{
	"id": "8a75050e-c7dc-4a15-9595-a7b7d4b2daae",
	"created_at": "2026-04-06T00:16:33.890842Z",
	"updated_at": "2026-04-10T03:20:07.207029Z",
	"deleted_at": null,
	"sha1_hash": "170729f020c1163c9e6fadbea4063456a45dd216",
	"title": "New Mimic Ransomware Abuses Everything APIs for its Encryption Process",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 470222,
	"plain_text": "New Mimic Ransomware Abuses Everything APIs for its\r\nEncryption Process\r\nBy Nathaniel Morales, Earle Maui Earnshaw, Don Ovid Ladores, Nick Dai, Nathaniel Gregory Ragasa\r\nPublished: 2023-01-26 · Archived: 2026-04-05 21:33:27 UTC\r\nRansomware\r\nRead time: 5 min (1240 words)\r\nTrend Micro researchers discovered a new ransomware that abuses the APIs of a legitimate tool called Everything,\r\na Windows filename search engine developed by Voidtools that offers quick searching and real-time updates for\r\nminimal resource usage. This ransomware (which we named Mimic based on a string found in its binaries)\r\nwas first observed in the wild in June 2022 and targets Russian- and English-speaking users. It is equipped with\r\nmultiple capabilities such as deleting shadow copies, terminating multiple applications and services, and abusing\r\nEverything32.dll functions to query the files that are to be encrypted.\r\nIn this blog entry, we take a closer look at the Mimic ransomware, its components and functions, and its\r\nconnection to the Conti builder that was leaked in early 2022.\r\nArrival and components\r\nMimic arrives as an executable that drops multiple binaries and a password-protected archive (disguised as\r\nEverything64.dll) which, when extracted, contains the ransomware payload. It also includes tools that are used for\r\nturning off Windows Defender, as well as legitimate sdel binaries. 
\r\nFilename | Description\r\n7za.exe | Legitimate 7-Zip executable used to extract the payload\r\nEverything.exe | Legitimate Everything application\r\nEverything32.dll | Legitimate Everything library\r\nEverything64.dll | Password-protected archive that contains the malicious payloads\r\nTable 1. Details of the Mimic ransomware components\r\nWhen executed, it first drops its components to the %Temp%\\7ZipSfx.000 folder. It then extracts the password-protected\r\nEverything64.dll to the same directory using the dropped 7za.exe via the following command:\r\n\"%Temp%\\7ZipSfx.000\\7za.exe\" x -y -p20475326413135730160 Everything64.dll\r\nIt also drops the session key file session.tmp to the same directory, which is used to resume encryption\r\nif the process is interrupted.\r\nIt then copies the dropped files to “%LocalAppData%\\{Random GUID}\\”, after which the ransomware binary is\r\nrenamed to bestplacetolive.exe and the original files are deleted from the %Temp% directory.\r\nBased on our analysis, Mimic supports the command line arguments shown in table 2.\r\nCmdline option | Acceptable values | Description\r\n-dir | file path to be encrypted | Directory for encryption\r\n-e | all | Encrypt all (default)\r\n-e | local | Encrypt local files\r\n-e | net | Encrypt files on network shares\r\n-e | watch | \r\n-e | ul1, ul2 | ul:unlocker. Creates a thread with interprocess communication and tries to unlock certain memory addresses from another process\r\n-prot |  | Protects the ransomware from being killed\r\n-pid | \u003cinteger\u003e | The process identifier (PID) of the previously-running ransomware\r\nTable 2. 
Arguments accepted by Mimic ransomware\r\nMimic ransomware analysis\r\nMimic ransomware runs multiple threads created with the CreateThread function, which speeds up encryption and\r\nmakes analysis more challenging for security researchers.\r\nWhen executed, it first registers a hotkey (Ctrl + F1, via the RegisterHotKey API) that displays the status\r\nlogs of the actions being performed by the ransomware.\r\nThe ransomware’s configuration is stored in its overlay and is decrypted with a bitwise NOT operation.\r\nFigure 8 shows a more thorough look at the config and its values.\r\nMimic ransomware possesses a plethora of capabilities, including the following:\r\nCollecting system information\r\nCreating persistence via the RUN key\r\nBypassing User Account Control (UAC)\r\nDisabling Windows Defender\r\nDisabling Windows telemetry\r\nActivating anti-shutdown measures\r\nActivating anti-kill measures\r\nUnmounting virtual drives\r\nTerminating processes and services\r\nDisabling sleep mode and shutdown of the system\r\nRemoving indicators\r\nInhibiting system recovery\r\nAbusing Everything32 APIs for encryption\r\nMimic uses Everything32.dll, the library of a legitimate Windows filename search engine that returns real-time\r\nresults for queries, in its encryption routine. 
It abuses the tool by querying certain file extensions and filenames through Everything’s APIs\r\nto retrieve each file’s path for encryption.\r\nIt uses the Everything_SetSearchW function to search for files to be encrypted or avoided using the following\r\nsearch format:\r\nfile:\u003cext:{list of extension}\u003efile:\u003c!endwith:{list of files/directory to avoid}\u003ewholefilename\u003c!{list of files to\r\navoid}\u003e\r\nThe query used by Mimic to search for files to be encrypted or avoided can be found here.\r\nIt then appends the .QUIETPLACE file extension to the encrypted files and, finally, displays the ransom note.\r\nCode from leaked Conti builder\r\nFrom our analysis, some parts of the code seem to be based on, and share several similarities with, the Conti\r\nransomware builder that was leaked in March 2022. For example, the enumeration of the encryption\r\nmodes uses the same integers in both Mimic and Conti.\r\nFigure 13. Similarities between Mimic (top) and the leaked Conti builder (bottom)\r\nThe code behind the net argument is also based on Conti. It uses the GetIpNetTable function to read the\r\nAddress Resolution Protocol (ARP) cache and checks whether the IP addresses contain “172.”, “192.168”, “10.”, or “169.”.\r\nMimic added a filter to exclude IP addresses that contain “169.254”, the range used by Automatic Private IP\r\nAddressing (APIPA).\r\nFigure 14. Comparison of the Mimic (top) and the leaked Conti builder (bottom) “net” argument\r\nMimic also reuses the Conti code for Windows share enumeration, where it employs the NetShareEnum function to\r\nenumerate all shares on the gathered IP addresses. 
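The Everything query format above decides which files the ransomware will touch, so it is worth seeing how the three clauses combine. The Python below is an added example (not code from the report or from the malware): it assembles a query string in the documented shape and emulates the same selection rule over a constructed set of paths. The extension and exclusion lists are placeholders invented for illustration; the real lists are only linked from the report. The emulation applies the endwith exclusion to every path component so that a listed directory shields the files under it, which is an assumption about how the query is meant to behave rather than a statement about Everything's matcher.

```python
from pathlib import PureWindowsPath

# Constructed placeholder lists. The real extension and exclusion lists used by
# Mimic are linked from the report and are not reproduced here.
TARGET_EXTENSIONS = ['docx', 'xlsx', 'pdf', 'jpg', 'sql']
AVOID_ENDWITH = ['Windows', 'Program Files', '.QUIETPLACE']
AVOID_WHOLENAME = ['bestplacetolive.exe', 'session.tmp', 'Everything64.dll']


def build_everything_query(exts, avoid_endwith, avoid_wholename):
    '''Assemble a search string in the shape the report documents:
    file:<ext:...>file:<!endwith:...>wholefilename<!...>
    In Everything syntax ; separates alternatives, ! negates a term and
    < > group terms; file: restricts results to files.'''
    return (
        'file:<ext:' + ';'.join(exts) + '>'
        + 'file:<!endwith:' + ';'.join(avoid_endwith) + '>'
        + 'wholefilename<!' + ';'.join(avoid_wholename) + '>'
    )


def would_be_encrypted(path, exts=TARGET_EXTENSIONS,
                       avoid_endwith=AVOID_ENDWITH,
                       avoid_wholename=AVOID_WHOLENAME):
    '''Emulate the selection the query expresses for one path.
    Assumption: the endwith exclusion is checked against every path
    component, so a listed directory name shields the files beneath it.'''
    p = PureWindowsPath(path)
    if p.suffix[1:].lower() not in {e.lower() for e in exts}:
        return False                      # not a targeted extension
    if p.name.lower() in {n.lower() for n in avoid_wholename}:
        return False                      # whole-filename exclusion
    lowered = [s.lower() for s in avoid_endwith]
    for part in p.parts:
        if any(part.lower().endswith(s) for s in lowered):
            return False                  # file or an ancestor directory is excluded
    return True


def select_targets(paths, **kwargs):
    '''Return the subset of paths the query would hand back for encryption.'''
    return [p for p in paths if would_be_encrypted(p, **kwargs)]


if __name__ == '__main__':
    # Constructed sample of what an Everything index might contain.
    sample = [
        'C:/Users/alice/Documents/report.docx',
        'C:/Users/alice/Documents/report.docx.QUIETPLACE',
        'C:/Windows/Temp/notes.docx',
        'C:/Users/alice/Pictures/holiday.png',
        'D:/shares/finance/ledger.xlsx',
        'C:/Users/alice/AppData/Local/x/session.tmp',
    ]
    print(build_everything_query(TARGET_EXTENSIONS, AVOID_ENDWITH, AVOID_WHOLENAME))
    for hit in select_targets(sample):
        print('would encrypt:', hit)
```

Two details stand out when the rule is run rather than read: a file that already carries the .QUIETPLACE suffix fails the extension test, so a second pass never double-encrypts, and a single directory name in the endwith list is enough to keep the malware out of system paths it needs intact to display its note.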
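The net-mode target selection described above is a substring test on the textual address, so besides the APIPA case the report calls out it also catches hosts that merely contain one of the fragments, such as any public 172.x.x.x address or one with a 10. octet in the middle. The following Python is an added example (not code from the report, Conti or Mimic) that reproduces the check on a constructed ARP-cache list and puts a numeric RFC 1918 test beside it so the over-match is visible; the sample addresses are invented for the demonstration.

```python
import ipaddress

# Constructed ARP-cache sample. On a live host the malware reads this table
# with GetIpNetTable; a defender sees the same entries with arp -a.
ARP_CACHE = [
    '10.0.0.5',          # RFC 1918
    '192.168.1.20',      # RFC 1918
    '172.16.4.9',        # RFC 1918
    '172.217.14.206',    # public, but contains the fragment 172.
    '198.18.10.4',       # benchmark range, but contains the fragment 10.
    '169.254.83.12',     # APIPA, dropped by the extra 169.254 filter
    '8.8.8.8',           # public, no matching fragment
    '224.0.0.251',       # multicast, no matching fragment
]

CONTI_FRAGMENTS = ('172.', '192.168', '10.', '169.')


def mimic_net_filter(addresses):
    '''Reproduce the check the report describes: a plain substring test for
    the Conti fragments, followed by the Mimic addition that discards any
    address containing 169.254.'''
    selected = []
    for addr in addresses:
        if any(frag in addr for frag in CONTI_FRAGMENTS) and '169.254' not in addr:
            selected.append(addr)
    return selected


RFC1918 = [ipaddress.ip_network(n)
           for n in ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]


def rfc1918_filter(addresses):
    '''Stricter alternative: keep only addresses inside the RFC 1918 blocks.
    Membership is tested numerically, so 172.217.x.x and 198.18.10.x are
    rejected and the link-local 169.254.0.0/16 range needs no special case.'''
    selected = []
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                      # skip malformed entries
        if any(ip in net for net in RFC1918):
            selected.append(addr)
    return selected


def over_targeted(addresses):
    '''Addresses the substring check would scan although they are not private.'''
    strict = set(rfc1918_filter(addresses))
    return [a for a in mimic_net_filter(addresses) if a not in strict]


if __name__ == '__main__':
    print('substring rule :', mimic_net_filter(ARP_CACHE))
    print('RFC 1918 rule  :', rfc1918_filter(ARP_CACHE))
    print('over-targeted  :', over_targeted(ARP_CACHE))
```

For an incident responder the practical consequence is that an infected host's share enumeration and port scanning are not confined to the local subnet: any neighbour in the ARP cache whose dotted string happens to contain one of the fragments is a candidate, and the remaining 169. fragment still admits non-APIPA 169.x.x.x hosts.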
\r\nFigure 15. Comparison of the Mimic (top) and the leaked Conti (bottom) share enumeration function\r\nFinally, Mimic’s port scanning is also based on the Conti builder.\r\nFigure 16. Comparison of the Mimic (top) and leaked Conti builder (bottom) port scanning function\r\nMore information about the behavior of Mimic ransomware can be found in this report.\r\nConclusion\r\nMimic ransomware, with its multiple bundled capabilities, seems to implement a new approach to speeding up its\r\nroutine by combining multiple running threads and abusing Everything’s APIs to enumerate the files it encrypts\r\n(minimizing resource usage and therefore executing more efficiently). Furthermore, the threat actor behind Mimic\r\nappears resourceful and technically adept, using a leaked ransomware builder to capitalize on its various\r\nfeatures and even improving on it for more effective attacks.\r\nTo protect systems from ransomware attacks, we recommend that both individual users and organizations\r\nimplement best practices such as data protection, backup, and recovery measures to secure data from\r\npossible encryption or erasure. Conducting regular vulnerability assessments and patching systems in a timely\r\nmanner can also minimize the damage dealt by ransomware that abuses exploits.\r\nA multilayered approach can help organizations guard possible entry points into the system (endpoint, email, web,\r\nand network). 
The right security solutions can also detect malicious components and suspicious behavior to\r\nprotect enterprises.\r\nTrend Micro Vision One™ provides multilayered protection and behavior detection, which\r\nhelps block questionable behavior and tools early on before the ransomware can do irreversible damage to\r\nthe system.\r\nTrend Micro Cloud One™ Workload Security protects systems against both known and unknown\r\nthreats that exploit vulnerabilities. This protection is made possible through techniques such as virtual\r\npatching and machine learning.\r\nTrend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced\r\nanalysis techniques to block malicious emails, including phishing emails that can serve as entry\r\npoints for ransomware.\r\nTrend Micro Apex One™ offers automated threat detection and response against\r\nadvanced concerns such as fileless threats and ransomware, protecting endpoints.\r\nIndicators of Compromise\r\nThe indicators of compromise for this entry can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html"
	],
	"report_names": [
		"new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434593,
	"ts_updated_at": 1775791207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/170729f020c1163c9e6fadbea4063456a45dd216.pdf",
		"text": "https://archive.orkl.eu/170729f020c1163c9e6fadbea4063456a45dd216.txt",
		"img": "https://archive.orkl.eu/170729f020c1163c9e6fadbea4063456a45dd216.jpg"
	}
}