Malware Analysis Report

2025-03-14 23:59

Sample ID 250227-hvy35s1jw7
Target 2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit
SHA256 590d3c67a0d4bdcfdabdc579ba3ef3e035144c7b422af7d083d30f6f53ce7cc4
Tags
dharma ramnit banker credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

590d3c67a0d4bdcfdabdc579ba3ef3e035144c7b422af7d083d30f6f53ce7cc4

Threat Level: Known bad

The file 2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit was found to be: Known bad.

Malicious Activity Summary

dharma ramnit banker credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer trojan upx worm

Dharma

Dharma family

Ramnit

Ramnit family

Renames multiple (310) files with added filename extension

Renames multiple (655) files with added filename extension

Deletes shadow copies

Reads user/profile data of web browsers

Credentials from Password Stores: Windows Credential Manager

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in System32 directory

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Enumerates physical storage devices

Browser Information Discovery

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-27 07:04

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-27 07:04

Reported

2025-02-27 07:06

Platform

win7-20240903-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe"

Signatures

Dharma

ransomware dharma

Dharma family

dharma

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (310) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe = "C:\\Windows\\System32\\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe" | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MT4W94IX\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Public\Recorded TV\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T1DP8V76\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Hearts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Mahjong\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\QMPQWRBT\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UGWF8QWZ\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BY17T927\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Chess\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Solitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AQYH36ZT\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Purble Place\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File created | C:\Windows\System32\Info.hta | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
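Worked example, added here and not part of the sandbox report or of any vendor's tooling: a Python triage helper that reads the flattened rows from the Run key, Startup folder and System32 tables above and turns them into ATT&CK-tagged persistence findings, cross-checking every Run value against the files the same run created. The row text is copied from those tables (the parser also accepts the pipe-separated layout); the helper itself, the Finding type, the allow-list of autorun-capable extensions and the decision to file the System32 self-copy under T1547.001 are assumptions of this example. T1547.001 (Registry Run Keys / Startup Folder) and T1218.005 (Mshta) are the standard ATT&CK technique IDs for what the rows show.

```python
import re
from dataclasses import dataclass

# Acting process named in every row of this report's behavioral1 tables.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe"

# Rows constructed from the Run-key, Startup-folder and System32 tables of this report, in the
# sandbox's flattened "Description Indicator Process Target" layout.
ROWS = [
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe = "C:\\Windows\\System32\\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe" {SAMPLE} N/A',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" {SAMPLE} N/A',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" {SAMPLE} N/A',
    rf"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe {SAMPLE} N/A",
    rf"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta {SAMPLE} N/A",
    rf"File created C:\Windows\System32\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe {SAMPLE} N/A",
    rf"File created C:\Windows\System32\Info.hta {SAMPLE} N/A",
]

# Registry row: value type, key path (no spaces in the keys on this page), C-escaped data, process.
REG_ROW = re.compile(r'^Set value \((\w+)\) (\S+) = "(.*)" (\S+) N/A$')
# File row: action, indicator path (may contain spaces), process path (no spaces), Target column.
FILE_ROW = re.compile(r"^(File created|File opened for modification) (.+) (\S+) N/A$")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\(.+)$", re.IGNORECASE)
WIN_PATH = re.compile(r"^[A-Za-z]:\\")
HTA_LAUNCH = re.compile(r"\bmshta(\.exe)?\b.*\.hta", re.IGNORECASE)
AUTORUN_EXTS = {"exe", "hta", "lnk", "vbs", "js", "bat", "cmd", "scr", "dll"}  # assumption


@dataclass(frozen=True)
class Finding:
    technique: str              # ATT&CK technique ID
    title: str
    evidence: str
    corroborated: bool = False  # True when a row in the same run created the file the entry points at


def unescape(data: str) -> str:
    """Undo the sandbox's C-style escaping of registry string data."""
    return data.replace('\\"', '"').replace("\\\\", "\\")


def basename(path: str) -> str:
    return path.rpartition("\\")[2]


def persistence_findings(rows):
    """Return ATT&CK-tagged findings for Run-key and Startup-folder persistence in the rows."""
    created = {}        # lowercase path -> (path as printed, creating process)
    run_values = []
    for row in rows:
        row = row.replace(" | ", " ")          # accept pipe- or space-separated columns
        m = FILE_ROW.match(row)
        if m:
            action, path, proc = m.groups()
            if action == "File created":
                created[path.lower()] = (path, proc)
            continue
        m = REG_ROW.match(row)
        if m:
            _vtype, key, data, proc = m.groups()
            run_values.append((key, unescape(data), proc))

    findings = []
    for key, data, _proc in run_values:
        run = RUN_KEY.search(key)
        if not run:
            continue
        name = run.group(1)
        if HTA_LAUNCH.search(data):
            target = data.split('"')[1] if '"' in data else data.split()[-1]
            findings.append(Finding("T1218.005", "Run key launches an HTA via mshta.exe",
                                    f"{name} = {data}", target.lower() in created))
        else:
            findings.append(Finding("T1547.001", "Run key autostarts an executable",
                                    f"{name} = {data}", data.lower() in created))
        if WIN_PATH.match(name):
            findings.append(Finding("T1547.001",
                                    "Run value name is itself a filesystem path (unusual for legitimate software)",
                                    name))
    for low, (path, proc) in sorted(created.items()):
        ext = basename(low).rpartition(".")[2]
        if "\\start menu\\programs\\startup\\" in low and ext in AUTORUN_EXTS:
            findings.append(Finding("T1547.001", "Autorun-capable file dropped into Startup folder", path))
        if low.startswith("c:\\windows\\system32\\") and basename(low) == basename(proc.lower()):
            findings.append(Finding("T1547.001", "Self-copy staged in System32 as the Run key target", path))
    return findings


if __name__ == "__main__":
    for f in persistence_findings(ROWS):
        flag = "corroborated" if f.corroborated else ""
        print(f"{f.technique}  {f.title}: {f.evidence} {flag}")
```

The corroborated flag is the check worth keeping in a real pipeline: a Run value is only as interesting as the file it points at, and two of the three values here point at files the same process created in System32 during the run. The third points at C:\Users\Admin\AppData\Roaming\Info.hta, which no row on this page shows being written, so it stays uncorroborated rather than assumed. The second and third values also use a full path as the value name, which is an observable on its own.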

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\TAB_OFF.GIF.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\js\jquery.jstree.js | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00194_.WMF.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL01040_.WMF.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\ModifiedTelespace.ico.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImages.jpg.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086426.WMF | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\weather.js | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImageMask.bmp.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0278702.WMF.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_fi.dll.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IO.Log.Resources.dll | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ca.pak | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\bin\WindowsAccessBridge-64.dll | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\codec\libaribsub_plugin.dll.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00487_.WMF.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime.css.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN010.XML.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Mail\ja-JP\WinMail.exe.mui | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\vignettemask25.png | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01035U.BMP.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Trek.xml | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.logging_1.1.1.v201101211721.jar.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0238927.WMF | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\settings.js | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099205.WMF.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME43.CSS.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\tab_on.gif | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WhiteboxMask.bmp | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178460.JPG.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Guadalcanal.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00775_.WMF.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Etc\GMT-7 | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_uk.dll.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\vlc.mo.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00712_.WMF.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\RMNSQUE.ELM.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext.png | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow.css.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Atlantic\Madeira.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIBUtils.dll | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\AD.DPV.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Montreal | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\playlist\koreus.luac | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00638_.WMF | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\THMBNAIL.PNG | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeLinguistic.dll.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\SERVWRAP.ASP.id-DC47B53E.[[email protected]].IPM | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\rtscom.dll | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_SlateBlue.gif | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightRegular.ttf | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341447.JPG | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\bin\java.dll | C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{09F5E831-F4D9-11EF-9DC4-5A85C185DB3E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{09F84991-F4D9-11EF-9DC4-5A85C185DB3E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446801730" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1836 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe
PID 1836 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe C:\Windows\system32\cmd.exe
PID 1944 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1944 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2660 wrote to memory of 2240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2188 wrote to memory of 2840 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2660 wrote to memory of 2844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2348 wrote to memory of 2640 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1836 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe C:\Windows\system32\cmd.exe
PID 4144 wrote to memory of 584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 1836 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe C:\Windows\System32\mshta.exe
PID 4144 wrote to memory of 4040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1836 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe C:\Windows\System32\mshta.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe

"C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe"

C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe

C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2188 CREDAT:275457 /prefetch:2

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2348 CREDAT:275457 /prefetch:2

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp

Files


MD5 998efb4923a7cd226aae706c8ce1ae06
SHA1 dceae1cde92e32b4195971e117ccc55810773b21
SHA256 8a6f1187e1dc72f3ac458400e73abca1910231596c7e8bc4db7ada137a5d3d85
SHA512 490847ad761be5954f80c6efcdbd667f127781e3a82d1eaa1c375812e98f8c57998d222a16681df3fbcd60145dc0184efb328b0c424c9700747f75a9926f05c3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5b1237afb0d01ff5c9c792ef396f8eea
SHA1 ddeada48e8e689cd9beb27d19d1f337799d29857
SHA256 56a564d2f991e9b66db5869036b37227644a53b86f552457656b8eda936c26c9
SHA512 ba988ffe468c59341bf00ab1e265003910946e6350084a0ee9bf3b0447aa5bcee759fe4b55f3ccd52dcaf4e1b47d1873001fe83dc14ce3769338e4b5afc40cdb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0f001288b1924b320404679767300721
SHA1 0e11bb42b8df56c22d2c4467bc6eb08a8dee62be
SHA256 84b5fbb26b0908f73befa618ab612d489d364a3c7d7b81a934e23c08108bcc1b
SHA512 9a200e933567e21cbeb0a1fc16cfd12dd61f36a73e89b8702c82e6d88251f238b825bde51df31e6a20ef3353902851a1015d1e87b88a22e010cc07256e5cbd5d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7f1de4a1161840267d5d331de89025e2
SHA1 32a85f90bd427a21f9253f2053dc8496cf6526e2
SHA256 aaf38e60b69534e044add4e5ae0ace21ed976c9a2df6d20bf686cd681729311b
SHA512 8b18fbb58c7913d1682cd8dc426a79dc708b9ba0c02a2d0d53a600a297c891dfc04c548f6f6ec3e4baa90d06a55b08399133bb0d819aa0178ff8816bae0b8bdf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2c512f8a58d97f1c395cf99aa9967cc4
SHA1 6d4cbbf78253848e6d1b8e7aa876db1c3b001c27
SHA256 64462c06c4349fe2399d8d281eff781d4fcd03d5da30beb5673e9a8a2c35a431
SHA512 3bb50f7566bd9ddff17fced83d5ea10bb6fdd2a2d7f0fb6477428c1bbda73113eb0b818574cf223a41c994338f77157efd77b0737cc4bfbdd5857e5f54a28aa9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 378aac729f4d400e7c9f98d2df7687bb
SHA1 a1fc76cc384c1da7e7789a97fe322e7ed0e6a6c0
SHA256 7e365f45e55eccf4d5970fdd128ea9f78116afb7cc6701ea09cf65826abb664e
SHA512 00324809db280a349db7875e2a5dc0a728e094382c60b86a6e8dbba72058c501b7c58603efcfb7e5d73def5f97d1c9d196403e6288ceb17d9a4311748bdc8429

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

MD5 6992df89164a48b9850dbcfd6c20a5d4
SHA1 10e8704bd45f64c9cfee84b1ee9ff108195d0cfd
SHA256 4243cf7b617b710e8cf7ca7e075722c3a0d7f5545a5748317f968d02f4b3eaef
SHA512 6a7eab8c1c72dfd0a459649fabebaf9a4910ab77c06adb09c2d9cf5c636a2d0d6c37ba222356e9943a2b75cc6dce57cd5128d168267413a3c71ee161cd26cfcf

memory/1836-20829-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 00fa697a6fa0cc3ef53fb91cb76dd21b
SHA1 b56e2019b6edac37f632e8d19ea5e42a793f8746
SHA256 2560b2e78c128877a56d7b48d433914c1462229355202439475b3e074c2d3500
SHA512 f5d7b388482c61b41e8567004548de1daf8f478305969d36f3f47e5a68cde97cef47fa222d9da6255936620d4ed8e1f3e85bbfad75f4f0dea6ff2a30523b2976

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 61ed27863c4aa1eba95a9df29963eeeb
SHA1 bc5e2b89ffbfb1fbb212792eb818505ac8145f0d
SHA256 8839d62fb96ecc1b9a23f1945390747d52727672489f2ea6d029f12deef94bed
SHA512 a0ecb9b3c66bf2a2c6200bf56d053a04226cc186a569555991e6bdc2002847033a2efe17d468ad7c11a644893760d7eed9fcd0e7c769386a7e0b5c79fe02b9e9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 243a50374c20115be518feb1ec5c1296
SHA1 f3ef7689fa81be4f158567399eabb30c8188eabc
SHA256 31d66db01ea6fcc1688abc7d1e15a0ce5377c329b0e315669a2b3bd0d4587efa
SHA512 413b2f62a4a870915ab933f843d838b43b806b30f7acee699545f3d460248f2ba7bb6d8a9f87df539938fe1f009a209251f4097814e4ca75974a09c747bed083

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 99892bfe6cfec7d7a9ea487e4eb1da97
SHA1 f04db7c1c4c290803f71002f84f9627f92c7b5d4
SHA256 1c06992ed7c93a7879199b282f1fe0997387fc60a07b9a9566f7034582ada69a
SHA512 8a39df1d111dfcf1b9dd5a933097ffe6404073ac440cb98bddcbf36a97e9f900e905ea7c3b93be2260e6971cde91b7ebc3ef1253707eb333ed94ac83ddcbafc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 49a577409d5252b53300002b18aebf60
SHA1 3af9ab05c4d1fc69719ecf7f26b98a6de0342770
SHA256 df9043baf09453aa3fa342aa801762ae02f0a16ffd2b48e362f10eaee024c079
SHA512 866e8156494d38e7a867103bd478c49da48cf8803c3d0a4559b6aff208dd5ca11a124f2b3a94fcaa757380b115d88e85490a705cb07861d69d08ce7abdc6841d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 491e94e25671cd9cb59d11f7678f87fa
SHA1 ee83fe72929e77ca506e3c67013e2519485a9306
SHA256 5ecbc760ac471baca607733d49a3fd47f24941aa6ef959fc2ecad0c4fa712c11
SHA512 463b032db4cdd7299fbf400d07361dfa78c95ab7a482b6cbc749f642107682524357b317d1b4db2226a8ac45c06e3daa415f8dce40315f81ccdad79250cf0eaf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7a38b31685ef07b6f6f1887d3a1b77dd
SHA1 d965b977330aa3ab106ce242ef1524926b3aad5f
SHA256 dc5a3b9eaf8b026443abc4a36e5b5362e84c7aef69fdf734d97ea6885418e80b
SHA512 2b7d03ffef3d9e18c8fd4da471e5f827cbc9402c749accee24386b06379cd6de36c2d9639c456dfc721ac2d250e6e8deac8c65267ef6d951773ad4ba5eba499a

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-27 07:04

Reported

2025-02-27 07:06

Platform

win10v2004-20250217-en

Max time kernel

150s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe"

Signatures

Dharma

ransomware dharma

Dharma family

dharma

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (655) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-852A5109.[[email protected]].IPM C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-852A5109.[[email protected]].IPM C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe = "C:\\Windows\\System32\\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe" C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1874072718-2205492803-118941907-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File created C:\Windows\System32\Info.hta C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.dll C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File created C:\Program Files\Microsoft Office\root\rsod\proof.es-es.msi.16.es-es.boot.tree.dat.id-852A5109.[[email protected]].IPM C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-72x72-precomposed.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\msedgeupdateres_kok.dll C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL092.XML.id-852A5109.[[email protected]].IPM C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosLargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-24.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\bg.pak.id-852A5109.[[email protected]].IPM C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Grace-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libkaraoke_plugin.dll.id-852A5109.[[email protected]].IPM C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libblend_plugin.dll.id-852A5109.[[email protected]].IPM C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\1033\AdjacencyResume.dotx.id-852A5109.[[email protected]].IPM C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-96_altform-unplated_contrast-black_devicefamily-colorfulunplated.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fr_get.svg.id-852A5109.[[email protected]].IPM C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\sat_logo.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebSockets.Client.dll C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\rhp_world_icon_hover_2x.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140.dll C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-pl.xrm-ms.id-852A5109.[[email protected]].IPM C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ppd.xrm-ms.id-852A5109.[[email protected]].IPM C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\WINGDNG3.TTF C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationProvider.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ku-ckb.txt C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Light.scale-300.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OrientationControlFrontIndicatorHover.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_forward_18.svg C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jfr.dll C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-locale-l1-1-0.dll.id-852A5109.[[email protected]].IPM C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Input.Manipulations.resources.dll.id-852A5109.[[email protected]].IPM C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxBadge.scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-multibyte-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File created C:\Program Files\VideoLAN\VLC\hrtfs\dodeca_and_7channel_3DSL_HRTF.sofa.id-852A5109.[[email protected]].IPM C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-250.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationCore.resources.dll.id-852A5109.[[email protected]].IPM C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART2.BDR.id-852A5109.[[email protected]].IPM C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i422_plugin.dll.id-852A5109.[[email protected]].IPM C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\bn-IN.pak.id-852A5109.[[email protected]].IPM C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageLargeTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyCalendarSearch.scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ca-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\javafx\icu_web.md.id-852A5109.[[email protected]].IPM C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsBase.resources.dll.id-852A5109.[[email protected]].IPM C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\ThirdPartyNotices\ThirdPartyNotices.html C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pt-br\ui-strings.js.id-852A5109.[[email protected]].IPM C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\mt.pak.id-852A5109.[[email protected]].IPM C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md.id-852A5109.[[email protected]].IPM C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\faf_field_grabber.png.id-852A5109.[[email protected]].IPM C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\messages_ko.properties C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MINSBROAMINGPROXY.DLL.id-852A5109.[[email protected]].IPM C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Linq.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_sk.dll.id-852A5109.[[email protected]].IPM C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.DispatchProxy.dll C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\8.jpg C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.id-852A5109.[[email protected]].IPM C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\informix.xsl.id-852A5109.[[email protected]].IPM C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationCore.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-72.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-256.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-pl.xrm-ms.id-852A5109.[[email protected]].IPM C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\js\ui.js C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\ssv.dll.id-852A5109.[[email protected]].IPM C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2592 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe
PID 2592 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe C:\Windows\system32\cmd.exe
PID 2552 wrote to memory of 2188 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2552 wrote to memory of 4188 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2592 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe C:\Windows\system32\cmd.exe
PID 232 wrote to memory of 1340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 232 wrote to memory of 7292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2592 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe C:\Windows\System32\mshta.exe
PID 2592 wrote to memory of 8028 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe C:\Windows\System32\mshta.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe

"C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe"

C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe

C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2488 -ip 2488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 268

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

Network

Files

memory/2592-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe

MD5 d5ca6e1f080abc64bbb11e098acbeabb
SHA1 1849634bf5a65e1baddddd4452c99dfa003e2647
SHA256 30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae
SHA512 aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

memory/2488-5-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2488-6-0x00000000004D0000-0x00000000004D1000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-852A5109.[[email protected]].IPM

MD5 35af4eded5261a19e9e40a440a61aee5
SHA1 1b2249000c7a68da794328a4011f71d420addfee
SHA256 a7d03497919f4919d7c323fb4d1b5bb4ddfcce223389682764476b03c6e5c1c8
SHA512 e3f3c3fc095808c1b7e2817a838e024bd36bec69bc1e4fd5dab6aa23352594e84cd4587616eb5085b78845c810a8aa34e6f1e9b9e9388e824ed41a4213953a71

memory/2488-5095-0x0000000000400000-0x000000000045D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

MD5 8bc0dc7ee81fee8fc86af828d4244416
SHA1 c7c6fc0760c3ebbaa06b6e88abacdfdc597be18d
SHA256 4b6cc0756db2397d6fe1c297f3fd4dfaa5a2bf97e028b2f8040345a3b91e1a67
SHA512 3b5263e4809b9e83fd176f733220cf7c77a3e72308f98196829f20d06ff39766ea094111a00413f8450b906076e615328e01f5953b7cebfa314b5a7d598bc354

memory/2592-25416-0x0000000000400000-0x0000000000434000-memory.dmp