Malware Analysis Report

2025-03-14 23:59

Sample ID 250227-h1vyns1ls8
Target 2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit
SHA256 104b4ec8a7c39ba5f87be908d86a5e4f34fce70e5ae4992f8435837c2d8fb448
Tags
dharma ramnit banker credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

104b4ec8a7c39ba5f87be908d86a5e4f34fce70e5ae4992f8435837c2d8fb448

Threat Level: Known bad

The file 2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit was found to be: Known bad.

Malicious Activity Summary

dharma ramnit banker credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer trojan upx worm

Dharma

Ramnit family

Dharma family

Ramnit

Renames multiple (658) files with added filename extension

Renames multiple (322) files with added filename extension

Deletes shadow copies

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Credentials from Password Stores: Windows Credential Manager

Drops startup file

Drops desktop.ini file(s)

Adds Run key to start application

UPX packed file

Drops file in System32 directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Program crash

Browser Information Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-27 07:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-27 07:12

Reported

2025-02-27 07:15

Platform

win7-20240903-en

Max time kernel

149s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe"

Signatures

Dharma

ransomware dharma

Dharma family

dharma

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (322) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe = "C:\\Windows\\System32\\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe" C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\I618Z2Y3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ORIYJR4N\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CW1M20CU\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N5RJMVSE\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\C1JHBK4W\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PG1T8SOQ\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\691RDNCS\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Windows\System32\Info.hta C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-11.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\fr-FR\Hearts.exe.mui.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\RECALL.DLL.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14984_.GIF.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Web.Entity.Design.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\STSLIST.CHM.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\WZCNFLCT.CHM.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02740U.BMP C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME19.CSS.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files\Microsoft Games\Solitaire\fr-FR\Solitaire.exe.mui.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files\VideoLAN\VLC\hrtfs\dodeca_and_7channel_3DSL_HRTF.sofa.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_es.dll.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02288_.WMF.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\FlickLearningWizard.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libmft_plugin.dll.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared16x16Images.jpg.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\7-Zip\History.txt.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_plugin.dll.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mac.css.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7FR.dub.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\notes-static.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSFrontendENU.dll C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\OMML2MML.XSL.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kuala_Lumpur.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19988_.WMF.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libvoc_plugin.dll C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\tab_off.gif.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Accra.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_zh_CN.jar.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00122_.WMF C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\background.gif.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bogota.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_COL.HXC C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana.css.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBOB6.CHM.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util_ja.jar C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187647.WMF C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02296_.WMF C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Tell_City.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01196_.WMF C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_COL.HXT.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14565_.GIF.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\de-DE\msoeres.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationCore.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\DBGHELP.DLL C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21320_.GIF C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana.css.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File B.txt.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\en-US\FreeCell.exe.mui.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\background.gif.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_italic.gif.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jpeg.dll.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_snow.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\UndoGrant.ico.id-2FA5BF0D.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3C565751-F4DA-11EF-B686-FA59FB4FA467} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446802231" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3C53A7D1-F4DA-11EF-B686-FA59FB4FA467} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2644 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe
PID 2644 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe
PID 2644 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe
PID 2644 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe
PID 2644 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\system32\cmd.exe
PID 2644 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\system32\cmd.exe
PID 2644 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\system32\cmd.exe
PID 2644 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\system32\cmd.exe
PID 2056 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2056 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2056 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2056 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2056 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2056 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2056 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2056 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2820 wrote to memory of 2548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2820 wrote to memory of 2548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2820 wrote to memory of 2548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2820 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2820 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2820 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2684 wrote to memory of 1412 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2684 wrote to memory of 1412 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2684 wrote to memory of 1412 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2684 wrote to memory of 1412 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2748 wrote to memory of 1688 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2748 wrote to memory of 1688 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2748 wrote to memory of 1688 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2748 wrote to memory of 1688 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2644 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\system32\cmd.exe
PID 2644 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\system32\cmd.exe
PID 2644 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\system32\cmd.exe
PID 2644 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\system32\cmd.exe
PID 628 wrote to memory of 2372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 628 wrote to memory of 2372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 628 wrote to memory of 2372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2644 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\System32\mshta.exe
PID 2644 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\System32\mshta.exe
PID 2644 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\System32\mshta.exe
PID 2644 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\System32\mshta.exe
PID 628 wrote to memory of 548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 628 wrote to memory of 548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 628 wrote to memory of 548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2644 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\System32\mshta.exe
PID 2644 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\System32\mshta.exe
PID 2644 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\System32\mshta.exe
PID 2644 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\System32\mshta.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe

"C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe"

C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe

C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2684 CREDAT:340993 /prefetch:2

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2748 CREDAT:275457 /prefetch:2

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2644-1-0x0000000000400000-0x0000000000434000-memory.dmp

\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe

MD5 d5ca6e1f080abc64bbb11e098acbeabb
SHA1 1849634bf5a65e1baddddd4452c99dfa003e2647
SHA256 30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae
SHA512 aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

memory/2056-15-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2056-17-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2056-16-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2056-14-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2644-8-0x0000000000440000-0x000000000049D000-memory.dmp

memory/2056-13-0x0000000000400000-0x000000000045D000-memory.dmp

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id-2FA5BF0D.[[email protected]].ONION

MD5 15328d94aef39315cc60ca4865fde08c
SHA1 120ca1cb46a82b04fa20d1830cce3084866a6af2
SHA256 2ae6ff4424ae7c8ed641a17d70c81e0501f64cf2c89fb4859cad2cbf5fadd2ce
SHA512 9c44ca7c12e976a7482e588d45db28127845ce66c1f8cd68603a56048d7065c5a924d3766fd30aa45fb8e381673fde8939f12e1e4acca8f209d31dfe96733c5c

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3C53A7D1-F4DA-11EF-B686-FA59FB4FA467}.dat

MD5 eab51ab0b26bf8ff49c7aa3511fb34be
SHA1 0b38e5c0d8d0adb32a46fc0dc8149a5c6ff98b29
SHA256 8a70ded19f38fa963d1e2ec62b15070b76f896f89bba772c4f3636e9ecd54690
SHA512 83d6290189283847d8a390e3d49c5c18f4ee656f18aec8e5288eedc771d312911ee1f03f9a57fb4b5b3624c86aa55205d2ca5a6ace20620c7555107c7a7a49a5

memory/2056-4886-0x0000000000400000-0x000000000045D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabDE9.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 83142242e97b8953c386f988aa694e4a
SHA1 833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256 d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512 bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

C:\Users\Admin\AppData\Local\Temp\TarF08.tmp

MD5 109cab5505f5e065b63d01361467a83b
SHA1 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256 ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f56a9eb73ab93d8636b7cd80d2a6a933
SHA1 841ffca7c38d1e988b0d8ec46f352c5bede7edb7
SHA256 cc3d30c3122254c26e28cb0abe1ecc2c926afb14554f7830ae23d6fc6b6c273e
SHA512 660309d01041b8e9221fbd40fa21814e02d0925bff533b7d1b1230dd10809404667506e85945a6ffab56e27eeca8662304d29d394150f47152c62244bfc709aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9c3270b6cebca2225482df22a9d8da9a
SHA1 ad2f57f2f69bea4dc27bb2e5bd82472efd4c200c
SHA256 2371da6d94b6b12859bf72e0cad5fbb8455403aaa76342f68833e4f6c26463b6
SHA512 eba52da66e43eacaf5416ca9a42f5d458632951d4881431583cf879ca4556303b0af4b86d8769f005ec9bfa2901b9c785d026cda3d767e0faf6ee811bab6029e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ef12a3ae5b73791444fb8c76397e46eb
SHA1 466e4c1b53fbbec9e66c7a1e05215d7e1a867e45
SHA256 172cca3dde576cf864acb187b8c9637010f2e9ef04351a12f9b9265f32b01673
SHA512 deee10694b66567c029bf1d80aa6ce6f8f0baf696a8f05b51cd1e5372d8cf6a44480472a2eba4c036acb989eddebf75a0f2c705853a178b38ec61818e7a1c10d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 099a22127b4d1f22f1796740768845d6
SHA1 60305244be83c66e927dc16508d5be95d7286ede
SHA256 4fc614b1df6ee524dd5223d4f88566fd19ae0741f0c7819d5fac63c48006feca
SHA512 d0e7b9901a2d596b94c91da79c2038cfa15804157926ed537c258edf23283cc8a1f41b96fda4ce018062b3ba2444bc231fd8b735a1421b51ea86148cb5135df4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dc68a942c078445d3599fc39cc5bb8ae
SHA1 a4749bb6252adcf48a03da73e4ef8ec84117e87e
SHA256 6d9e360bb2ecb0aabe2fcb569034e4ed38c8bff66cfe89da744d1c7678cc61b0
SHA512 38080cbcb7192aa127a806b3ba3de67c6f778343e00ab1cb6e3e2859fb4db72bf5daea64715029771c6020bd7bfa325a5b936c7a81b045ee44b171a33620f1b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 40e1c05cbe87ecdc4651eea94b9600aa
SHA1 31d4ed9a8ebec64a7dfcc793affe21995b5ed20b
SHA256 56ec1cff345ddaa2f6d64da3166ecc6e535189832d1ef4553b23fc3f6955962f
SHA512 1fd82012e4230b3a01a30a6ded2cc127db2d82876078eeb9f1ae002f9fe688692c0db4fe0249748a9bc60683ac54fc3c8a4a6d02e4d4f9d4daee8d6fa95d7804

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d2aac969f5effd32546b5762c3a96d5c
SHA1 18e44c78904ddf1de2d1fa9b846e2ce5f58a18c1
SHA256 54158fb4e5fbc25700d04aa6199e449d5bee3ffed1b2a4a725acba9b6936d67c
SHA512 bc789840636d1dd81e222abd42adb9d67abaaa6ccf62f3df336d51a6ddac6102cdc79c032d8d69d7f1b364517554f96a5f9fd845571009e2c6efd3aa6d7d7e4b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f4f9cf7820febb3ee0387c6a579da55f
SHA1 6f50653db6506b52f951aa9f368ac7c405dc264b
SHA256 f7ec837f5dfe5f658a4ceba7513a68aa7ee944a4473bef7ac2baa6ea47b9a8bc
SHA512 a8b5638999bf803ed7d212444321c6fc90f9dbb7cfceae1a7c0ae328ef2755e8774d2028583500f71cae315877624dd7e61a425911d2517eea69e76f0fe0ec49

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

MD5 5cc339b6f9e6be19fb91470cef3d7ab8
SHA1 2197fc33068718ddb3967568b10b280d43adcee8
SHA256 58224d84bd336e58ca0173de1ea65d2e4df60ea98ae6d4c8f34cc6fecab4cbe5
SHA512 5f7960154f2e36a513e2ffa6921a2a25ee805af42a78d735807c0e54fd3b0c85aae3154c2248ffec4ad2f800d26d9934c4bfb71979438f33c18a49516a03d4ef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a1217ae7c0b0ec4443acbbe4f4c333ed
SHA1 744c005b786b6db9f6ace3e24c2ff72fc88dadf0
SHA256 dba945f99722faf52804723df17530109629a546fded227ef96669e2d46546d4
SHA512 16c7a762b805fcc04f457b6b30292c661dd2775863388d07d8ffbf5226bf7d4b912df31587b7276f300c2ca2856a6a0c744363ff507faab20b31a41e8d6980e1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 b31469e264fe8cefa40d9088dc2a7b90
SHA1 658e5558d947ed894e1998bd99a63ae8cab1a057
SHA256 51dbadc166dc872b437de6db25337b045b166d7325b7ba8032d9f60cc462fd9f
SHA512 117e53e8182ae7cfd730639811c0fecd0aeab8797ed3c796bece12ed88f69ebd0bbae140e9ef0d5941489f8c4b9ea574675adf58a4145972db2db8378b1eb46f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2d0f3984202a74fbdc4a36dd4466e0e6
SHA1 217bba13a4d1827b9a947788637bdb38f1856202
SHA256 ead4ede833059021fcacc39e6918e1f9095e8bddad725b3256c99e66c503a2a0
SHA512 48620c0ebde9f17b4c4a14d8427bf37d95284d869bc8b6a37cd2f7ce859a920daed355f98a6c44e16ca063fd43c71a6d22fddf037fa4f97a8da25159fee3decd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 936e1484063a3951b28b83ff267ec9d4
SHA1 db1e2378767af72e9598505d8b0d097583cdbd54
SHA256 fa2d88ba40cdf1e85436d491a8c77d705edf9fde8802897560f9817c5cf25346
SHA512 e6a387e3af748f98cdb4c4376ac621b19b54836ff9b307cc584290b1c578a4d4ba6b8f75b551feb69a1fd1e465ad5650d646cd219a83ab81dd1e0d8865105160

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 95e313c9d5e377b4fb4c40d15641e515
SHA1 544e9428d633d29156bbf9d2dab1fb940b2c7fea
SHA256 edd035e57dedcd83ffcfd1142f57c7b09028f2a743ad5efb7322da6e893f6ec0
SHA512 ef88b6efa2f6f65c91e05b9a705607eb8498312035d36c116cb1db1828cc4f0779a4c4d9d88f7a9ca8532e5ca12683bea86aeb5de527d4f41725523a95112d48

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 36b7232f320bcb7a339bb9d285eefdb0
SHA1 b9c25751105cda3f1185f9eaa4b33f4b8d076216
SHA256 a7df0b5e1320fb1acacf8da3a66d5cd4b23198ef7dc324916e4e4e428220c1ed
SHA512 2b94321fb5700fa4c37564f06264f59a6afff9c8606e0ec0889a567128cfc2aa639ea242a2fddbf80451235ac9a5e77643fa9edc601790ba81113b93b61cc702

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eb4f59e077c93908043436e19ff5b994
SHA1 a3c06f3e13ad3c92f001819ab3aaa284013fcf62
SHA256 a5b320ad5f2f99fac6b412dd71014216ae0ecfd730bcc6196295e1c46db46cf4
SHA512 bff7e875e5c8d827cf2b57a72ae112d4b848e0156971a427a4986c4b325c8a36eb2d797fb8b932459594480bf1bd06cc1ac944a3a8c7f2a7a175c595d42415b2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e12f05f8d8d77cede61797fe90f5e5a0
SHA1 2d3aee9a6ce3db99545bd1cff0f030d84e70f09b
SHA256 16aa300055255e837a150a1d9e74405b1d1f1c797594985091873edba2f5ee70
SHA512 cc87eb5501a6f24f96788f5c1888d114d6cce8fbd14ddfcb23df495ac1eee32cf737f2371aee55a19fe58350b7340f09cd8653bce572b68ff36aa2858020847b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7e8fa5912fd5448a07fb70f4a5ac000b
SHA1 be420b6fe1d88c6fc5425bebdb487bbb3df546a7
SHA256 7cc338135877c3adc55f327eac2b9a0d05a9c2fc3ff906ffcd6378b66b95f637
SHA512 5fdde380f3f1f7204844a69260d98e1796eacf7061a53739e2a8a451715fe2f5547b92077c1ecafde32edb9a4bec1528344b4f270d34ad6764b9511df67b1dbd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0d041dcfee8bf81b431eaa8295356a4a
SHA1 b159371628b5a916ceea889cf95734ae0dfe12a0
SHA256 f6ee457627e9315bf9d1e9223718d75061ebd251ef248ea311edde4cf1dba92b
SHA512 a52b521732469cce24e52749e00bdca5804a5e067300a95cf15a56cbb5cb55edb3c99d0f6236bced39538b9db442f796aca879597065e95a725f052aa249aa75

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a405be5bbc74ae95551f6f484838b411
SHA1 76a412937eaf8ed39ef4a72be8cb94fe604e8a2a
SHA256 09a3574b6626bd1dffe2a9bbabf792ed75e73a650a1d03e630f5f058a2d49ed0
SHA512 b19d5bba0551d2461cd427b922f09b76308f3f0bb2fff5fee145dfe183b9f97c905c7b5e69d8370baaa406c342a140df061af5fb57c90b89ec94a921c1a8a142

memory/2644-21340-0x0000000000400000-0x0000000000434000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-27 07:12

Reported

2025-02-27 07:15

Platform

win10v2004-20250217-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe"

Signatures

Dharma

ransomware dharma

Dharma family

dharma

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (658) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-71C92CD8.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-71C92CD8.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe = "C:\\Windows\\System32\\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe" C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2593460650-190333679-3676257533-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-2593460650-190333679-3676257533-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Windows\System32\Info.hta C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\sr-latn-cs\mso.acl C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-US\en-US_female_TTS\platform_format.lua C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\oneds.dll.id-71C92CD8.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\css\main.css.id-71C92CD8.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\js\ui.js.id-71C92CD8.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Controls.Ribbon.resources.dll.id-71C92CD8.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\css\main.css.id-71C92CD8.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-time-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\es-419.pak.DATA.id-71C92CD8.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\Logo.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupSmallTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ArchiveToastQuickAction.scale-80.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96_altform-unplated_devicefamily-colorfulunplated.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\COPYRIGHT.id-71C92CD8.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODTXT.DLL C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.TypeConverter.dll.id-71C92CD8.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\Microsoft.VisualBasic.Forms.resources.dll.id-71C92CD8.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_listview_selected.svg.id-71C92CD8.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\combinepdf-tool-view.js.id-71C92CD8.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\uk-ua\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ar_get.svg C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-multibyte-l1-1-0.dll.id-71C92CD8.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Web.Mvc.dll.id-71C92CD8.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso40UIwin32client.dll.id-71C92CD8.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Photos.Edit.Services.dll C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Calendars.dll.id-71C92CD8.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\Attribution\holiday_weather.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_2x.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ppd.xrm-ms.id-71C92CD8.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md.id-71C92CD8.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\rhp\generic-rhp-app-tool-view.js C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\jfr\default.jfc C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote.cat C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\.version.id-71C92CD8.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.Primitives.resources.dll.id-71C92CD8.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-libraryloader-l1-1-0.dll.id-71C92CD8.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\be_get.svg.id-71C92CD8.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\msadc\it-IT\msdaprsr.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-36_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordbi.dll.id-71C92CD8.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-fr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\autofill_labeling.ort.DATA C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\as90.xsl C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\vpaid.js C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxLargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-ma\ui-strings.js.id-71C92CD8.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-oob.xrm-ms.id-71C92CD8.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ppd.xrm-ms.id-71C92CD8.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\libaudioscrobbler_plugin.dll C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Security.Cryptography.X509Certificates.dll C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected].[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\Toast.svg.id-71C92CD8.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\hu-hu\ui-strings.js.id-71C92CD8.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msolui.dll.id-71C92CD8.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\js\plugin.js.id-71C92CD8.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3284 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe
PID 3284 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe
PID 3284 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe
PID 3284 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\system32\cmd.exe
PID 3284 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\system32\cmd.exe
PID 2852 wrote to memory of 5824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2852 wrote to memory of 5824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2852 wrote to memory of 6872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2852 wrote to memory of 6872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3284 wrote to memory of 5840 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\system32\cmd.exe
PID 3284 wrote to memory of 5840 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\system32\cmd.exe
PID 5840 wrote to memory of 8992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 5840 wrote to memory of 8992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 5840 wrote to memory of 6312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 5840 wrote to memory of 6312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3284 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\System32\mshta.exe
PID 3284 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\System32\mshta.exe
PID 3284 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\System32\mshta.exe
PID 3284 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\System32\mshta.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe

"C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe"

C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe

C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3600 -ip 3600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 268

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

Network

Files

memory/3284-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe

MD5 d5ca6e1f080abc64bbb11e098acbeabb
SHA1 1849634bf5a65e1baddddd4452c99dfa003e2647
SHA256 30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae
SHA512 aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

memory/3600-4-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3600-6-0x00000000005B0000-0x00000000005B1000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-71C92CD8.[[email protected]].ONION

MD5 5aa63ed45cbce51869994e25572a9893
SHA1 c0a99ad485b5243b1d6a159e10dd97ca730f6722
SHA256 709fda228f56a21807406bbc89221327688f271174f9205db0de6ed3b86aa808
SHA512 6dda3e850a6fec49453bd6e5d91dd3d4fde6b1fde4e33e49c8667ccbe15f721986ba7273d8337884d30893c4af984a6e398446ae392ec6437bfe95f36420adda

memory/3600-7566-0x0000000000400000-0x000000000045D000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

MD5 aaae2b73a03ffcdf5dc7a12293790957
SHA1 912c818917254b58b89e060703ec257f4bdd7767
SHA256 6128cda9dae301c0cc5741e3d22e348900c5c9dfce773a1a72166ae0b7744945
SHA512 461620f4030e4f4c0f6b9219416fb4b6f73241926ec67052441fec39c70cf26c92af262c459cf91c3542c602a63d811fb86918ecf2b36c79cd991193e36783c8

memory/3284-25552-0x0000000000400000-0x0000000000434000-memory.dmp