File name:

Dharma.exe

Full analysis: https://app.any.run/tasks/a1795779-1c2b-4a67-9d45-64108ddb0b94
Verdict: Malicious activity
Threats:

Dharma is advanced ransomware that has been observed in the wild since 2016. It is considered to be the second most profitable RaaS operation by the FBI. The malware targets hospitals and state organizations, encrypts files, and demands a payment to restore access to lost information.

Malware Trends Tracker     >>>
Analysis date: May 24, 2025, 15:26:50
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
ransomware
dharma
everything
tool
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

928E37519022745490D1AF1CE6F336F7

SHA1:

B7840242393013F2C4C136AC7407E332BE075702

SHA256:

6FB303DD8BA36381948127D44BD8541E4A1AB8AF07B46526ACE08458F2498850

SSDEEP:

196608:JZnMy97vfgla5NX7YaP6uIEJsp+jb4agYSUpHm6g90MrYmhZZoG0tLzr1+W:LnMy9rfma5NrYaVzC0b4vpZZoG0tR+W

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • SearchHost.exe (PID: 7384)
      • SearchHost.exe (PID: 5304)

    • Starts NET.EXE to view/add/change user profiles

      • net.exe (PID: 736)
      • cmd.exe (PID: 7808)

    • Starts NET.EXE to view/change users localgroup

      • net.exe (PID: 7252)
      • net.exe (PID: 2840)
      • cmd.exe (PID: 7808)

    • Starts NET.EXE to view/change login properties

      • cmd.exe (PID: 7808)
      • net.exe (PID: 8024)

    • Dharma/Crysis is detected

      • Dharma.exe (PID: 4108)

    • Starts NET.EXE for service management

      • net.exe (PID: 8084)
      • cmd.exe (PID: 7808)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Dharma.exe (PID: 4108)
      • SearchHost.exe (PID: 7384)
      • SearchHost.exe (PID: 5304)

    • Drops a system driver (possible attempt to evade defenses)

      • mssql.exe (PID: 680)

    • Executable content was dropped or overwritten

      • Dharma.exe (PID: 4108)
      • mssql.exe (PID: 680)

    • Starts CMD.EXE for commands execution

      • nc123.exe (PID: 3008)
      • Dharma.exe (PID: 4108)
      • cmd.exe (PID: 7808)

    • There is functionality for taking screenshot (YARA)

      • Dharma.exe (PID: 4108)

    • Executing commands from a ".bat" file

      • Dharma.exe (PID: 4108)

    • Creates or modifies Windows services

      • mssql.exe (PID: 680)

    • Uses WMIC.EXE to obtain group account data

      • cmd.exe (PID: 6740)
      • cmd.exe (PID: 7012)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 7808)

    • The process creates files with name similar to system file names

      • Dharma.exe (PID: 4108)

    • Sets the service to start on system boot

      • sc.exe (PID: 7296)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 7808)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 7808)

    • Application launched itself

      • cmd.exe (PID: 7808)
      • SearchHost.exe (PID: 7384)

  • INFO

    • Checks supported languages

      • Dharma.exe (PID: 4108)
      • mssql.exe (PID: 680)
      • nc123.exe (PID: 3008)
      • SearchHost.exe (PID: 7384)
      • mssql2.exe (PID: 7872)
      • SearchHost.exe (PID: 5304)

    • Reads the computer name

      • Dharma.exe (PID: 4108)
      • mssql.exe (PID: 680)
      • nc123.exe (PID: 3008)
      • mssql2.exe (PID: 7872)
      • SearchHost.exe (PID: 7384)
      • SearchHost.exe (PID: 5304)

    • The sample compiled with english language support

      • Dharma.exe (PID: 4108)
      • mssql.exe (PID: 680)

    • Process checks computer location settings

      • Dharma.exe (PID: 4108)
      • SearchHost.exe (PID: 7384)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 4424)
      • WMIC.exe (PID: 7704)

    • EVERYTHING mutex has been found

      • SearchHost.exe (PID: 5304)

    • Reads the software policy settings

      • slui.exe (PID: 6476)

    • Manual execution by a user

      • WINWORD.EXE (PID: 5812)
      • WINWORD.EXE (PID: 7276)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:06:25 10:38:29+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 155648
InitializedDataSize: 112640
UninitializedDataSize: -
EntryPoint: 0x13c60
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
175
Monitored processes
44
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start #DHARMA dharma.exe sppextcomobj.exe no specs nc123.exe no specs conhost.exe no specs slui.exe mssql.exe no specs cmd.exe no specs mssql.exe mssql2.exe no specs mssql2.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs searchhost.exe no specs cmd.exe no specs wmic.exe no specs find.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs wmic.exe no specs find.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs attrib.exe no specs netsh.exe no specs sc.exe no specs net.exe no specs net1.exe no specs searchhost.exe rundll32.exe no specs slui.exe no specs winword.exe ai.exe no specs winword.exe ai.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
680"C:\Users\admin\Downloads\ac\mssql.exe" C:\Users\admin\Downloads\ac\mssql.exe
Dharma.exe
User:
admin
Company:
一普明为(北京)信息技术有限公司
Integrity Level:
HIGH
Description:
Epoolsoft Windows Information View Tools
Version:
1.0.0.5
Modules
Images
c:\users\admin\downloads\ac\mssql.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
736net user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"C:\Windows\SysWOW64\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
812C:\WINDOWS\system32\net1 start TelnetC:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
1040reg add "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v systembackup /t REG_DWORD /d 0x0 /fC:\Windows\SysWOW64\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2384\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2432"C:\Users\admin\Downloads\ac\mssql2.exe" C:\Users\admin\Downloads\ac\mssql2.exeDharma.exe
User:
admin
Company:
一普明为(北京)信息技术有限公司
Integrity Level:
MEDIUM
Description:
Epoolsoft Windows Information View Tools
Exit code:
3221226540
Version:
1.0.0.5
Modules
Images
c:\users\admin\downloads\ac\mssql2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
2664C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\System32\rundll32.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
2840net localgroup "Remote Desktop Users" systembackup /addC:\Windows\SysWOW64\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
3008"C:\Users\admin\Downloads\ac\nc123.exe" C:\Users\admin\Downloads\ac\nc123.exeDharma.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\downloads\ac\nc123.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
4108"C:\Users\admin\Downloads\Dharma.exe" C:\Users\admin\Downloads\Dharma.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\downloads\dharma.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3996_none_d954cb49e10154a6\gdiplus.dll
Total events
16 817
Read events
15 370
Write events
1 242
Delete events
205

Modification events

(PID) Process:(4108) Dharma.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR SFX
Operation:writeName:ac
Value:
ac
(PID) Process:(680) mssql.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mssqlaq
Operation:writeName:Type
Value:
1
(PID) Process:(680) mssql.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mssqlaq
Operation:writeName:ErrorControl
Value:
1
(PID) Process:(680) mssql.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mssqlaq
Operation:writeName:Start
Value:
1
(PID) Process:(680) mssql.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mssqlaq
Operation:writeName:ImagePath
Value:
\??\C:\Users\admin\Downloads\ac\mssqlaq.sys
(PID) Process:(680) mssql.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mssqlaq
Operation:delete keyName:(default)
Value:
(PID) Process:(680) mssql.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vezzsxozybasukco.sys
Operation:delete keyName:(default)
Value:
(PID) Process:(680) mssql.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\vezzsxozybasukco.sys
Operation:delete keyName:(default)
Value:
(PID) Process:(680) mssql.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vezzsxozybasukco
Operation:delete keyName:(default)
Value:
(PID) Process:(680) mssql.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vezzsxozybasukco
Operation:writeName:Type
Value:
1
Executable files
29
Suspicious files
44
Text files
10
Unknown types
0

Dropped files

PID
Process
Filename
Type
4108Dharma.exeC:\Users\admin\Downloads\ac\nc123.exeexecutable
MD5:597DE376B1F80C06D501415DD973DCEC
SHA256:F47E3555461472F23AB4766E4D5B6F6FD260E335A6ABC31B860E569A720A5446
680mssql.exeC:\Users\admin\Downloads\ac\mssql.sysexecutable
MD5:B2233D1EFB0B7A897EA477A66CD08227
SHA256:5FD17E3B8827B5BB515343BC4066BE0814F6466FB4294501BECAC284A378C0DA
680mssql.exeC:\Users\admin\Downloads\ac\mssqlaq.sysexecutable
MD5:B2233D1EFB0B7A897EA477A66CD08227
SHA256:5FD17E3B8827B5BB515343BC4066BE0814F6466FB4294501BECAC284A378C0DA
4108Dharma.exeC:\Users\admin\Downloads\ac\systembackup.battext
MD5:B4B2F1A6C7A905781BE7D877487FC665
SHA256:6246B0045CA11DA483E38317421317DC22462A8D81E500DEE909A5269C086B5F
4108Dharma.exeC:\Users\admin\Downloads\ac\unlocker.exeexecutable
MD5:5840AA36B70B7C03C25E5E1266C5835B
SHA256:09D7FCBF95E66B242FF5D7BC76E4D2C912462C8C344CB2B90070A38D27AAEF53
680mssql.exeC:\Users\admin\Downloads\ac\ljlvyjygunltfdh.sysexecutable
MD5:B2233D1EFB0B7A897EA477A66CD08227
SHA256:5FD17E3B8827B5BB515343BC4066BE0814F6466FB4294501BECAC284A378C0DA
680mssql.exeC:\Users\admin\Downloads\ac\axzhigrurgknxjlgh.sysexecutable
MD5:B2233D1EFB0B7A897EA477A66CD08227
SHA256:5FD17E3B8827B5BB515343BC4066BE0814F6466FB4294501BECAC284A378C0DA
680mssql.exeC:\Users\admin\Downloads\ac\btbojyrutchggnub.sysexecutable
MD5:B2233D1EFB0B7A897EA477A66CD08227
SHA256:5FD17E3B8827B5BB515343BC4066BE0814F6466FB4294501BECAC284A378C0DA
4108Dharma.exeC:\Users\admin\Downloads\ac\EVER\1saas\1sass.exeexecutable
MD5:0880430C257CE49D7490099D2A8DD01A
SHA256:056C3790765F928E991591CD139384B6680DF26313A73711ADD657ABC369028C
4108Dharma.exeC:\Users\admin\Downloads\ac\EVER\1saas\LogDelete.exeexecutable
MD5:6CA170ECE252721ED6CC3CFA3302D6F0
SHA256:F3A23E5E9A7CAEFCC81CFE4ED8DF93FF84D5D32C6C63CDBB09F41D84F56A4126
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
36
DNS requests
25
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7236
SIHClient.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7276
WINWORD.EXE
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
whitelisted
7236
SIHClient.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7276
WINWORD.EXE
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
3956
svchost.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
7816
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
3956
svchost.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
3956
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
4
System
192.168.100.255:137
whitelisted
7236
SIHClient.exe
20.109.210.53:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.174
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 2.16.253.202
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
officeclient.microsoft.com
  • 52.109.76.240
whitelisted
roaming.officeapps.live.com
  • 52.109.68.129
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Dharma.exe