description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	h13Dw68.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	h13Dw68.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	h13Dw68.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	h13Dw68.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	h13Dw68.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	h13Dw68.exe

resource	yara_rule
behavioral2/memory/940-155-0x0000000004C20000-0x0000000004C5E000-memory.dmp	family_redline
behavioral2/memory/940-156-0x0000000004C20000-0x0000000004C5E000-memory.dmp	family_redline
behavioral2/memory/940-158-0x0000000004C20000-0x0000000004C5E000-memory.dmp	family_redline
behavioral2/memory/940-160-0x0000000004C20000-0x0000000004C5E000-memory.dmp	family_redline
behavioral2/memory/940-162-0x0000000004C20000-0x0000000004C5E000-memory.dmp	family_redline
behavioral2/memory/940-164-0x0000000004C20000-0x0000000004C5E000-memory.dmp	family_redline
behavioral2/memory/940-166-0x0000000004C20000-0x0000000004C5E000-memory.dmp	family_redline
behavioral2/memory/940-168-0x0000000004C20000-0x0000000004C5E000-memory.dmp	family_redline
behavioral2/memory/940-170-0x0000000004C20000-0x0000000004C5E000-memory.dmp	family_redline
behavioral2/memory/940-172-0x0000000004C20000-0x0000000004C5E000-memory.dmp	family_redline
behavioral2/memory/940-174-0x0000000004D10000-0x0000000004D20000-memory.dmp	family_redline
behavioral2/memory/940-176-0x0000000004C20000-0x0000000004C5E000-memory.dmp	family_redline
behavioral2/memory/940-179-0x0000000004C20000-0x0000000004C5E000-memory.dmp	family_redline
behavioral2/memory/940-181-0x0000000004C20000-0x0000000004C5E000-memory.dmp	family_redline
behavioral2/memory/940-183-0x0000000004C20000-0x0000000004C5E000-memory.dmp	family_redline
behavioral2/memory/940-185-0x0000000004C20000-0x0000000004C5E000-memory.dmp	family_redline
behavioral2/memory/940-187-0x0000000004C20000-0x0000000004C5E000-memory.dmp	family_redline
behavioral2/memory/940-189-0x0000000004C20000-0x0000000004C5E000-memory.dmp	family_redline
behavioral2/memory/940-191-0x0000000004C20000-0x0000000004C5E000-memory.dmp	family_redline
behavioral2/memory/940-193-0x0000000004C20000-0x0000000004C5E000-memory.dmp	family_redline
behavioral2/memory/940-195-0x0000000004C20000-0x0000000004C5E000-memory.dmp	family_redline
behavioral2/memory/940-197-0x0000000004C20000-0x0000000004C5E000-memory.dmp	family_redline
behavioral2/memory/940-199-0x0000000004C20000-0x0000000004C5E000-memory.dmp	family_redline
behavioral2/memory/940-201-0x0000000004C20000-0x0000000004C5E000-memory.dmp	family_redline
behavioral2/memory/940-203-0x0000000004C20000-0x0000000004C5E000-memory.dmp	family_redline
behavioral2/memory/940-205-0x0000000004C20000-0x0000000004C5E000-memory.dmp	family_redline
behavioral2/memory/940-207-0x0000000004C20000-0x0000000004C5E000-memory.dmp	family_redline
behavioral2/memory/940-209-0x0000000004C20000-0x0000000004C5E000-memory.dmp	family_redline
behavioral2/memory/940-211-0x0000000004C20000-0x0000000004C5E000-memory.dmp	family_redline
behavioral2/memory/940-213-0x0000000004C20000-0x0000000004C5E000-memory.dmp	family_redline
behavioral2/memory/940-215-0x0000000004C20000-0x0000000004C5E000-memory.dmp	family_redline
behavioral2/memory/940-219-0x0000000004C20000-0x0000000004C5E000-memory.dmp	family_redline
behavioral2/memory/940-221-0x0000000004C20000-0x0000000004C5E000-memory.dmp	family_redline
behavioral2/memory/940-217-0x0000000004C20000-0x0000000004C5E000-memory.dmp	family_redline

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3572c9b19e8c36dd9d0307b08511c0b1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	niba0550.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	niba0550.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3572c9b19e8c36dd9d0307b08511c0b1.exe

pid	Process
2732	h13Dw68.exe
2732	h13Dw68.exe
940	iYIoK56.exe
940	iYIoK56.exe
1620	l90Kg54.exe
1620	l90Kg54.exe

description	pid	Process
Token: SeDebugPrivilege	2732	h13Dw68.exe
Token: SeDebugPrivilege	940	iYIoK56.exe
Token: SeDebugPrivilege	1620	l90Kg54.exe

description	pid	Process	procid_target
PID 2284 wrote to memory of 788	2284	3572c9b19e8c36dd9d0307b08511c0b1.exe	86
PID 2284 wrote to memory of 788	2284	3572c9b19e8c36dd9d0307b08511c0b1.exe	86
PID 2284 wrote to memory of 788	2284	3572c9b19e8c36dd9d0307b08511c0b1.exe	86
PID 788 wrote to memory of 2732	788	niba0550.exe	87
PID 788 wrote to memory of 2732	788	niba0550.exe	87
PID 788 wrote to memory of 940	788	niba0550.exe	94
PID 788 wrote to memory of 940	788	niba0550.exe	94
PID 788 wrote to memory of 940	788	niba0550.exe	94
PID 2284 wrote to memory of 1620	2284	3572c9b19e8c36dd9d0307b08511c0b1.exe	104
PID 2284 wrote to memory of 1620	2284	3572c9b19e8c36dd9d0307b08511c0b1.exe	104
PID 2284 wrote to memory of 1620	2284	3572c9b19e8c36dd9d0307b08511c0b1.exe	104

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.