dharma | 590d3c67a0d4bdcfdabdc579ba3ef3e035144c7b422af7d083d30f6f53ce7cc4

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/02/2025, 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
Size

200KB
MD5

8f55ce9352a6fb03e3d87f8ed1ffaa7f
SHA1

1c5d21857b4329fee9257d8608134b2f94ea149c
SHA256

590d3c67a0d4bdcfdabdc579ba3ef3e035144c7b422af7d083d30f6f53ce7cc4
SHA512

3d2dfa038b24aa2e4bfdcef334fbe03679a9c56fcbc47267fb4dd4e2cdbd6906c2711c82573399ee7a91932ac5cec998b9053ffdd68ae61f8f4802d0d48c4b6e
SSDEEP

6144:yw+E6shLjgYIz+X303peGbfUTpYDDmu/+3fbY:ycjgLzs0sG+pG/YY

Score

10^/10

dharma ramnit banker credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer trojan upx worm

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email [email protected] YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: [email protected] Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Dharma family
dharma
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (310) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe

Executes dropped EXE 1 IoCs

pid	Process
1944	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe

Loads dropped DLL 2 IoCs

pid	Process
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe = "C:\\Windows\\System32\\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe"	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MT4W94IX\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Public\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T1DP8V76\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\QMPQWRBT\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UGWF8QWZ\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BY17T927\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AQYH36ZT\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File created	C:\Windows\System32\Info.hta	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a0000000120d6-2.dat	upx
behavioral1/memory/1944-11-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1944-16-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1944-19-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1944-4260-0x0000000000400000-0x000000000045D000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\TAB_OFF.GIF.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\jquery.jstree.js	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_zh_CN.jar	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00194_.WMF.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL01040_.WMF.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\ModifiedTelespace.ico.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImages.jpg.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086426.WMF	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\weather.js	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImageMask.bmp.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0278702.WMF.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_fi.dll.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IO.Log.Resources.dll	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ca.pak	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Java\jre7\bin\WindowsAccessBridge-64.dll	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libaribsub_plugin.dll.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00487_.WMF.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime.css.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN010.XML.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\ja-JP\WinMail.exe.mui	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\vignettemask25.png	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01035U.BMP.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Trek.xml	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.logging_1.1.1.v201101211721.jar.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0238927.WMF	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\settings.js	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099205.WMF.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME43.CSS.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\tab_on.gif	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WhiteboxMask.bmp	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178460.JPG.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Guadalcanal.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00775_.WMF.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-7	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_uk.dll.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\vlc.mo.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00712_.WMF.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\RMNSQUE.ELM.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext.png	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow.css.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Madeira.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIBUtils.dll	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\AD.DPV.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Montreal	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\koreus.luac	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00638_.WMF	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\THMBNAIL.PNG	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeLinguistic.dll.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\SERVWRAP.ASP.id-DC47B53E.[[email protected]].IPM	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\rtscom.dll	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_ButtonGraphic.png	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_SlateBlue.gif	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightRegular.ttf	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341447.JPG	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.dll	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2844	vssadmin.exe
4040	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 54 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{09F5E831-F4D9-11EF-9DC4-5A85C185DB3E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{09F84991-F4D9-11EF-9DC4-5A85C185DB3E} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446801730"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1944	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe
1944	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe
1944	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe
1944	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe
1944	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe
1944	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe
1944	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe
1944	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1944	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe
Token: SeBackupPrivilege	2624	vssvc.exe
Token: SeRestorePrivilege	2624	vssvc.exe
Token: SeAuditPrivilege	2624	vssvc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2188	iexplore.exe
2348	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2188	iexplore.exe
2188	iexplore.exe
2348	iexplore.exe
2348	iexplore.exe
2840	IEXPLORE.EXE
2840	IEXPLORE.EXE
2640	IEXPLORE.EXE
2640	IEXPLORE.EXE
2640	IEXPLORE.EXE
2640	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 1944	1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe	30
PID 1836 wrote to memory of 1944	1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe	30
PID 1836 wrote to memory of 1944	1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe	30
PID 1836 wrote to memory of 1944	1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe	30
PID 1836 wrote to memory of 2660	1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe	31
PID 1836 wrote to memory of 2660	1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe	31
PID 1836 wrote to memory of 2660	1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe	31
PID 1836 wrote to memory of 2660	1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe	31
PID 1944 wrote to memory of 2348	1944	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe	32
PID 1944 wrote to memory of 2348	1944	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe	32
PID 1944 wrote to memory of 2348	1944	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe	32
PID 1944 wrote to memory of 2348	1944	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe	32
PID 1944 wrote to memory of 2188	1944	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe	33
PID 1944 wrote to memory of 2188	1944	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe	33
PID 1944 wrote to memory of 2188	1944	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe	33
PID 1944 wrote to memory of 2188	1944	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe	33
PID 2660 wrote to memory of 2240	2660	cmd.exe	35
PID 2660 wrote to memory of 2240	2660	cmd.exe	35
PID 2660 wrote to memory of 2240	2660	cmd.exe	35
PID 2188 wrote to memory of 2840	2188	iexplore.exe	36
PID 2188 wrote to memory of 2840	2188	iexplore.exe	36
PID 2188 wrote to memory of 2840	2188	iexplore.exe	36
PID 2188 wrote to memory of 2840	2188	iexplore.exe	36
PID 2660 wrote to memory of 2844	2660	cmd.exe	37
PID 2660 wrote to memory of 2844	2660	cmd.exe	37
PID 2660 wrote to memory of 2844	2660	cmd.exe	37
PID 2348 wrote to memory of 2640	2348	iexplore.exe	39
PID 2348 wrote to memory of 2640	2348	iexplore.exe	39
PID 2348 wrote to memory of 2640	2348	iexplore.exe	39
PID 2348 wrote to memory of 2640	2348	iexplore.exe	39
PID 1836 wrote to memory of 4144	1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe	43
PID 1836 wrote to memory of 4144	1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe	43
PID 1836 wrote to memory of 4144	1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe	43
PID 1836 wrote to memory of 4144	1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe	43
PID 4144 wrote to memory of 584	4144	cmd.exe	45
PID 4144 wrote to memory of 584	4144	cmd.exe	45
PID 4144 wrote to memory of 584	4144	cmd.exe	45
PID 1836 wrote to memory of 1560	1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe	46
PID 1836 wrote to memory of 1560	1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe	46
PID 1836 wrote to memory of 1560	1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe	46
PID 1836 wrote to memory of 1560	1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe	46
PID 4144 wrote to memory of 4040	4144	cmd.exe	47
PID 4144 wrote to memory of 4040	4144	cmd.exe	47
PID 4144 wrote to memory of 4040	4144	cmd.exe	47
PID 1836 wrote to memory of 212	1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe	48
PID 1836 wrote to memory of 212	1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe	48
PID 1836 wrote to memory of 212	1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe	48
PID 1836 wrote to memory of 212	1836	2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe	48

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe
  C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2348 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2640
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2188 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2840
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:2240
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2844
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:584
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4040
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  - Modifies Internet Explorer settings
  PID:1560
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  - Modifies Internet Explorer settings
  PID:212

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.id-DC47B53E.[[email protected]].IPM

Filesize
24.4MB

MD5
041b16e994440cb0d5105d441f24a482

SHA1
9607fe46e41cde0dbb1ed3f60335d9d41c3220c3

SHA256
c1d5593aa8c51eae82e0c4223305226f7df7c12dc3019b0aefa60f1e0829a46a

SHA512
b0dde25edfc35664a65d63954a5617f8b4ef29d988196a7bb7bf335569f27a6d914a995f4d54d3b921948d42b854cd19425cc22daf1c73976373650a8f68a642

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Filesize
7KB

MD5
6992df89164a48b9850dbcfd6c20a5d4

SHA1
10e8704bd45f64c9cfee84b1ee9ff108195d0cfd

SHA256
4243cf7b617b710e8cf7ca7e075722c3a0d7f5545a5748317f968d02f4b3eaef

SHA512
6a7eab8c1c72dfd0a459649fabebaf9a4910ab77c06adb09c2d9cf5c636a2d0d6c37ba222356e9943a2b75cc6dce57cd5128d168267413a3c71ee161cd26cfcf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a1ae73f4e6ad23ac196ac3804c71e5bd

SHA1
c2e76e37ed2c353fb79255c0b66a9a939a7e74f1

SHA256
efc864af78ca124dfa6675b2b40b88cd00968cba0d7a82faee65f517ad8c58d5

SHA512
a3e82df830ffb0a5a6e3db644cee0012fc9566b156c5a67a7d957cb63b2c8e3cf8b45ba07fdb318ff92f5daf61749eda81d5b3255449941460490c291d614ca9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6a0452574fc5add013a99858fe89e514

SHA1
f51ab9aa2b343968f7a14df806f3c9e54b02cc23

SHA256
0df342ed6fcf3cfab369fdb2fa816aef6399e118faea7d67dca241658211b459

SHA512
2a2288ebdcc8cd064cd5e49a4e3915dbac0bc91b50edaaf12f3a5c4d90087c701bdf2f675540ce6029972be267e4f75953d3cae78d8bd7a1060ca3e50907e8eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
afd0c41746130083b1c27d07f0568a9f

SHA1
59496e07bd01f65a2abe8c3c0fff1d388786be8b

SHA256
4eac5dead206119f55efe41aa8d1ac70e07631a53497692243714cc27ebcd636

SHA512
94fd62fbad6391dc6656ab3607168a5781479f95b71f6dbf6d6bc417fe69544ab851f5eee978300724b96b3367ba1e59974f5b25fd3b93109ef687a34bfeb501

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6f3f7a5dee0eacbfe091c994e9d5105c

SHA1
72a35b619fc549603a924441763b1e4236e18254

SHA256
5f54f9aebb48dcd9641f20529e41f96bb510f8e8b7803a52c354045ffc3d3235

SHA512
9cd29a4d1a11eeb387f9d7356b4175b2ecce73d8e3144541fdea28d3653d7db45d9b9815b5ff3f4ff83274600f4b61411075bb9863c3cbdeb6a54fae400806c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
998efb4923a7cd226aae706c8ce1ae06

SHA1
dceae1cde92e32b4195971e117ccc55810773b21

SHA256
8a6f1187e1dc72f3ac458400e73abca1910231596c7e8bc4db7ada137a5d3d85

SHA512
490847ad761be5954f80c6efcdbd667f127781e3a82d1eaa1c375812e98f8c57998d222a16681df3fbcd60145dc0184efb328b0c424c9700747f75a9926f05c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5b1237afb0d01ff5c9c792ef396f8eea

SHA1
ddeada48e8e689cd9beb27d19d1f337799d29857

SHA256
56a564d2f991e9b66db5869036b37227644a53b86f552457656b8eda936c26c9

SHA512
ba988ffe468c59341bf00ab1e265003910946e6350084a0ee9bf3b0447aa5bcee759fe4b55f3ccd52dcaf4e1b47d1873001fe83dc14ce3769338e4b5afc40cdb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0f001288b1924b320404679767300721

SHA1
0e11bb42b8df56c22d2c4467bc6eb08a8dee62be

SHA256
84b5fbb26b0908f73befa618ab612d489d364a3c7d7b81a934e23c08108bcc1b

SHA512
9a200e933567e21cbeb0a1fc16cfd12dd61f36a73e89b8702c82e6d88251f238b825bde51df31e6a20ef3353902851a1015d1e87b88a22e010cc07256e5cbd5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7f1de4a1161840267d5d331de89025e2

SHA1
32a85f90bd427a21f9253f2053dc8496cf6526e2

SHA256
aaf38e60b69534e044add4e5ae0ace21ed976c9a2df6d20bf686cd681729311b

SHA512
8b18fbb58c7913d1682cd8dc426a79dc708b9ba0c02a2d0d53a600a297c891dfc04c548f6f6ec3e4baa90d06a55b08399133bb0d819aa0178ff8816bae0b8bdf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2c512f8a58d97f1c395cf99aa9967cc4

SHA1
6d4cbbf78253848e6d1b8e7aa876db1c3b001c27

SHA256
64462c06c4349fe2399d8d281eff781d4fcd03d5da30beb5673e9a8a2c35a431

SHA512
3bb50f7566bd9ddff17fced83d5ea10bb6fdd2a2d7f0fb6477428c1bbda73113eb0b818574cf223a41c994338f77157efd77b0737cc4bfbdd5857e5f54a28aa9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
378aac729f4d400e7c9f98d2df7687bb

SHA1
a1fc76cc384c1da7e7789a97fe322e7ed0e6a6c0

SHA256
7e365f45e55eccf4d5970fdd128ea9f78116afb7cc6701ea09cf65826abb664e

SHA512
00324809db280a349db7875e2a5dc0a728e094382c60b86a6e8dbba72058c501b7c58603efcfb7e5d73def5f97d1c9d196403e6288ceb17d9a4311748bdc8429

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
00fa697a6fa0cc3ef53fb91cb76dd21b

SHA1
b56e2019b6edac37f632e8d19ea5e42a793f8746

SHA256
2560b2e78c128877a56d7b48d433914c1462229355202439475b3e074c2d3500

SHA512
f5d7b388482c61b41e8567004548de1daf8f478305969d36f3f47e5a68cde97cef47fa222d9da6255936620d4ed8e1f3e85bbfad75f4f0dea6ff2a30523b2976

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
243a50374c20115be518feb1ec5c1296

SHA1
f3ef7689fa81be4f158567399eabb30c8188eabc

SHA256
31d66db01ea6fcc1688abc7d1e15a0ce5377c329b0e315669a2b3bd0d4587efa

SHA512
413b2f62a4a870915ab933f843d838b43b806b30f7acee699545f3d460248f2ba7bb6d8a9f87df539938fe1f009a209251f4097814e4ca75974a09c747bed083

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
99892bfe6cfec7d7a9ea487e4eb1da97

SHA1
f04db7c1c4c290803f71002f84f9627f92c7b5d4

SHA256
1c06992ed7c93a7879199b282f1fe0997387fc60a07b9a9566f7034582ada69a

SHA512
8a39df1d111dfcf1b9dd5a933097ffe6404073ac440cb98bddcbf36a97e9f900e905ea7c3b93be2260e6971cde91b7ebc3ef1253707eb333ed94ac83ddcbafc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
49a577409d5252b53300002b18aebf60

SHA1
3af9ab05c4d1fc69719ecf7f26b98a6de0342770

SHA256
df9043baf09453aa3fa342aa801762ae02f0a16ffd2b48e362f10eaee024c079

SHA512
866e8156494d38e7a867103bd478c49da48cf8803c3d0a4559b6aff208dd5ca11a124f2b3a94fcaa757380b115d88e85490a705cb07861d69d08ce7abdc6841d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
491e94e25671cd9cb59d11f7678f87fa

SHA1
ee83fe72929e77ca506e3c67013e2519485a9306

SHA256
5ecbc760ac471baca607733d49a3fd47f24941aa6ef959fc2ecad0c4fa712c11

SHA512
463b032db4cdd7299fbf400d07361dfa78c95ab7a482b6cbc749f642107682524357b317d1b4db2226a8ac45c06e3daa415f8dce40315f81ccdad79250cf0eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7a38b31685ef07b6f6f1887d3a1b77dd

SHA1
d965b977330aa3ab106ce242ef1524926b3aad5f

SHA256
dc5a3b9eaf8b026443abc4a36e5b5362e84c7aef69fdf734d97ea6885418e80b

SHA512
2b7d03ffef3d9e18c8fd4da471e5f827cbc9402c749accee24386b06379cd6de36c2d9639c456dfc721ac2d250e6e8deac8c65267ef6d951773ad4ba5eba499a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
61ed27863c4aa1eba95a9df29963eeeb

SHA1
bc5e2b89ffbfb1fbb212792eb818505ac8145f0d

SHA256
8839d62fb96ecc1b9a23f1945390747d52727672489f2ea6d029f12deef94bed

SHA512
a0ecb9b3c66bf2a2c6200bf56d053a04226cc186a569555991e6bdc2002847033a2efe17d468ad7c11a644893760d7eed9fcd0e7c769386a7e0b5c79fe02b9e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{09F5E831-F4D9-11EF-9DC4-5A85C185DB3E}.dat

Filesize
5KB

MD5
527a999dd1f7b25b09331f4d1d880349

SHA1
cd81e4bf2e5d107f88113faa9df62b263585b071

SHA256
bae6519474c50dd61a6267e5e65cbc4e3b868bdd322129bebfdf98af143647eb

SHA512
d7a9ec77d50d5137b2beb7308aecd9e4429832c606b28de34e45abbff8ae076d7903380cabf5d719de61e8222dfbaaa2c89cdebc7d04e01c7b90cba347bc5950

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{09F84991-F4D9-11EF-9DC4-5A85C185DB3E}.dat

Filesize
3KB

MD5
cf45e3e37a1e531733a403b0d8a62c3d

SHA1
6f553a728bd9fad98e1d28d3264a27a6aeeda426

SHA256
a41d86ecae738888f2c08a15b0213e8fbd89b73cc261d0c48e679cb7af760dd1

SHA512
61263c888f085f8765761d46a713ccd8733a509845e87577e5bbccc861eb19c2a1d1657283d6a9ae8f70dc1afb90355a2f5ae4704cc33846fa2a210c4cd569a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEB5B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEDD2.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe

Filesize
105KB

MD5
d5ca6e1f080abc64bbb11e098acbeabb

SHA1
1849634bf5a65e1baddddd4452c99dfa003e2647

SHA256
30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae

SHA512
aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

Download Submit
memory/1836-8-0x0000000000220000-0x000000000027D000-memory.dmp

Filesize
372KB

Download
memory/1836-9-0x0000000000220000-0x000000000027D000-memory.dmp

Filesize
372KB

Download
memory/1836-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1836-20829-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1944-11-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1944-16-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1944-17-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1944-4260-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1944-18-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1944-19-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1944-15-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download