description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	3348	rundll32.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5988	3348	rundll32.exe	20

resource	yara_rule
behavioral7/memory/4808-398-0x0000000004AB0000-0x0000000004FAE000-memory.dmp	family_redline
behavioral7/memory/5796-420-0x000000000041C5E2-mapping.dmp	family_redline

resource	yara_rule
behavioral7/files/0x000400000001ab32-179.dat	family_socelars
behavioral7/files/0x000400000001ab32-152.dat	family_socelars

resource	yara_rule
behavioral7/memory/64-207-0x0000000003490000-0x0000000003561000-memory.dmp	family_vidar
behavioral7/memory/64-229-0x0000000000400000-0x00000000017F4000-memory.dmp	family_vidar

resource	yara_rule
behavioral7/files/0x000400000001ab2b-124.dat	aspack_v212_v242
behavioral7/files/0x000400000001ab2b-125.dat	aspack_v212_v242
behavioral7/files/0x000400000001ab2e-130.dat	aspack_v212_v242
behavioral7/files/0x000400000001ab2e-129.dat	aspack_v212_v242
behavioral7/files/0x000400000001ab2c-128.dat	aspack_v212_v242
behavioral7/files/0x000400000001ab2c-123.dat	aspack_v212_v242

pid	Process
3540	setup_installer.exe
4056	setup_install.exe
4444	Sun152260a303c33a7.exe
3208	Sun15d8dfe2c6d17.exe
1928	Sun15b61bf18b0f1.exe
64	Sun150d896340a863.exe
996	Sun15223697c98.exe
4780	Sun157a449716c8ee483.exe
4768	Sun15b61bf18b0f1.tmp
4872	svchost.exe
4680	Sun150faeb3537d.exe
4940	Sun1584240df9fe73a3.exe

pid	pid_target	Process	procid_target
4100	4780	WerFault.exe	92
520	3968	WerFault.exe	104
1128	4216	WerFault.exe
3256	4780	WerFault.exe	92
4720	4216	WerFault.exe	126
5184	4780	WerFault.exe	92
5596	4216	WerFault.exe	126
5700	4780	WerFault.exe	92
5972	4216	WerFault.exe	126
5924	4808	WerFault.exe	131
6116	4780	WerFault.exe	92
6124	4216	WerFault.exe	126
5420	4216	WerFault.exe	126
5744	4216	WerFault.exe	126
6048	4780	WerFault.exe	92
6116	4780	WerFault.exe	92

description	pid	Process
Token: SeCreateTokenPrivilege	4680	Sun150faeb3537d.exe
Token: SeAssignPrimaryTokenPrivilege	4680	Sun150faeb3537d.exe
Token: SeLockMemoryPrivilege	4680	Sun150faeb3537d.exe
Token: SeIncreaseQuotaPrivilege	4680	Sun150faeb3537d.exe
Token: SeMachineAccountPrivilege	4680	Sun150faeb3537d.exe
Token: SeTcbPrivilege	4680	Sun150faeb3537d.exe
Token: SeSecurityPrivilege	4680	Sun150faeb3537d.exe
Token: SeTakeOwnershipPrivilege	4680	Sun150faeb3537d.exe
Token: SeLoadDriverPrivilege	4680	Sun150faeb3537d.exe
Token: SeSystemProfilePrivilege	4680	Sun150faeb3537d.exe
Token: SeSystemtimePrivilege	4680	Sun150faeb3537d.exe
Token: SeProfSingleProcessPrivilege	4680	Sun150faeb3537d.exe
Token: SeIncBasePriorityPrivilege	4680	Sun150faeb3537d.exe
Token: SeCreatePagefilePrivilege	4680	Sun150faeb3537d.exe
Token: SeCreatePermanentPrivilege	4680	Sun150faeb3537d.exe
Token: SeBackupPrivilege	4680	Sun150faeb3537d.exe
Token: SeRestorePrivilege	4680	Sun150faeb3537d.exe
Token: SeShutdownPrivilege	4680	Sun150faeb3537d.exe
Token: SeDebugPrivilege	4680	Sun150faeb3537d.exe
Token: SeAuditPrivilege	4680	Sun150faeb3537d.exe
Token: SeSystemEnvironmentPrivilege	4680	Sun150faeb3537d.exe
Token: SeChangeNotifyPrivilege	4680	Sun150faeb3537d.exe
Token: SeRemoteShutdownPrivilege	4680	Sun150faeb3537d.exe
Token: SeUndockPrivilege	4680	Sun150faeb3537d.exe
Token: SeSyncAgentPrivilege	4680	Sun150faeb3537d.exe
Token: SeEnableDelegationPrivilege	4680	Sun150faeb3537d.exe
Token: SeManageVolumePrivilege	4680	Sun150faeb3537d.exe
Token: SeImpersonatePrivilege	4680	Sun150faeb3537d.exe
Token: SeCreateGlobalPrivilege	4680	Sun150faeb3537d.exe
Token: 31	4680	Sun150faeb3537d.exe
Token: 32	4680	Sun150faeb3537d.exe
Token: 33	4680	Sun150faeb3537d.exe
Token: 34	4680	Sun150faeb3537d.exe
Token: 35	4680	Sun150faeb3537d.exe
Token: SeDebugPrivilege	4872	svchost.exe

description	pid	Process	procid_target
PID 4364 wrote to memory of 3540	4364	setup_x86_x64_install.exe	74
PID 4364 wrote to memory of 3540	4364	setup_x86_x64_install.exe	74
PID 4364 wrote to memory of 3540	4364	setup_x86_x64_install.exe	74
PID 3540 wrote to memory of 4056	3540	setup_installer.exe	75
PID 3540 wrote to memory of 4056	3540	setup_installer.exe	75
PID 3540 wrote to memory of 4056	3540	setup_installer.exe	75
PID 4056 wrote to memory of 3052	4056	setup_install.exe	78
PID 4056 wrote to memory of 3052	4056	setup_install.exe	78
PID 4056 wrote to memory of 3052	4056	setup_install.exe	78
PID 4056 wrote to memory of 708	4056	setup_install.exe	79
PID 4056 wrote to memory of 708	4056	setup_install.exe	79
PID 4056 wrote to memory of 708	4056	setup_install.exe	79
PID 4056 wrote to memory of 756	4056	setup_install.exe	98
PID 4056 wrote to memory of 756	4056	setup_install.exe	98
PID 4056 wrote to memory of 756	4056	setup_install.exe	98
PID 4056 wrote to memory of 4524	4056	setup_install.exe	80
PID 4056 wrote to memory of 4524	4056	setup_install.exe	80
PID 4056 wrote to memory of 4524	4056	setup_install.exe	80
PID 4056 wrote to memory of 4548	4056	setup_install.exe	83
PID 4056 wrote to memory of 4548	4056	setup_install.exe	83
PID 4056 wrote to memory of 4548	4056	setup_install.exe	83
PID 4056 wrote to memory of 2284	4056	setup_install.exe	81
PID 4056 wrote to memory of 2284	4056	setup_install.exe	81
PID 4056 wrote to memory of 2284	4056	setup_install.exe	81
PID 4056 wrote to memory of 4432	4056	setup_install.exe	82
PID 4056 wrote to memory of 4432	4056	setup_install.exe	82
PID 4056 wrote to memory of 4432	4056	setup_install.exe	82
PID 708 wrote to memory of 4444	708	cmd.exe	84
PID 708 wrote to memory of 4444	708	cmd.exe	84
PID 4056 wrote to memory of 3192	4056	setup_install.exe	97
PID 4056 wrote to memory of 3192	4056	setup_install.exe	97
PID 4056 wrote to memory of 3192	4056	setup_install.exe	97
PID 756 wrote to memory of 3208	756	cmd.exe	96
PID 756 wrote to memory of 3208	756	cmd.exe	96
PID 756 wrote to memory of 3208	756	cmd.exe	96
PID 3052 wrote to memory of 3656	3052	cmd.exe	85
PID 3052 wrote to memory of 3656	3052	cmd.exe	85
PID 3052 wrote to memory of 3656	3052	cmd.exe	85
PID 4548 wrote to memory of 1928	4548	cmd.exe	86
PID 4548 wrote to memory of 1928	4548	cmd.exe	86
PID 4548 wrote to memory of 1928	4548	cmd.exe	86
PID 4524 wrote to memory of 64	4524	cmd.exe	95
PID 4524 wrote to memory of 64	4524	cmd.exe	95
PID 4524 wrote to memory of 64	4524	cmd.exe	95
PID 4056 wrote to memory of 3804	4056	setup_install.exe	94
PID 4056 wrote to memory of 3804	4056	setup_install.exe	94
PID 4056 wrote to memory of 3804	4056	setup_install.exe	94
PID 4056 wrote to memory of 320	4056	setup_install.exe	93
PID 4056 wrote to memory of 320	4056	setup_install.exe	93
PID 4056 wrote to memory of 320	4056	setup_install.exe	93
PID 2284 wrote to memory of 996	2284	cmd.exe	87
PID 2284 wrote to memory of 996	2284	cmd.exe	87
PID 2284 wrote to memory of 996	2284	cmd.exe	87
PID 320 wrote to memory of 4780	320	cmd.exe	92
PID 320 wrote to memory of 4780	320	cmd.exe	92
PID 320 wrote to memory of 4780	320	cmd.exe	92
PID 1928 wrote to memory of 4768	1928	Sun15b61bf18b0f1.exe	88
PID 1928 wrote to memory of 4768	1928	Sun15b61bf18b0f1.exe	88
PID 1928 wrote to memory of 4768	1928	Sun15b61bf18b0f1.exe	88
PID 3192 wrote to memory of 4680	3192	cmd.exe	91
PID 3192 wrote to memory of 4680	3192	cmd.exe	91
PID 3192 wrote to memory of 4680	3192	cmd.exe	91
PID 4432 wrote to memory of 4872	4432	cmd.exe	112
PID 4432 wrote to memory of 4872	4432	cmd.exe	112

pid	Process
5872	schtasks.exe
5356	schtasks.exe

pid	Process
5912	taskkill.exe
1896	taskkill.exe

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads