hakbit | 9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2

Analysis

max time kernel
170s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
31-01-2022 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
Size

199KB
MD5

39c2a62f7024297c25f9a7b4157aba4c
SHA1

30c5c20fbfbd60442b963109ab257ee1969f7f88
SHA256

9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2
SHA512

502ef61a42a3575227284dcb43b2936772de9f97bec98345f0b9c93ae66c861d451440a07d8f86fb3130d499dc5bc56d3c5398c38346e6b3aa3c7614d9069236

Score

10^/10

hakbit persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Ransom Note

Atention! all your important files were encrypted! to get your files back you have to send Bitcoins and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: [email protected]. Bitcoin wallet to make the transfer to is: 1MYNpqa9CKnjvcvxd25iB7qxxeZbfWsBzP Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ hzqjGuzQ7/r+2HJj6VC4GV/HaM45Q8DtOcIp2HiHxz4Njc9uX7v7K3Xgjp9oMms44DoGYh1Qy7FAEpyMMx6IOrRkEJ61nwkXSlhSc1GLmg5Lk0PdKsd9bbcrSlsTzv6b+bD1ZFcYgptdzKIp1Wb7kPDqPKE8uwhaWYU2pg5PNW9AAM3icPz4PFcpwBZI7G2B52cKa+yh32CPk5KWpKaZlaLjOaXe+4IzgCCbemnZ9+Zorn02SJuSL8w8/7LsCCc+mrfU922L135ikrdnS7hht1EngyuM6zClwlzL/68rZZg8KIA70haa3d3PkEwo401sVSZSgl9wbw0fkzBTJv9l/Q== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Number of files that you could have potentially lost forever can be as high as: payment): 4

Emails

[email protected]

Wallets

1MYNpqa9CKnjvcvxd25iB7qxxeZbfWsBzP

Signatures

Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3800 set thread context of 3896	3800	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	66

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 3 IoCs

evasion

pid	Process
224	taskkill.exe
1876	taskkill.exe
2808	taskkill.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3504	notepad.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3800	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
3800	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
3800	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
3800	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3800	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
Token: SeDebugPrivilege	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
Token: SeDebugPrivilege	224	taskkill.exe
Token: SeDebugPrivilege	1876	taskkill.exe
Token: SeDebugPrivilege	2808	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3800 wrote to memory of 3600	3800	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	64
PID 3800 wrote to memory of 3600	3800	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	64
PID 3800 wrote to memory of 3600	3800	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	64
PID 3800 wrote to memory of 1288	3800	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	65
PID 3800 wrote to memory of 1288	3800	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	65
PID 3800 wrote to memory of 1288	3800	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	65
PID 3800 wrote to memory of 3896	3800	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	66
PID 3800 wrote to memory of 3896	3800	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	66
PID 3800 wrote to memory of 3896	3800	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	66
PID 3800 wrote to memory of 3896	3800	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	66
PID 3800 wrote to memory of 3896	3800	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	66
PID 3800 wrote to memory of 3896	3800	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	66
PID 3800 wrote to memory of 3896	3800	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	66
PID 3800 wrote to memory of 3896	3800	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	66
PID 3896 wrote to memory of 3872	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	67
PID 3896 wrote to memory of 3872	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	67
PID 3896 wrote to memory of 3872	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	67
PID 3872 wrote to memory of 2516	3872	net.exe	69
PID 3872 wrote to memory of 2516	3872	net.exe	69
PID 3872 wrote to memory of 2516	3872	net.exe	69
PID 3896 wrote to memory of 1840	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	70
PID 3896 wrote to memory of 1840	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	70
PID 3896 wrote to memory of 1840	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	70
PID 1840 wrote to memory of 2132	1840	net.exe	72
PID 1840 wrote to memory of 2132	1840	net.exe	72
PID 1840 wrote to memory of 2132	1840	net.exe	72
PID 3896 wrote to memory of 4088	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	73
PID 3896 wrote to memory of 4088	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	73
PID 3896 wrote to memory of 4088	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	73
PID 4088 wrote to memory of 3360	4088	net.exe	75
PID 4088 wrote to memory of 3360	4088	net.exe	75
PID 4088 wrote to memory of 3360	4088	net.exe	75
PID 3896 wrote to memory of 1244	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	76
PID 3896 wrote to memory of 1244	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	76
PID 3896 wrote to memory of 1244	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	76
PID 1244 wrote to memory of 1248	1244	net.exe	78
PID 1244 wrote to memory of 1248	1244	net.exe	78
PID 1244 wrote to memory of 1248	1244	net.exe	78
PID 3896 wrote to memory of 1632	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	79
PID 3896 wrote to memory of 1632	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	79
PID 3896 wrote to memory of 1632	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	79
PID 1632 wrote to memory of 3436	1632	net.exe	81
PID 1632 wrote to memory of 3436	1632	net.exe	81
PID 1632 wrote to memory of 3436	1632	net.exe	81
PID 3896 wrote to memory of 3468	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	82
PID 3896 wrote to memory of 3468	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	82
PID 3896 wrote to memory of 3468	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	82
PID 3896 wrote to memory of 912	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	84
PID 3896 wrote to memory of 912	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	84
PID 3896 wrote to memory of 912	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	84
PID 3896 wrote to memory of 3952	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	86
PID 3896 wrote to memory of 3952	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	86
PID 3896 wrote to memory of 3952	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	86
PID 3896 wrote to memory of 2744	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	88
PID 3896 wrote to memory of 2744	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	88
PID 3896 wrote to memory of 2744	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	88
PID 3896 wrote to memory of 224	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	90
PID 3896 wrote to memory of 224	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	90
PID 3896 wrote to memory of 224	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	90
PID 3896 wrote to memory of 1876	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	92
PID 3896 wrote to memory of 1876	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	92
PID 3896 wrote to memory of 1876	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	92
PID 3896 wrote to memory of 2808	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	94
PID 3896 wrote to memory of 2808	3896	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	94

C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
"C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3800
- C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
  "C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe"
  2⤵
  PID:3600
- C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
  "C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe"
  2⤵
  PID:1288
- C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
  "C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop avpsus /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3872
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop avpsus /y
      4⤵
      PID:2516
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop McAfeeDLPAgentService /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
      4⤵
      PID:2132
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop mfewc /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop mfewc /y
      4⤵
      PID:3360
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BMR Boot Service /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BMR Boot Service /y
      4⤵
      PID:1248
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop NetBackup BMR MTFTP Service /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
      4⤵
      PID:3436
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    PID:3468
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:912
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    PID:3952
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:224
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1876
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2808
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3504
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
    3⤵
    PID:3924
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:2304

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 81bf57d6effcaa8c73fc8e38da33526d Uw/7oEepo0arbvGyPr1SyQ.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:3968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3800-130-0x0000000000D30000-0x0000000000D68000-memory.dmp

Filesize
224KB

Download
memory/3800-131-0x000000000DA10000-0x000000000DFB4000-memory.dmp

Filesize
5.6MB

Download
memory/3800-132-0x000000000D500000-0x000000000D592000-memory.dmp

Filesize
584KB

Download
memory/3800-133-0x0000000004990000-0x0000000004C50000-memory.dmp

Filesize
2.8MB

Download
memory/3800-134-0x000000000D4B0000-0x000000000D4BA000-memory.dmp

Filesize
40KB

Download
memory/3800-135-0x000000000D710000-0x000000000D786000-memory.dmp

Filesize
472KB

Download
memory/3800-259-0x00000000008C0000-0x00000000008DE000-memory.dmp

Filesize
120KB

Download
memory/3896-260-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3896-261-0x0000000004960000-0x0000000004971000-memory.dmp

Filesize
68KB

Download