dharma | 104b4ec8a7c39ba5f87be908d86a5e4f34fce70e5ae4992f8435837c2d8fb448

Analysis

max time kernel
149s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/02/2025, 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
Size

201KB
MD5

a43619354027879e0dae80878636389f
SHA1

bc7ce81b1388890a697a7480941e1659264fa462
SHA256

104b4ec8a7c39ba5f87be908d86a5e4f34fce70e5ae4992f8435837c2d8fb448
SHA512

7ea3706cb447c96c040dd397ede4c5047895a69639cd6b8524434ff71b9e0cbeb61563f0d80b464ffe0cb6088e54b618cbfbb0be50e841003aae88f0dbfb9c92
SSDEEP

6144:yw+E6shLwFZBh/kFdMyJeGbfUTpYDDmu/+3fbe:ycIZCdMy8G+pG/Ye

Score

10^/10

dharma ramnit banker credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer trojan upx worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email [email protected] YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: [email protected] Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Dharma family
dharma
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (322) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe

Executes dropped EXE 1 IoCs

pid	Process
2056	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe

Loads dropped DLL 2 IoCs

pid	Process
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe = "C:\\Windows\\System32\\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe"	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\I618Z2Y3\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ORIYJR4N\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CW1M20CU\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N5RJMVSE\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\C1JHBK4W\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PG1T8SOQ\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\691RDNCS\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File created	C:\Windows\System32\Info.hta	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000012117-2.dat	upx
behavioral1/memory/2056-17-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2056-13-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2056-4886-0x0000000000400000-0x000000000045D000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-11.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\fr-FR\Hearts.exe.mui.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RECALL.DLL.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14984_.GIF.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Web.Entity.Design.Resources.dll	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\STSLIST.CHM.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\WZCNFLCT.CHM.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02740U.BMP	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME19.CSS.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File created	C:\Program Files\Microsoft Games\Solitaire\fr-FR\Solitaire.exe.mui.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\dodeca_and_7channel_3DSL_HRTF.sofa.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_es.dll.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02288_.WMF.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\FlickLearningWizard.exe.mui	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libmft_plugin.dll.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared16x16Images.jpg.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files\7-Zip\History.txt.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\tipresx.dll.mui	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_plugin.dll.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mac.css.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7FR.dub.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\notes-static.png	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSFrontendENU.dll	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OMML2MML.XSL.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kuala_Lumpur.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_ja_4.4.0.v20140623020002.jar	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19988_.WMF.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libvoc_plugin.dll	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\tab_off.gif.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Accra.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_zh_CN.jar.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00122_.WMF	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\background.gif.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bogota.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_COL.HXC	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana.css.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBOB6.CHM.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util_ja.jar	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187647.WMF	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02296_.WMF	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Tell_City.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01196_.WMF	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_COL.HXT.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14565_.GIF.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\msoeres.dll.mui	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationCore.resources.dll	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\DBGHELP.DLL	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21320_.GIF	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana.css.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File B.txt.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File created	C:\Program Files\Microsoft Games\FreeCell\en-US\FreeCell.exe.mui.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\background.gif.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_italic.gif.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jpeg.dll.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_snow.png	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
File opened for modification	C:\Program Files\UndoGrant.ico.id-2FA5BF0D.[[email protected]].ONION	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2796	vssadmin.exe
548	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 54 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3C565751-F4DA-11EF-B686-FA59FB4FA467} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446802231"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3C53A7D1-F4DA-11EF-B686-FA59FB4FA467} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2056	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe
2056	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe
2056	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe
2056	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe
2056	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe
2056	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe
2056	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe
2056	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2056	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe
Token: SeBackupPrivilege	792	vssvc.exe
Token: SeRestorePrivilege	792	vssvc.exe
Token: SeAuditPrivilege	792	vssvc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2684	iexplore.exe
2748	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2684	iexplore.exe
2684	iexplore.exe
1412	IEXPLORE.EXE
1412	IEXPLORE.EXE
2748	iexplore.exe
2748	iexplore.exe
1688	IEXPLORE.EXE
1688	IEXPLORE.EXE
1688	IEXPLORE.EXE
1688	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2056	2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe	30
PID 2644 wrote to memory of 2056	2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe	30
PID 2644 wrote to memory of 2056	2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe	30
PID 2644 wrote to memory of 2056	2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe	30
PID 2644 wrote to memory of 2820	2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe	31
PID 2644 wrote to memory of 2820	2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe	31
PID 2644 wrote to memory of 2820	2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe	31
PID 2644 wrote to memory of 2820	2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe	31
PID 2056 wrote to memory of 2748	2056	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe	32
PID 2056 wrote to memory of 2748	2056	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe	32
PID 2056 wrote to memory of 2748	2056	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe	32
PID 2056 wrote to memory of 2748	2056	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe	32
PID 2056 wrote to memory of 2684	2056	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe	33
PID 2056 wrote to memory of 2684	2056	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe	33
PID 2056 wrote to memory of 2684	2056	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe	33
PID 2056 wrote to memory of 2684	2056	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe	33
PID 2820 wrote to memory of 2548	2820	cmd.exe	35
PID 2820 wrote to memory of 2548	2820	cmd.exe	35
PID 2820 wrote to memory of 2548	2820	cmd.exe	35
PID 2820 wrote to memory of 2796	2820	cmd.exe	36
PID 2820 wrote to memory of 2796	2820	cmd.exe	36
PID 2820 wrote to memory of 2796	2820	cmd.exe	36
PID 2684 wrote to memory of 1412	2684	iexplore.exe	37
PID 2684 wrote to memory of 1412	2684	iexplore.exe	37
PID 2684 wrote to memory of 1412	2684	iexplore.exe	37
PID 2684 wrote to memory of 1412	2684	iexplore.exe	37
PID 2748 wrote to memory of 1688	2748	iexplore.exe	40
PID 2748 wrote to memory of 1688	2748	iexplore.exe	40
PID 2748 wrote to memory of 1688	2748	iexplore.exe	40
PID 2748 wrote to memory of 1688	2748	iexplore.exe	40
PID 2644 wrote to memory of 628	2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe	42
PID 2644 wrote to memory of 628	2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe	42
PID 2644 wrote to memory of 628	2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe	42
PID 2644 wrote to memory of 628	2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe	42
PID 628 wrote to memory of 2372	628	cmd.exe	44
PID 628 wrote to memory of 2372	628	cmd.exe	44
PID 628 wrote to memory of 2372	628	cmd.exe	44
PID 2644 wrote to memory of 2412	2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe	45
PID 2644 wrote to memory of 2412	2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe	45
PID 2644 wrote to memory of 2412	2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe	45
PID 2644 wrote to memory of 2412	2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe	45
PID 628 wrote to memory of 548	628	cmd.exe	46
PID 628 wrote to memory of 548	628	cmd.exe	46
PID 628 wrote to memory of 548	628	cmd.exe	46
PID 2644 wrote to memory of 4528	2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe	47
PID 2644 wrote to memory of 4528	2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe	47
PID 2644 wrote to memory of 4528	2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe	47
PID 2644 wrote to memory of 4528	2644	2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe	47

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe
  C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2748 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1688
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2684 CREDAT:340993 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1412
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:2548
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2796
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:2372
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:548
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  - Modifies Internet Explorer settings
  PID:2412
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  - Modifies Internet Explorer settings
  PID:4528

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id-2FA5BF0D.[[email protected]].ONION

Filesize
23.5MB

MD5
15328d94aef39315cc60ca4865fde08c

SHA1
120ca1cb46a82b04fa20d1830cce3084866a6af2

SHA256
2ae6ff4424ae7c8ed641a17d70c81e0501f64cf2c89fb4859cad2cbf5fadd2ce

SHA512
9c44ca7c12e976a7482e588d45db28127845ce66c1f8cd68603a56048d7065c5a924d3766fd30aa45fb8e381673fde8939f12e1e4acca8f209d31dfe96733c5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
e12f05f8d8d77cede61797fe90f5e5a0

SHA1
2d3aee9a6ce3db99545bd1cff0f030d84e70f09b

SHA256
16aa300055255e837a150a1d9e74405b1d1f1c797594985091873edba2f5ee70

SHA512
cc87eb5501a6f24f96788f5c1888d114d6cce8fbd14ddfcb23df495ac1eee32cf737f2371aee55a19fe58350b7340f09cd8653bce572b68ff36aa2858020847b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d2aac969f5effd32546b5762c3a96d5c

SHA1
18e44c78904ddf1de2d1fa9b846e2ce5f58a18c1

SHA256
54158fb4e5fbc25700d04aa6199e449d5bee3ffed1b2a4a725acba9b6936d67c

SHA512
bc789840636d1dd81e222abd42adb9d67abaaa6ccf62f3df336d51a6ddac6102cdc79c032d8d69d7f1b364517554f96a5f9fd845571009e2c6efd3aa6d7d7e4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f4f9cf7820febb3ee0387c6a579da55f

SHA1
6f50653db6506b52f951aa9f368ac7c405dc264b

SHA256
f7ec837f5dfe5f658a4ceba7513a68aa7ee944a4473bef7ac2baa6ea47b9a8bc

SHA512
a8b5638999bf803ed7d212444321c6fc90f9dbb7cfceae1a7c0ae328ef2755e8774d2028583500f71cae315877624dd7e61a425911d2517eea69e76f0fe0ec49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f56a9eb73ab93d8636b7cd80d2a6a933

SHA1
841ffca7c38d1e988b0d8ec46f352c5bede7edb7

SHA256
cc3d30c3122254c26e28cb0abe1ecc2c926afb14554f7830ae23d6fc6b6c273e

SHA512
660309d01041b8e9221fbd40fa21814e02d0925bff533b7d1b1230dd10809404667506e85945a6ffab56e27eeca8662304d29d394150f47152c62244bfc709aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9c3270b6cebca2225482df22a9d8da9a

SHA1
ad2f57f2f69bea4dc27bb2e5bd82472efd4c200c

SHA256
2371da6d94b6b12859bf72e0cad5fbb8455403aaa76342f68833e4f6c26463b6

SHA512
eba52da66e43eacaf5416ca9a42f5d458632951d4881431583cf879ca4556303b0af4b86d8769f005ec9bfa2901b9c785d026cda3d767e0faf6ee811bab6029e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ef12a3ae5b73791444fb8c76397e46eb

SHA1
466e4c1b53fbbec9e66c7a1e05215d7e1a867e45

SHA256
172cca3dde576cf864acb187b8c9637010f2e9ef04351a12f9b9265f32b01673

SHA512
deee10694b66567c029bf1d80aa6ce6f8f0baf696a8f05b51cd1e5372d8cf6a44480472a2eba4c036acb989eddebf75a0f2c705853a178b38ec61818e7a1c10d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
099a22127b4d1f22f1796740768845d6

SHA1
60305244be83c66e927dc16508d5be95d7286ede

SHA256
4fc614b1df6ee524dd5223d4f88566fd19ae0741f0c7819d5fac63c48006feca

SHA512
d0e7b9901a2d596b94c91da79c2038cfa15804157926ed537c258edf23283cc8a1f41b96fda4ce018062b3ba2444bc231fd8b735a1421b51ea86148cb5135df4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dc68a942c078445d3599fc39cc5bb8ae

SHA1
a4749bb6252adcf48a03da73e4ef8ec84117e87e

SHA256
6d9e360bb2ecb0aabe2fcb569034e4ed38c8bff66cfe89da744d1c7678cc61b0

SHA512
38080cbcb7192aa127a806b3ba3de67c6f778343e00ab1cb6e3e2859fb4db72bf5daea64715029771c6020bd7bfa325a5b936c7a81b045ee44b171a33620f1b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
40e1c05cbe87ecdc4651eea94b9600aa

SHA1
31d4ed9a8ebec64a7dfcc793affe21995b5ed20b

SHA256
56ec1cff345ddaa2f6d64da3166ecc6e535189832d1ef4553b23fc3f6955962f

SHA512
1fd82012e4230b3a01a30a6ded2cc127db2d82876078eeb9f1ae002f9fe688692c0db4fe0249748a9bc60683ac54fc3c8a4a6d02e4d4f9d4daee8d6fa95d7804

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a1217ae7c0b0ec4443acbbe4f4c333ed

SHA1
744c005b786b6db9f6ace3e24c2ff72fc88dadf0

SHA256
dba945f99722faf52804723df17530109629a546fded227ef96669e2d46546d4

SHA512
16c7a762b805fcc04f457b6b30292c661dd2775863388d07d8ffbf5226bf7d4b912df31587b7276f300c2ca2856a6a0c744363ff507faab20b31a41e8d6980e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2d0f3984202a74fbdc4a36dd4466e0e6

SHA1
217bba13a4d1827b9a947788637bdb38f1856202

SHA256
ead4ede833059021fcacc39e6918e1f9095e8bddad725b3256c99e66c503a2a0

SHA512
48620c0ebde9f17b4c4a14d8427bf37d95284d869bc8b6a37cd2f7ce859a920daed355f98a6c44e16ca063fd43c71a6d22fddf037fa4f97a8da25159fee3decd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
936e1484063a3951b28b83ff267ec9d4

SHA1
db1e2378767af72e9598505d8b0d097583cdbd54

SHA256
fa2d88ba40cdf1e85436d491a8c77d705edf9fde8802897560f9817c5cf25346

SHA512
e6a387e3af748f98cdb4c4376ac621b19b54836ff9b307cc584290b1c578a4d4ba6b8f75b551feb69a1fd1e465ad5650d646cd219a83ab81dd1e0d8865105160

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
95e313c9d5e377b4fb4c40d15641e515

SHA1
544e9428d633d29156bbf9d2dab1fb940b2c7fea

SHA256
edd035e57dedcd83ffcfd1142f57c7b09028f2a743ad5efb7322da6e893f6ec0

SHA512
ef88b6efa2f6f65c91e05b9a705607eb8498312035d36c116cb1db1828cc4f0779a4c4d9d88f7a9ca8532e5ca12683bea86aeb5de527d4f41725523a95112d48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
36b7232f320bcb7a339bb9d285eefdb0

SHA1
b9c25751105cda3f1185f9eaa4b33f4b8d076216

SHA256
a7df0b5e1320fb1acacf8da3a66d5cd4b23198ef7dc324916e4e4e428220c1ed

SHA512
2b94321fb5700fa4c37564f06264f59a6afff9c8606e0ec0889a567128cfc2aa639ea242a2fddbf80451235ac9a5e77643fa9edc601790ba81113b93b61cc702

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eb4f59e077c93908043436e19ff5b994

SHA1
a3c06f3e13ad3c92f001819ab3aaa284013fcf62

SHA256
a5b320ad5f2f99fac6b412dd71014216ae0ecfd730bcc6196295e1c46db46cf4

SHA512
bff7e875e5c8d827cf2b57a72ae112d4b848e0156971a427a4986c4b325c8a36eb2d797fb8b932459594480bf1bd06cc1ac944a3a8c7f2a7a175c595d42415b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7e8fa5912fd5448a07fb70f4a5ac000b

SHA1
be420b6fe1d88c6fc5425bebdb487bbb3df546a7

SHA256
7cc338135877c3adc55f327eac2b9a0d05a9c2fc3ff906ffcd6378b66b95f637

SHA512
5fdde380f3f1f7204844a69260d98e1796eacf7061a53739e2a8a451715fe2f5547b92077c1ecafde32edb9a4bec1528344b4f270d34ad6764b9511df67b1dbd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0d041dcfee8bf81b431eaa8295356a4a

SHA1
b159371628b5a916ceea889cf95734ae0dfe12a0

SHA256
f6ee457627e9315bf9d1e9223718d75061ebd251ef248ea311edde4cf1dba92b

SHA512
a52b521732469cce24e52749e00bdca5804a5e067300a95cf15a56cbb5cb55edb3c99d0f6236bced39538b9db442f796aca879597065e95a725f052aa249aa75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a405be5bbc74ae95551f6f484838b411

SHA1
76a412937eaf8ed39ef4a72be8cb94fe604e8a2a

SHA256
09a3574b6626bd1dffe2a9bbabf792ed75e73a650a1d03e630f5f058a2d49ed0

SHA512
b19d5bba0551d2461cd427b922f09b76308f3f0bb2fff5fee145dfe183b9f97c905c7b5e69d8370baaa406c342a140df061af5fb57c90b89ec94a921c1a8a142

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
b31469e264fe8cefa40d9088dc2a7b90

SHA1
658e5558d947ed894e1998bd99a63ae8cab1a057

SHA256
51dbadc166dc872b437de6db25337b045b166d7325b7ba8032d9f60cc462fd9f

SHA512
117e53e8182ae7cfd730639811c0fecd0aeab8797ed3c796bece12ed88f69ebd0bbae140e9ef0d5941489f8c4b9ea574675adf58a4145972db2db8378b1eb46f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3C53A7D1-F4DA-11EF-B686-FA59FB4FA467}.dat

Filesize
5KB

MD5
eab51ab0b26bf8ff49c7aa3511fb34be

SHA1
0b38e5c0d8d0adb32a46fc0dc8149a5c6ff98b29

SHA256
8a70ded19f38fa963d1e2ec62b15070b76f896f89bba772c4f3636e9ecd54690

SHA512
83d6290189283847d8a390e3d49c5c18f4ee656f18aec8e5288eedc771d312911ee1f03f9a57fb4b5b3624c86aa55205d2ca5a6ace20620c7555107c7a7a49a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDE9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF08.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Filesize
7KB

MD5
5cc339b6f9e6be19fb91470cef3d7ab8

SHA1
2197fc33068718ddb3967568b10b280d43adcee8

SHA256
58224d84bd336e58ca0173de1ea65d2e4df60ea98ae6d4c8f34cc6fecab4cbe5

SHA512
5f7960154f2e36a513e2ffa6921a2a25ee805af42a78d735807c0e54fd3b0c85aae3154c2248ffec4ad2f800d26d9934c4bfb71979438f33c18a49516a03d4ef

Download Submit
\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe

Filesize
105KB

MD5
d5ca6e1f080abc64bbb11e098acbeabb

SHA1
1849634bf5a65e1baddddd4452c99dfa003e2647

SHA256
30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae

SHA512
aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

Download Submit
memory/2056-4886-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2056-17-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2056-16-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2056-14-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2056-13-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2056-15-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2644-1-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2644-8-0x0000000000440000-0x000000000049D000-memory.dmp

Filesize
372KB

Download
memory/2644-21340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download