de5538df842d952f4 CmLOC.dll
fa3a3351cd55089d40a7311e4bfaf15e4247416f78383d94ad58809467429b3e syncapp.dll
2df4c7bfa608ca88d9d659358894226910850ac0d7e566c6c10ec2727361d47b codeLOC.dll
b66660dfe1ce69f706aaa412fcd3ff18554d604df59c09adc2a8117417967ce9 roboform-x64.dll

Ransomware
SHA256 Filename
7b8ea6b1e2a29190cb28fc98ef837bf4a7a0b71b84177ce9395a5113a843c4d3 sensapi.dll
de4bb30e400f081601d4091206ba6c04ac502f50e0dbac879db8c0202bff8108 sensapi.dll
5dc36e687a7fa3cfbf845e8a53173f37ac38559b6b87f9dcf609a72b3f284035 sensapi.dll
37039a761114251f4556e4fe41c3ec01b7206a483c4698ffe5a0f1617a8bc26b sensapi.dll
fcb8bf42d852526214578ab4b477b29f2412a7a931c6353db4fa6c221661edf4 sensapi.dll

Post-exploitation tool
SHA256 Comment
ceac8b67f19d596b2c2f34d682f88c717d11dd4c1144e2e7439b6bb78adb1736 CQHashDump tool