CodePage Modification Via MODE.COM To Russian Language

Sigma Rules

Summary
This rule detects modification of the console code page via the "mode.com" utility, specifically changes to the Russian code page. The behavior is associated with threat actors, particularly those linked to Dharma ransomware, who may use this technique to evade detection while executing malicious activities. By checking process creation logs for commands that include the specified strings and conditions, the rule identifies unauthorized or suspicious use of the mode command that signifies a switch to the Russian code page. The detection focuses on execution of the mode command with parameters indicative of Russian code page settings, enabling organizations to respond to possible evasive actions by an attacker.
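The matching logic described above, applied to constructed process-creation events, as an added example that is not the rule's own Sigma source: it keys on a `mode.com` image and a `con cp select=` command line whose code page is one of the Russian ones (1251 for Windows Cyrillic, 866 for the DOS/OEM Russian page); the event field names and the exact string conditions are assumptions, not copied from the rule.

```python
import re

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mode.com",
     "CommandLine": "mode con cp select=1251"},           # Windows Cyrillic
    {"Image": r"C:\Windows\System32\mode.com",
     "CommandLine": "MODE CON: CP SELECT=866"},           # OEM Russian
    {"Image": r"C:\Windows\System32\mode.com",
     "CommandLine": "mode con cp select=437"},            # US page, benign
    {"Image": r"C:\Windows\System32\mode.com",
     "CommandLine": "mode con cols=120 lines=40"},        # no code page change
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c echo 1251"},                  # wrong image
]

# Assumed set of Russian code pages the detection cares about.
RUSSIAN_CODEPAGES = {"1251", "866"}

# "con cp select=NNNN", tolerating the optional colon after CON, extra
# whitespace and any letter case, since mode.com accepts all of these.
_CP_SELECT = re.compile(r"\bcon:?\s+cp\s+select\s*=\s*(\d+)", re.IGNORECASE)


def is_russian_codepage_switch(event):
    """True when the event is mode.com selecting a Russian console code page."""
    image = event.get("Image", "")
    if not image.lower().endswith("\\mode.com"):
        return False
    match = _CP_SELECT.search(event.get("CommandLine", ""))
    return bool(match) and match.group(1) in RUSSIAN_CODEPAGES


def find_matches(events):
    """Return the command lines of all events the detection fires on."""
    return [e["CommandLine"] for e in events if is_russian_codepage_switch(e)]


if __name__ == "__main__":
    for cmd in find_matches(SAMPLE_EVENTS):
        print("ALERT:", cmd)
```

Because `mode.com` is spawned as its own process, a `cmd /c mode con cp select=1251` still produces a separate `mode.com` process-creation event that this check sees; the benign 437 case and unrelated `mode` usage are intentionally left unmatched.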
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Command
Created: 2024-01-17