description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jr487695.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr487695.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jr487695.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	jr487695.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jr487695.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jr487695.exe

resource	yara_rule
behavioral1/memory/4840-158-0x0000000003AA0000-0x0000000003ADF000-memory.dmp	family_redline
behavioral1/memory/4840-159-0x0000000003AA0000-0x0000000003ADF000-memory.dmp	family_redline
behavioral1/memory/4840-161-0x0000000003AA0000-0x0000000003ADF000-memory.dmp	family_redline
behavioral1/memory/4840-163-0x0000000003AA0000-0x0000000003ADF000-memory.dmp	family_redline
behavioral1/memory/4840-165-0x0000000003AA0000-0x0000000003ADF000-memory.dmp	family_redline
behavioral1/memory/4840-167-0x0000000003AA0000-0x0000000003ADF000-memory.dmp	family_redline
behavioral1/memory/4840-169-0x0000000003AA0000-0x0000000003ADF000-memory.dmp	family_redline
behavioral1/memory/4840-171-0x0000000003AA0000-0x0000000003ADF000-memory.dmp	family_redline
behavioral1/memory/4840-173-0x0000000003AA0000-0x0000000003ADF000-memory.dmp	family_redline
behavioral1/memory/4840-175-0x0000000003AA0000-0x0000000003ADF000-memory.dmp	family_redline
behavioral1/memory/4840-177-0x0000000003AA0000-0x0000000003ADF000-memory.dmp	family_redline
behavioral1/memory/4840-179-0x0000000003AA0000-0x0000000003ADF000-memory.dmp	family_redline
behavioral1/memory/4840-181-0x0000000003AA0000-0x0000000003ADF000-memory.dmp	family_redline
behavioral1/memory/4840-183-0x0000000003AA0000-0x0000000003ADF000-memory.dmp	family_redline
behavioral1/memory/4840-185-0x0000000003AA0000-0x0000000003ADF000-memory.dmp	family_redline
behavioral1/memory/4840-187-0x0000000003AA0000-0x0000000003ADF000-memory.dmp	family_redline
behavioral1/memory/4840-189-0x0000000003AA0000-0x0000000003ADF000-memory.dmp	family_redline
behavioral1/memory/4840-191-0x0000000003AA0000-0x0000000003ADF000-memory.dmp	family_redline
behavioral1/memory/4840-193-0x0000000003AA0000-0x0000000003ADF000-memory.dmp	family_redline
behavioral1/memory/4840-195-0x0000000003AA0000-0x0000000003ADF000-memory.dmp	family_redline
behavioral1/memory/4840-197-0x0000000003AA0000-0x0000000003ADF000-memory.dmp	family_redline
behavioral1/memory/4840-199-0x0000000003AA0000-0x0000000003ADF000-memory.dmp	family_redline
behavioral1/memory/4840-201-0x0000000003AA0000-0x0000000003ADF000-memory.dmp	family_redline
behavioral1/memory/4840-203-0x0000000003AA0000-0x0000000003ADF000-memory.dmp	family_redline
behavioral1/memory/4840-205-0x0000000003AA0000-0x0000000003ADF000-memory.dmp	family_redline
behavioral1/memory/4840-207-0x0000000003AA0000-0x0000000003ADF000-memory.dmp	family_redline
behavioral1/memory/4840-209-0x0000000003AA0000-0x0000000003ADF000-memory.dmp	family_redline
behavioral1/memory/4840-211-0x0000000003AA0000-0x0000000003ADF000-memory.dmp	family_redline
behavioral1/memory/4840-213-0x0000000003AA0000-0x0000000003ADF000-memory.dmp	family_redline
behavioral1/memory/4840-215-0x0000000003AA0000-0x0000000003ADF000-memory.dmp	family_redline
behavioral1/memory/4840-217-0x0000000003AA0000-0x0000000003ADF000-memory.dmp	family_redline
behavioral1/memory/4840-219-0x0000000003AA0000-0x0000000003ADF000-memory.dmp	family_redline
behavioral1/memory/4840-221-0x0000000003AA0000-0x0000000003ADF000-memory.dmp	family_redline

pid	Process
4160	ziWb3664.exe
4124	jr487695.exe
4840	ku927546.exe
3380	lr315463.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7aaee224559608d8c305b6016b0461200dc88758ef46374b1eb3df3a8cc6114d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7aaee224559608d8c305b6016b0461200dc88758ef46374b1eb3df3a8cc6114d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziWb3664.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziWb3664.exe

description	pid	Process
Token: SeDebugPrivilege	4124	jr487695.exe
Token: SeDebugPrivilege	4840	ku927546.exe
Token: SeDebugPrivilege	3380	lr315463.exe

description	pid	Process	procid_target
PID 5088 wrote to memory of 4160	5088	7aaee224559608d8c305b6016b0461200dc88758ef46374b1eb3df3a8cc6114d.exe	79
PID 5088 wrote to memory of 4160	5088	7aaee224559608d8c305b6016b0461200dc88758ef46374b1eb3df3a8cc6114d.exe	79
PID 5088 wrote to memory of 4160	5088	7aaee224559608d8c305b6016b0461200dc88758ef46374b1eb3df3a8cc6114d.exe	79
PID 4160 wrote to memory of 4124	4160	ziWb3664.exe	80
PID 4160 wrote to memory of 4124	4160	ziWb3664.exe	80
PID 4160 wrote to memory of 4840	4160	ziWb3664.exe	81
PID 4160 wrote to memory of 4840	4160	ziWb3664.exe	81
PID 4160 wrote to memory of 4840	4160	ziWb3664.exe	81
PID 5088 wrote to memory of 3380	5088	7aaee224559608d8c305b6016b0461200dc88758ef46374b1eb3df3a8cc6114d.exe	87
PID 5088 wrote to memory of 3380	5088	7aaee224559608d8c305b6016b0461200dc88758ef46374b1eb3df3a8cc6114d.exe	87
PID 5088 wrote to memory of 3380	5088	7aaee224559608d8c305b6016b0461200dc88758ef46374b1eb3df3a8cc6114d.exe	87

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.