
Medusa.D Ransomware

By CagedTech in Ransomware

Analysis Report

General information

Family Name: Medusa.D Ransomware
Signature status: No Signature

Known Samples

MD5: 0ca1ad241b53091cc3cc2666c0fc42a4
SHA1: 2cceda840a5f2a10decd2ee7f78772201d0a77c9
File Size: 753.66 KB, 753664 bytes

MD5: 9c56edeff11daddbd4b18ac738a591a4
SHA1: 2bcf5748736a70e565a3e1d65abf949140e1214b
SHA256: 8A3A8715BFB5218770AB9D97CE552C0E2F415B895B90339735ED1A1A93355F69
File Size: 753.66 KB, 753664 bytes

MD5: cd2424e55fdcba12cd9ddda9c8c2b283
SHA1: 1bebe5278bee9c8ad73522685bf8562f83fd9f46
SHA256: C966ACE15BECE19A119231DFAA2494F14200647FC7CB225667FB22CBB41436FD
File Size: 757.76 KB, 757760 bytes

MD5: b941e4278a9ef3e536b7941cd8524956
SHA1: b18589d377839d0e654ebdb5daaf432b2e8af939
SHA256: 63B1AB3FCBD10CC95593FAEAF57BED9565189F203ED249F69CCB37A97BE30339
File Size: 761.86 KB, 761856 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have exports table
  • File doesn't have security information
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Traits

  • GetConsoleWindow
  • HighEntropy
  • No Version Info
  • x64

Block Information

Total Blocks: 2,060
Potentially Malicious Blocks: 153
Whitelisted Blocks: 1,907
Unknown Blocks: 0

Visual Map

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x x x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x 0 x 0 x x 0 0 x x x 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x x x x x x 0 0 x 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 x 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 x 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 x x x x 0 0 x x 0 x x x x x x x x x x x x x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x 0 0 1 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x x x x 0 0 0 0 0 0 x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 x 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 x 0 0 x x x x x x x x x 0 0 0 0 0 0 x x x x x 0 x x 0 0 0 0 0 0 0 0 0 x x x 0 x x x x x x 
x x 0 0 0 x 0 0 0 0 0 x x x x x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 0 1 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x x x 0 0 0 0 x 0 x 0 x 0 0 0 0 0 0 x 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 x 0 x x x x x x x x x 0 0 
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Medusa.D

Files Modified

File Attributes
\device\namedpipe\dav rpc service Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\wkssvc Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\$recycle.bin\how_to_recover_data.html Generic Write,Read Attributes
c:\$recycle.bin\read_note.html Generic Write,Read Attributes
c:\$recycle.bin\recovery_readme.html Generic Write,Read Attributes
c:\$winreagent\how_to_recover_data.html Generic Write,Read Attributes
c:\$winreagent\read_note.html Generic Write,Read Attributes
c:\$winreagent\recovery_readme.html Generic Write,Read Attributes
c:\bootmgr Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\bootmgr Synchronize,Write Attributes
c:\bootmgr.cryfile2 Synchronize,Write Data
c:\bootmgr.karma1 Synchronize,Write Data
c:\bootmgr.prey01 Synchronize,Write Data
c:\dumpstack.log.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\how_to_recover_data.html Generic Write,Read Attributes
c:\program files\common files\how_to_recover_data.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\how_to_recover_data.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\alphabet.xml Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\alphabet.xml.cryfile2 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\alphabet.xml.prey01 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\ar-sa\how_to_recover_data.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\ar-sa\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\ar-sa\tipresx.dll.mui Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\ar-sa\tipresx.dll.mui.cryfile2 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\ar-sa\tipresx.dll.mui.prey01 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\bg-bg\how_to_recover_data.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\bg-bg\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\bg-bg\tipresx.dll.mui Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\bg-bg\tipresx.dll.mui.cryfile2 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\bg-bg\tipresx.dll.mui.prey01 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\content.xml Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\content.xml.cryfile2 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\content.xml.prey01 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\cs-cz\how_to_recover_data.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\cs-cz\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\cs-cz\tipresx.dll.mui Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\cs-cz\tipresx.dll.mui.cryfile2 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\cs-cz\tipresx.dll.mui.prey01 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\da-dk\how_to_recover_data.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\da-dk\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\da-dk\tipresx.dll.mui Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\da-dk\tipresx.dll.mui.cryfile2 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\da-dk\tipresx.dll.mui.prey01 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\de-de\how_to_recover_data.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\de-de\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\de-de\tipresx.dll.mui Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\de-de\tipresx.dll.mui.cryfile2 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\de-de\tipresx.dll.mui.prey01 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\el-gr\how_to_recover_data.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\el-gr\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\el-gr\tipresx.dll.mui Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\el-gr\tipresx.dll.mui.cryfile2 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\el-gr\tipresx.dll.mui.prey01 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\en-gb\how_to_recover_data.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\en-gb\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\en-gb\tipresx.dll.mui Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\en-gb\tipresx.dll.mui.cryfile2 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\en-gb\tipresx.dll.mui.prey01 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\en-us\how_to_recover_data.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\en-us\inkobj.dll.mui Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\en-us\inkobj.dll.mui.cryfile2 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\en-us\inkobj.dll.mui.prey01 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\en-us\inputpersonalization.exe.mui Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\en-us\inputpersonalization.exe.mui.cryfile2 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\en-us\inputpersonalization.exe.mui.prey01 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\en-us\micaut.dll.mui Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\en-us\micaut.dll.mui.cryfile2 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\en-us\micaut.dll.mui.prey01 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\en-us\mip.exe.mui Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\en-us\mip.exe.mui.cryfile2 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\en-us\mip.exe.mui.prey01 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\en-us\mshwlatin.dll.mui Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\en-us\mshwlatin.dll.mui.cryfile2 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\en-us\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\en-us\rtscom.dll.mui Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\en-us\rtscom.dll.mui.cryfile2 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\en-us\shapecollector.exe.mui Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\en-us\shapecollector.exe.mui.cryfile2 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\en-us\tabskb.dll.mui Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\en-us\tabskb.dll.mui.cryfile2 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\en-us\tabtip.exe.mui Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\en-us\tabtip.exe.mui.cryfile2 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\en-us\tipres.dll.mui Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\en-us\tipres.dll.mui.cryfile2 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\en-us\tipresx.dll.mui Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\en-us\tipresx.dll.mui.cryfile2 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\en-us\tiptsf.dll.mui Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\en-us\tiptsf.dll.mui.cryfile2 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\es-es\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\es-es\tipresx.dll.mui Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\es-es\tipresx.dll.mui.cryfile2 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\es-mx\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\es-mx\tipresx.dll.mui Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\es-mx\tipresx.dll.mui.cryfile2 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\et-ee\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\et-ee\tipresx.dll.mui Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\et-ee\tipresx.dll.mui.cryfile2 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\fi-fi\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\fi-fi\tipresx.dll.mui Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\fi-fi\tipresx.dll.mui.cryfile2 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\fr-ca\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\fr-ca\tipresx.dll.mui Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\fr-ca\tipresx.dll.mui.cryfile2 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\fr-fr\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\fr-fr\tipresx.dll.mui Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\fr-fr\tipresx.dll.mui.cryfile2 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml.cryfile2 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\fsdefinitions\auxpad\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\fsdefinitions\insert\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\fsdefinitions\keypad\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\fsdefinitions\main.xml Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\fsdefinitions\main\base.xml Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\fsdefinitions\main\base.xml.cryfile2 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.cryfile2 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\fsdefinitions\main\base_ca.xml Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\fsdefinitions\main\base_ca.xml.cryfile2 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\fsdefinitions\main\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\fsdefinitions\oskclearui\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\fsdefinitions\oskmenu\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml.cryfile2 Synchronize,Write Data
c:\program files\common files\microsoft shared\ink\fsdefinitions\osknav\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\fsdefinitions\osknumpad\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\fsdefinitions\oskpred\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\fsdefinitions\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\fsdefinitions\symbols\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\he-il\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\he-il\tipresx.dll.mui Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\how_to_recover_data.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\hr-hr\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\hr-hr\tipresx.dll.mui Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\hu-hu\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\hu-hu\tipresx.dll.mui Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\hwrcommonlm.dat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\hwrenclm.dat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\hwrenuslm.dat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\hwrlatinlm.dat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\hwrusash.dat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\ipsar.xml Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\it-it\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\ja-jp\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\ko-kr\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\lt-lt\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\lv-lv\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\ink\read_note.html Generic Write,Read Attributes
c:\program files\common files\microsoft shared\read_note.html Generic Write,Read Attributes
c:\program files\common files\read_note.html Generic Write,Read Attributes
c:\program files\how_to_recover_data.html Generic Write,Read Attributes
c:\program files\read_note.html Generic Write,Read Attributes
c:\read_note.html Generic Write,Read Attributes
c:\recovery\reagentold.xml Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\recovery\reagentold.xml.karma1 Synchronize,Write Data
c:\recovery\recovery_readme.html Generic Write,Read Attributes
c:\recovery_readme.html Generic Write,Read Attributes
c:\sandbox_local\d0bd0ef4dd0f58bc483ef23772ca1b08bfeaa926_0003367424 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\sandbox_local\d0bd0ef4dd0f58bc483ef23772ca1b08bfeaa926_0003367424.karma1 Synchronize,Write Data
c:\sandbox_local\recovery_readme.html Generic Write,Read Attributes
c:\sandbox_stage\logs\recovery_readme.html Generic Write,Read Attributes
c:\sandbox_stage\mnt\nas\recovery_readme.html Generic Write,Read Attributes
c:\sandbox_stage\mnt\recovery_readme.html Generic Write,Read Attributes
c:\sandbox_stage\recovery_readme.html Generic Write,Read Attributes
c:\users\user\downloads\output.bmp Generic Write,Read Attributes
c:\windows\logs\windowsbackup\wbengine.0.etl Generic Read,Write Data
c:\windows\logs\windowsbackup\wbengine.1.etl Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\windows\logs\windowsbackup\wbengine.1.etl Synchronize,Write Data
c:\windows\logs\windowsbackup\wbengine.2.etl Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\windows\logs\windowsbackup\wbengine.3.etl Generic Read,Write Data,Write Attributes,Write extended,Append data

Registry Modifications

Key::Value Data API Name
HKCU\software\paidmemes::public BgIAAACkAABSU0ExAAgAAAEAAQBdlvMoWaw8Cveru6mXj3gjgz32DEJbs5bKQxwKFQluPv5OU30Tq6AOtyfwZHJjkmI97aVqZT3r2EMrFVScMn8v6y8OWdTFOwJZP0xb RegNtPreCreateKey
HKCU\software\paidmemes::private VtTm+U5NQ1RFeVl0N51TaB0s0gkAX0O2AYnLyQDhZR4DgLmqJiBe0htvw0kUJAEVEYsgBlKfcX/B0mTDUSb0PzdLxcHn2D3b5obgKttoldZI6eItFReKtteBP7Gla+ot RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::babylockerkz "c:\users\user\downloads\2cceda840a5f2a10decd2ee7f78772201d0a77c9_0000753664" RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 蓥ؽǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 밟蓫ؽǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 蔇ؽǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 蝍蕔ؽǜ RegNtPreCreateKey
HKCU\software\paidmemes::public BgIAAACkAABSU0ExAAgAAAEAAQBBCBSoGjBYqlFa0WcL7u1nqg2xrh0p3HeYez1Ho4Xaa158+tNWMCYSEMNrEQYeuWaR/bzuLO8eNiW10o8NDdil0bvOoKZbkDCf0E7i RegNtPreCreateKey
HKCU\software\paidmemes::private vs0HC68Wiz6K6PHdLcfE801s+SKX8U9Cx22Byk7MnOT461W5umU99MuUU7YQ6yxLHTySgxw+1WbL5EfNRBj6YihLS63DiWpBMdHiFacybUV0MHTfA32K6/nx5xRlOHnZ RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::babylockerkz "c:\users\user\downloads\1bebe5278bee9c8ad73522685bf8562f83fd9f46_0000757760" RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe ଟ쁛勠ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 삅勠ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe ࢧ삙勠ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 谺섞勠ǜ RegNtPreCreateKey
HKCU\software\paidmemes::public BgIAAACkAABSU0ExAAgAAAEAAQDt0toaX8W41GmygPvyyCxUB+yh6r2siHiZggwNls+7BKz5z63KPXUJtpScEHLbuU4KrqFn4Wqn/agdEPBIp7wrcnuAM/1NSUmj/Ug1 RegNtPreCreateKey
HKCU\software\paidmemes::private ygwt79Q2nswSxW4F9PzuU3Wqs6TRm/k6Uf9zebLk128jj/fVVGuB/EtSs0AeVrWv3yCPxXR+XLzRBMX1m+mSX9/7PLiz2iRaIUMUCASnD2Fc7q2ZudjH5FyeKapyA8Iq RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::babylockerkz "c:\users\user\downloads\b18589d377839d0e654ebdb5daaf432b2e8af939_0000761856" RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe ሬ熬ꍝǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 锷爱ꍝǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe Ớ爻ꍝǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 牞ꍝǜ RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtPowerInformation
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSetValueKey
  • ntdll.dll!NtTerminateProcess
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtTraceEvent
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForMultipleObjects
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • ntdll.dll!NtYieldExecution
  • UNKNOWN
  • win32u.dll!NtGdiCreateCompatibleBitmap
  • win32u.dll!NtGdiCreateCompatibleDC
  • win32u.dll!NtGdiCreateSolidBrush
  • win32u.dll!NtGdiDeleteObjectApp
  • win32u.dll!NtGdiExtGetObjectW
  • win32u.dll!NtGdiGetBitmapBits
  • win32u.dll!NtGdiGetCharSet
  • win32u.dll!NtGdiGetGlyphIndicesW
  • win32u.dll!NtGdiGetRealizationInfo
  • win32u.dll!NtGdiGetWidthTable
  • win32u.dll!NtGdiHfontCreate
  • win32u.dll!NtGdiPolyPatBlt
  • win32u.dll!NtGdiQueryFontAssocInfo
  • win32u.dll!NtGdiSelectBitmap
  • win32u.dll!NtUserGetKeyboardLayout
  • win32u.dll!NtUserGetThreadState
Encryption Used
  • BCryptOpenAlgorithmProvider
  • CryptAcquireContext
Network Urlomon
  • URLDownloadToFile
User Data Access
  • GetComputerName
  • GetComputerNameEx
Keyboard Access
  • GetAsyncKeyState
Process Shell Execute
  • CreateProcess
Process Manipulation Evasion
  • NtUnmapViewOfSection

Shell Command Execution

\\?\C:\WINDOWS\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
\\?\C:\WINDOWS\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
\\?\C:\WINDOWS\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive"
\\?\C:\WINDOWS\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive"
C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
C:\WINDOWS\system32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
C:\WINDOWS\system32\wbadmin.exe wbadmin delete backup -keepVersion:0 -quiet
C:\WINDOWS\System32\Wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive"
C:\WINDOWS\system32\bcdedit.exe bcdedit.exe /set {default} recoverynabled No
