up

_posts/Malware Analyze/2023-12-31-dharma-ransomware-family.md

@@ -47,7 +47,7 @@ Here is the table for better presentation; we will try to examine each of the po
 |------------|------------------------------------------------------------|--------------------------------------------------------|
 | MALICIOUS  | Drops the executable file immediately after the start    | 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3876), 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3960) |
 | MALICIOUS  | [Create files in the Startup directory](#startup)                     | 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3876), 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3960) |
-| MALICIOUS  | Deletes shadow copies                                      | cmd.exe (PID: 2320), cmd.exe (PID: 7020), cmd.exe (PID: 5220) |
+| MALICIOUS  | [Deletes shadow copies](#delete-shadow)                                      | cmd.exe (PID: 2320), cmd.exe (PID: 7020), cmd.exe (PID: 5220) |
 | MALICIOUS  | [Creates a writable file in the system directory](#startup)           | 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3960) |
 | MALICIOUS  | Actions looks like stealing of personal data               | 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3960) |
 | SUSPICIOUS | [Starts CMD.EXE for commands execution](#delete-shadow)                     | 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3876), 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3960) |
@@ -257,3 +257,7 @@ C:\\Windows\\system32\\cmd.exe" "mode con cp select=1251\nvssadmin delete shadow
 <a id="read-computer-name"></a>
 
 ![image](/images/dharma/dharma-10.png)
+
+## Encryption files
+
+![image](/images/dharma/dharma-crypt-file.png)