5cbb6442c47708558da29588e0d8ef0b34c4716be4a47e7c715ea844fbcf60d7

Resubmissions

16/03/2025, 00:42

250316-a2mdxs1jv4 1

16/03/2025, 00:35

250316-axnq7azrv5 10

16/03/2025, 00:32

250316-avvfyszrs2 6

Analysis

max time kernel
149s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16/03/2025, 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NoMoreRansom.zip
Size

916KB
MD5

f315e49d46914e3989a160bbcfc5de85
SHA1

99654bfeaad090d95deef3a2e9d5d021d2dc5f63
SHA256

5cbb6442c47708558da29588e0d8ef0b34c4716be4a47e7c715ea844fbcf60d7
SHA512

224747b15d0713afcb2641f8f3aa1687516d42e045d456b3ed096a42757a6c10c6626672366c9b632349cf6ffe41011724e6f4b684837de9b719d0f351dfd22e
SSDEEP

24576:+FhIdZxByAl+XiqNk6n3DaeCTLD1yilc7KrBVw1lFVFDqE/zQRsAOfySS:AhAgo2ikhryLD1hcerklFVhqEMiAuySS

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298 = "Personalize Handwriting Recognition"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10054 = "Chess Titans"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10054 = "Chess Titans"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a05d5a150b96db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\pmcsnap.dll,-700 = "Print Management"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\sdcpl.dll,-100 = "Backup and restore your files and system. Monitor latest backup status and configuration."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Msinfo32.exe,-130 = "Display detailed information about your computer."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mstsc.exe,-4001 = "Use your computer to connect to a computer that is located elsewhere and run programs or access files."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\odbcint.dll,-1312 = "Maintains ODBC data sources and drivers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000 = "Sync Center"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\NetProjW.dll,-511 = "Display your desktop on a network projector."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sdcpl.dll,-101 = "Backup and Restore"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320 = "Connect to a Projector"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-108 = "Penguins"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mblctr.exe,-1004 = "Opens the Windows Mobility Center so you can adjust display brightness, volume, power options, and other mobile PC settings."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\wucltux.dll,-2 = "Delivers software updates and drivers, and provides automatic updating options."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SoundRecorder.exe,-100 = "Sound Recorder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10305 = "Hearts is a trick-based card game in which the goal is to get rid of cards while avoiding points. The player with the lowest number of points wins."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10058 = "Purble Place"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10057 = "Minesweeper"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\Speech\SpeechUX\sapi.cpl,-5555 = "Windows Speech Recognition"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\AuthFWGP.dll,-20 = "Windows Firewall with Advanced Security"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\mycomput.dll,-112 = "Manages disks and provides access to other tools to manage local and remote computers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\wdc.dll,-10031 = "Monitor the usage and performance of the following resources in real time: CPU, Disk, Network and Memory."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\syncCenter.dll,-3001 = "Sync files between your computer and network folders"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-4 = "Windows Media Player"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\FXSRESM.dll,-115 = "Send and receive faxes or scan pictures and documents."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291 = "Math Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Filemgmt.dll,-602 = "Starts, stops, and configures Windows services."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\DVD Maker\DVDMaker.exe,-61403 = "Windows DVD Maker"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000002dc1240b96db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wsecedit.dll,-718 = "Local Security Policy"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\MdSched.exe,-4002 = "Check your computer for memory problems."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\iscsicpl.dll,-5001 = "iSCSI Initiator"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10103 = "Internet Spades"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10055 = "FreeCell"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-202 = "Schedule computer tasks to run automatically."	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
580	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	580	taskmgr.exe
Token: SeManageVolumePrivilege	2616	SearchIndexer.exe
Token: 33	2616	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2616	SearchIndexer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe
580	taskmgr.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
2120	SearchProtocolHost.exe
2120	SearchProtocolHost.exe
2120	SearchProtocolHost.exe
2120	SearchProtocolHost.exe
2120	SearchProtocolHost.exe
1596	SearchProtocolHost.exe
1596	SearchProtocolHost.exe
1596	SearchProtocolHost.exe
1596	SearchProtocolHost.exe
1596	SearchProtocolHost.exe
1596	SearchProtocolHost.exe
2120	SearchProtocolHost.exe
1596	SearchProtocolHost.exe
1596	SearchProtocolHost.exe
1596	SearchProtocolHost.exe
1596	SearchProtocolHost.exe
1596	SearchProtocolHost.exe
1596	SearchProtocolHost.exe
1596	SearchProtocolHost.exe
1596	SearchProtocolHost.exe
1596	SearchProtocolHost.exe
1596	SearchProtocolHost.exe
1596	SearchProtocolHost.exe
1596	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 2120	2616	SearchIndexer.exe	35
PID 2616 wrote to memory of 2120	2616	SearchIndexer.exe	35
PID 2616 wrote to memory of 2120	2616	SearchIndexer.exe	35
PID 2616 wrote to memory of 2140	2616	SearchIndexer.exe	36
PID 2616 wrote to memory of 2140	2616	SearchIndexer.exe	36
PID 2616 wrote to memory of 2140	2616	SearchIndexer.exe	36
PID 2616 wrote to memory of 1596	2616	SearchIndexer.exe	37
PID 2616 wrote to memory of 1596	2616	SearchIndexer.exe	37
PID 2616 wrote to memory of 1596	2616	SearchIndexer.exe	37
PID 2616 wrote to memory of 2956	2616	SearchIndexer.exe	41
PID 2616 wrote to memory of 2956	2616	SearchIndexer.exe	41
PID 2616 wrote to memory of 2956	2616	SearchIndexer.exe	41

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\NoMoreRansom.zip
1⤵
PID:1084

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2704

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:580

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2120
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
  2⤵
  - Modifies data under HKEY_USERS
  PID:2140
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1596
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
  2⤵
  PID:2956

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
51da34a4f22540e7676f7e66bbb3d544

SHA1
963a8594079797affc9f8761097d2923fbdaaa79

SHA256
9f28ece875b6bbe68f45aa53fc6d82f4891ba8112988e67c9d09c564ff6fced6

SHA512
33cc454adcbf59703a93e68a0523ff49a6e5dea120cfb16f4e5b74417b0bff426e8cf6c6adca7cc92c2a7f65ce626e7eece84b8f3f5c4199afce2a7a6c6f524f

Download Submit
memory/580-0-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/580-68-0x0000000001FE0000-0x0000000001FF0000-memory.dmp

Filesize
64KB

Download
memory/580-65-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2616-46-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/2616-73-0x0000000003280000-0x0000000003288000-memory.dmp

Filesize
32KB

Download
memory/2616-52-0x0000000001130000-0x0000000001138000-memory.dmp

Filesize
32KB

Download
memory/2616-54-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/2616-63-0x0000000002B90000-0x0000000002B98000-memory.dmp

Filesize
32KB

Download
memory/2616-1-0x0000000001780000-0x0000000001790000-memory.dmp

Filesize
64KB

Download
memory/2616-17-0x0000000001880000-0x0000000001890000-memory.dmp

Filesize
64KB

Download
memory/2616-40-0x0000000001130000-0x0000000001138000-memory.dmp

Filesize
32KB

Download
memory/2616-77-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/2616-83-0x0000000003600000-0x0000000003608000-memory.dmp

Filesize
32KB

Download
memory/2616-84-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/2616-87-0x00000000035F0000-0x00000000035F8000-memory.dmp

Filesize
32KB

Download
memory/2616-89-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/2616-97-0x0000000005210000-0x0000000005218000-memory.dmp

Filesize
32KB

Download
memory/2616-98-0x0000000005270000-0x0000000005278000-memory.dmp

Filesize
32KB

Download
memory/2616-99-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download