Malware Analysis Report

2025-03-14 23:59

Sample ID: 250227-hy12xa1kw4
Target: 2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit
SHA256: 104b4ec8a7c39ba5f87be908d86a5e4f34fce70e5ae4992f8435837c2d8fb448
Tags: dharma ramnit banker credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer trojan upx worm
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 104b4ec8a7c39ba5f87be908d86a5e4f34fce70e5ae4992f8435837c2d8fb448

Threat Level: Known bad

The file 2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit was found to be: Known bad.

Malicious Activity Summary

dharma ramnit banker credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer trojan upx worm

Ramnit family

Dharma family

Ramnit

Dharma

Deletes shadow copies

Renames multiple (311) files with added filename extension

Renames multiple (653) files with added filename extension

Executes dropped EXE

Drops startup file

Loads dropped DLL

Checks computer location settings

Credentials from Password Stores: Windows Credential Manager

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in System32 directory

UPX packed file

Drops file in Program Files directory

Enumerates physical storage devices

Browser Information Discovery

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy service COM API

Interacts with shadow copies

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-02-27 07:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-02-27 07:09
Reported: 2025-02-27 07:12
Platform: win7-20240903-en
Max time kernel: 149s
Max time network: 129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe"

Signatures

Dharma

ransomware dharma

Dharma family

dharma

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (311) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe = "C:\\Windows\\System32\\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe" C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\75GKCLJR\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GUJ7UW2N\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\L7XNHY48\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\GKATPXW1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\GY8QW6M2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8O71085\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6GFIGH6G\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Windows\System32\Info.hta C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\GoldRing.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\gadget.xml C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Broken_Hill.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\XLCALL32.DLL.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Green Bubbles.htm C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.expressions_3.4.600.v20140128-0851.jar C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00671_.WMF.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293240.WMF.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedbck2.gif.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\BOLDSTRI.ELM C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\DELIMR.FAE.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\settings.js C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241019.WMF C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00512_.WMF.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Santiago.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Macau.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00235_.WMF.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\MANIFEST.MF C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01569_.WMF.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\AWARDHM.POC C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files\Java\jre7\lib\jfr.jar.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\vlc.mo.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libfilesystem_plugin.dll.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS_COL.HXC.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_up.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216612.WMF.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\en-US\Sidebar.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL092.XML C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Helsinki.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00625_.WMF.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.zh_CN_5.5.0.165303.jar.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\header.gif.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands_3.6.100.v20140528-1422.jar.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21399_.GIF.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_lrg.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105410.WMF.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_ja_4.4.0.v20140623020002.jar.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_ja.jar.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewFrame.html.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\meta-index C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\jvmticmlr.h.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Internet Explorer\networkinspection.dll C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14832_.GIF C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_rest.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CONTACTS.ICO C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\STOCKS.XML C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00105_.WMF.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Warsaw C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Issues.accdt C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\SalesReport.xltx.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\AppConfigurationInternal.zip.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActions.exsd.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Caracas.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02198_.GIF.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FORM98.POC.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\TWCUTCHR.DLL.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\zip.dll.id-414C1C3A.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446802039" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C9E64A41-F4D9-11EF-BB15-5A85C185DB3E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C9EBD051-F4D9-11EF-BB15-5A85C185DB3E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2156 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe
PID 2156 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\system32\cmd.exe
PID 2756 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2756 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2820 wrote to memory of 2040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2820 wrote to memory of 1712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2588 wrote to memory of 792 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2552 wrote to memory of 820 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2156 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\system32\cmd.exe
PID 3444 wrote to memory of 704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2156 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\System32\mshta.exe
PID 3444 wrote to memory of 2144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2156 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\System32\mshta.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe

"C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe"

C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe

C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:275457 /prefetch:2

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp

Files

memory/2156-1-0x0000000000400000-0x0000000000434000-memory.dmp

\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe

MD5 d5ca6e1f080abc64bbb11e098acbeabb
SHA1 1849634bf5a65e1baddddd4452c99dfa003e2647
SHA256 30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae
SHA512 aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

memory/2156-9-0x0000000000220000-0x000000000027D000-memory.dmp

memory/2156-8-0x0000000000220000-0x000000000027D000-memory.dmp

memory/2756-15-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2756-14-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2756-18-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2756-17-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2756-19-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2756-16-0x0000000000400000-0x000000000045D000-memory.dmp

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id-414C1C3A.[[email protected]].ONION

MD5 bdf65653f2669d69d681c2e5edc6b6a3
SHA1 0f6badcb7dd1ffb9f814b0179d9e380bd27b159d
SHA256 3708b0a4998c90591e485a67215a8f65cb10cfe8cd609e3456c7ccc423499bcf
SHA512 31722226cd1fb4027d0a1009dc6df7272e03746e7af3efaa159df609fcc8f9b8c54b53c0389c3e511512a9e11019497dd1611e53e7742ac74c8eac139bf5dc21

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C9E64A41-F4D9-11EF-BB15-5A85C185DB3E}.dat

MD5 cb86a88accfd62e1b7a33ee88bea6dac
SHA1 0134ba2a3f8c024211e8e4e3128c7f3c7671a2fd
SHA256 3230213a4d0d013be69644946eeaf869ffde4549ba30e8f272ad033dfeec9384
SHA512 1700302ab1af134b14245e0e680b95e948f535fe332cc80e10e35f3c89d240cbb4097de6c1f48b0360f1d588b5a4d0a322de0c1fa589f751f2f9af1a195eb8d8

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C9EBD051-F4D9-11EF-BB15-5A85C185DB3E}.dat

MD5 8ba2524c9e62c05a5247354d10fd8753
SHA1 449e8c2731e2510033a88ebabccb707ecee0d936
SHA256 3aff70120d9c0e14e2b17cb22a844815d4bdb5308c2e776b4093521af956eb79
SHA512 e18fc8a2008703f50b0ab134a6d77ca9470076b4ade312ef6749564c5ed24cabef70eda9320adf1b0235a3e37e4621b1ee9b32e99e5a1f62a132701793c8138f

memory/2156-2816-0x0000000000220000-0x000000000027D000-memory.dmp

memory/2756-4112-0x0000000000400000-0x000000000045D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab70C0.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar7173.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

memory/2156-21259-0x0000000000400000-0x0000000000434000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-27 07:09

Reported

2025-02-27 07:12

Platform

win10v2004-20250217-en

Max time kernel

150s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe"

Signatures

Dharma

ransomware dharma

Dharma family

dharma

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (653) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-984FB2BA.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-984FB2BA.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe = "C:\\Windows\\System32\\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe" C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1874072718-2205492803-118941907-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Windows\System32\Info.hta C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A

UPX packed file

upx

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentfallback.xml C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClient.resources.dll.id-984FB2BA.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ul-oob.xrm-ms.id-984FB2BA.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-180.png.id-984FB2BA.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\hu-HU\View3d\3DViewerProductDescription-universal.xml C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\cacerts.id-984FB2BA.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\cy.pak.id-984FB2BA.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\ReachFramework.resources.dll.id-984FB2BA.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\smsconnect\SMSConnect2x.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\BuildInfo.xml C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_closereview_18.svg.id-984FB2BA.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\updater.ini.id-984FB2BA.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\win11\identity_helper.Sparse.Internal.msix.id-984FB2BA.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Primitives.dll C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchSquare310x310Logo.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationUI.resources.dll.id-984FB2BA.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul.xrm-ms.id-984FB2BA.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\msdaer.dll C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\CortanaCommands.xml C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\plugins.js.id-984FB2BA.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\rhp_world_icon_hover_2x.png.id-984FB2BA.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\liblpcm_plugin.dll.id-984FB2BA.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationTypes.resources.dll.id-984FB2BA.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\LargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ul-oob.xrm-ms.id-984FB2BA.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\librist_plugin.dll.id-984FB2BA.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef.css.id-984FB2BA.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\SONORA.ELM.id-984FB2BA.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\ReachFramework.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_mr.dll.id-984FB2BA.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarWideTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationCore.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-72.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ja-jp\ui-strings.js.id-984FB2BA.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-tw\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ja-jp\ui-strings.js.id-984FB2BA.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSO.FRAMEPROTOCOLWIN32.DLL C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Paint_PDP.xml C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-36.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\EEINTL.DLL.id-984FB2BA.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_2019.716.2313.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.TextWriterTraceListener.dll.id-984FB2BA.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-96_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarMediumTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-20_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Tented\TentDesktop_144x56.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ppd.xrm-ms.id-984FB2BA.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md.id-984FB2BA.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\PREVIEW.GIF.id-984FB2BA.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationProvider.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fill-sign-2x.png.id-984FB2BA.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ppd.xrm-ms.id-984FB2BA.[[email protected]].ONION C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Web.Entity.Design.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-40_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\LargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-64.png C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
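The rows above mix files the sample merely opened with files it rewrote under the Dharma naming scheme, where ".id-<8 hex>.[<contact address>].<EXT>" is appended to the original name (here ".id-984FB2BA.[...].ONION"; the contact address inside the brackets is redacted on this page). The following Python is an added example, not part of the sandbox report: it parses rows of this table, extracts the victim ID, the opaque contact segment and the original path, and counts encrypted versus untouched entries. The six sample rows are copied from the table; the row parser's assumptions (two known action prefixes, a trailing empty "N/A" Target column, and process paths rooted at C:\) are this example's own.

```python
"""Pull the Dharma victim ID and original filenames out of sandbox
file-activity rows.  Added example, not part of the sandbox report.  Dharma
appends ".id-<8 hex>.[<contact address>].<EXT>" to each file it encrypts; the
contact address inside the brackets is redacted on this page, so the parser
treats the bracketed segment as opaque text.  Sample rows are copied from the
report's Files table.
"""
import re
from dataclasses import dataclass
from typing import Optional

# "<original name>.id-<victim id>.[<contact>].<EXT>" anchored to the path end.
# The contact group is lazy so nested brackets (as in the redacted form on
# this page) still parse.
DHARMA_SUFFIX = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})\.\[(?P<contact>.*?)\]\.(?P<ext>[A-Za-z0-9]+)$"
)
ACTIONS = ("File opened for modification", "File created")  # assumed row prefixes


@dataclass(frozen=True)
class RenamedFile:
    original_path: str
    victim_id: str
    contact: str
    ext: str


def parse_dharma_path(path: str) -> Optional[RenamedFile]:
    """Return the decomposed name if the path carries a Dharma suffix, else None."""
    m = DHARMA_SUFFIX.match(path)
    if not m:
        return None
    return RenamedFile(m["original"], m["victim_id"].upper(), m["contact"], m["ext"])


def parse_activity_row(row: str) -> tuple[str, str, str]:
    """Split '<action> <path> <process> N/A' into (action, path, process).
    Both columns may contain spaces, so the process column is located as the
    last drive-rooted token rather than by whitespace."""
    row = row.strip()
    for action in ACTIONS:
        if row.startswith(action + " "):
            rest = row[len(action) + 1:]
            break
    else:
        raise ValueError(f"unrecognised row: {row[:40]!r}")
    if rest.endswith(" N/A"):            # empty Target column
        rest = rest[:-4]
    path, proc_tail = rest.rsplit(" C:\\", 1)
    return action, path, "C:\\" + proc_tail


def summarize(rows):
    """Count renamed (encrypted) vs untouched entries and collect victim IDs."""
    renamed, untouched, created = [], 0, 0
    for row in rows:
        action, path, _process = parse_activity_row(row)
        hit = parse_dharma_path(path)
        if hit is None:
            untouched += 1
            continue
        renamed.append(hit)
        if action == "File created":     # the encrypted copy being written
            created += 1
    return {
        "renamed": len(renamed),
        "created": created,
        "untouched": untouched,
        "victim_ids": sorted({r.victim_id for r in renamed}),
        "contacts": sorted({r.contact for r in renamed}),
        "originals": [r.original_path for r in renamed],
    }


# Sample input: six rows copied from the report's Files table.
PROC = r"C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe"
SUFFIX = ".id-984FB2BA.[[email protected]].ONION"   # contact address as redacted on the page
SAMPLE_ROWS = [
    rf"File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationUI.resources.dll{SUFFIX} {PROC} N/A",
    rf"File created C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul.xrm-ms{SUFFIX} {PROC} N/A",
    rf"File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-phn.xrm-ms {PROC} N/A",
    rf"File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\msdaer.dll {PROC} N/A",
    rf"File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\plugins.js{SUFFIX} {PROC} N/A",
    rf"File created C:\Program Files\VideoLAN\VLC\plugins\access\librist_plugin.dll{SUFFIX} {PROC} N/A",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

The victim ID is the value a responder matches against the ransom note and against other hosts to tell one Dharma deployment from another; the extension and contact segment vary per campaign, so the pattern keys on the ".id-" marker and the eight hex digits rather than on ".ONION".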

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3092 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe
PID 3092 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe
PID 3092 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe
PID 3092 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\system32\cmd.exe
PID 3092 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\system32\cmd.exe
PID 1712 wrote to memory of 460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 1712 wrote to memory of 460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 1712 wrote to memory of 5708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1712 wrote to memory of 5708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3092 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\system32\cmd.exe
PID 3092 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\system32\cmd.exe
PID 3168 wrote to memory of 5140 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 3168 wrote to memory of 5140 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 3168 wrote to memory of 5844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3168 wrote to memory of 5844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3092 wrote to memory of 288 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\System32\mshta.exe
PID 3092 wrote to memory of 288 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\System32\mshta.exe
PID 3092 wrote to memory of 6736 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\System32\mshta.exe
PID 3092 wrote to memory of 6736 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe C:\Windows\System32\mshta.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe

"C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe"

C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe

C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4008 -ip 4008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 264

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
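The process list above, read together with the WriteProcessMemory table, gives the chain a detection engineer wants to catch: the sample (PID 3092) spawns cmd.exe twice, each instance runs "mode con cp select=1251" and then "vssadmin delete shadows /all /quiet", and the sample launches mshta.exe against Info.hta in both the per-user and the all-users Startup folder. The Python below is an added example, not part of the sandbox report: it runs three rules over process-creation records and then correlates them back to the cmd.exe parents and the top-level process. The event records are constructed here to mirror the report's process tree (pid, ppid, image, command line, as a Sysmon Event ID 1 or EDR feed would supply); the rule names and the two benign control events are this example's own.

```python
"""Flag the Dharma process chain seen in this detonation on process-creation
telemetry.  Added example, not part of the sandbox report.  Event records are
constructed to mirror the report's process tree; rule names and the benign
control events are this example's own.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Ransom note launched from either Startup folder (per-user or all-users).
STARTUP_HTA = re.compile(r'\\Start Menu\\Programs\\Startup\\[^"]+\.hta\b', re.I)
DELETE_SHADOWS = re.compile(r"\bdelete\s+shadows\b", re.I)
CODEPAGE_1251 = re.compile(r"\bcp\s+select=1251\b", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """One finding per process that matches a rule; no parent context yet."""
    findings = []
    for e in events:
        name, cl = image_name(e["image"]), e["cmdline"]
        if name == "vssadmin.exe" and DELETE_SHADOWS.search(cl):
            findings.append(Finding("shadow_copy_deletion", e["pid"], cl))
        elif name == "mshta.exe" and STARTUP_HTA.search(cl):
            findings.append(Finding("startup_hta_via_mshta", e["pid"], cl))
        elif name == "mode.com" and CODEPAGE_1251.search(cl):
            # Dharma switches the console to Cyrillic code page 1251 right
            # before vssadmin; weak on its own, so it only feeds the chain rule.
            findings.append(Finding("console_codepage_1251", e["pid"], cl))
    return findings


def root_of(pid, by_pid):
    """Walk ppid links to the highest ancestor present in the telemetry."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        nxt = by_pid[pid]["ppid"]
        if nxt not in by_pid:
            return pid
        pid = nxt
    return pid


def correlate(events, findings):
    """Which cmd.exe ran the 'mode con' + 'vssadmin delete' pair, and which
    top-level process every finding descends from."""
    by_pid = {e["pid"]: e for e in events}
    rules_by_parent = defaultdict(set)
    for f in findings:
        rules_by_parent[by_pid[f.pid]["ppid"]].add(f.rule)
    chains = sorted(p for p, rules in rules_by_parent.items()
                    if {"console_codepage_1251", "shadow_copy_deletion"} <= rules)
    roots = sorted({root_of(f.pid, by_pid) for f in findings})
    return {"cmd_chains": chains, "root_pids": roots,
            "rule_counts": dict(Counter(f.rule for f in findings))}


# Constructed events mirroring the report's process tree (PIDs as reported).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit.exe"
SAMPLE_EVENTS = [
    {"pid": 3092, "ppid": 0,    "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 4008, "ppid": 3092, "image": SAMPLE[:-4] + "mgr.exe", "cmdline": SAMPLE[:-4] + "mgr.exe"},
    {"pid": 1712, "ppid": 3092, "image": r"C:\Windows\system32\cmd.exe", "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"pid": 460,  "ppid": 1712, "image": r"C:\Windows\system32\mode.com", "cmdline": "mode con cp select=1251"},
    {"pid": 5708, "ppid": 1712, "image": r"C:\Windows\system32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 3168, "ppid": 3092, "image": r"C:\Windows\system32\cmd.exe", "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"pid": 5140, "ppid": 3168, "image": r"C:\Windows\system32\mode.com", "cmdline": "mode con cp select=1251"},
    {"pid": 5844, "ppid": 3168, "image": r"C:\Windows\system32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 288,  "ppid": 3092, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"'},
    {"pid": 6736, "ppid": 3092, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"'},
    # Constructed benign controls (not from the report): an admin listing
    # shadow copies, and an HTA launched from a vendor directory.
    {"pid": 900,  "ppid": 0,    "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 7100, "ppid": 900,  "image": r"C:\Windows\system32\vssadmin.exe", "cmdline": "vssadmin list shadows"},
    {"pid": 7000, "ppid": 900,  "image": r"C:\Windows\System32\mshta.exe", "cmdline": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.rule:24} pid={f.pid:<5} {f.detail}")
    print(correlate(SAMPLE_EVENTS, found))
```

The shadow-copy rule alone fires on any ransomware that shells out to vssadmin; the code page switch and the Startup-folder .hta are what make the chain specific to Dharma, and correlating by parent PID is what separates the two real cmd.exe chains from the benign "vssadmin list shadows" control. The report also notes that the sample uses the Volume Shadow Copy COM API, so a command-line rule alone will miss a variant that deletes shadows without spawning vssadmin.exe.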

Network

Files

memory/3092-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnitmgr.exe

MD5 d5ca6e1f080abc64bbb11e098acbeabb
SHA1 1849634bf5a65e1baddddd4452c99dfa003e2647
SHA256 30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae
SHA512 aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

memory/4008-5-0x0000000000400000-0x000000000045D000-memory.dmp

memory/4008-6-0x00000000005D0000-0x00000000005D1000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-984FB2BA.[[email protected]].ONION

MD5 a965a06c40c5e450e13747d2e9e1b80d
SHA1 66b6f4d82b1f6e150b259f6896fdea136c8285cb
SHA256 f44587251cff21485fc77b9f2b2aa167d289d699dedb96d242ab71423a5105cc
SHA512 0ecaa4a283116b6c15cec53571c3ef658fac46b85bdfa21ef1826c7ce8c7d0175ab97ba555348fdf38bcd8ddf40e37bc76240bd24a8d444a87668bf035312b64

memory/4008-4831-0x0000000000400000-0x000000000045D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

MD5 3bfafca40dbfb90696dc92014eebb20c
SHA1 8b95921d1b0128942ba8e2dbd81b13aa4905d7b2
SHA256 02f73fee892229515c8bbcfd2b18afe382dd0fc80cbfb6a931ac04aee287cc28
SHA512 40a1436ef2a9c6cb631fc905bbb288c4f599fac23c69f8c4cc4f5a6afe477a996d4ea19ec693b4729cfed2a843735fb617722257292c9e8b540b335b4d61beda

memory/3092-25438-0x0000000000400000-0x0000000000434000-memory.dmp