resource	yara_rule
behavioral2/memory/2536-244-0x0000000002E60000-0x000000000377E000-memory.dmp	family_glupteba
behavioral2/memory/2536-245-0x0000000000400000-0x0000000000D39000-memory.dmp	family_glupteba

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2880	rundll32.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3768	2880	rundll32.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2880	rundll32.exe	71

resource	yara_rule
behavioral2/memory/2268-220-0x000000000041C5CA-mapping.dmp	family_redline
behavioral2/memory/2268-219-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral2/memory/2268-225-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

resource	yara_rule
behavioral2/files/0x00030000000130d1-148.dat	family_socelars
behavioral2/files/0x00030000000130d1-168.dat	family_socelars
behavioral2/files/0x00030000000130d1-124.dat	family_socelars

resource	yara_rule
behavioral2/files/0x00030000000130ca-76.dat	aspack_v212_v242
behavioral2/files/0x00030000000130ca-77.dat	aspack_v212_v242
behavioral2/files/0x00040000000130c5-78.dat	aspack_v212_v242
behavioral2/files/0x00040000000130c5-79.dat	aspack_v212_v242
behavioral2/files/0x00030000000130cc-82.dat	aspack_v212_v242
behavioral2/files/0x00030000000130cc-83.dat	aspack_v212_v242

pid	Process
1592	setup_installer.exe
1184	setup_install.exe
1640	Thu20c467678e2c.exe
592	Thu20dae7c52bc0856.exe
1788	Thu20a5f7ccaa78.exe
1888	Thu20f2cf5e0c.exe
1220	Thu2026c04e7218e1.exe
1084	Thu203b503b429e68.exe
1960	Thu2094524d5e5b.exe
1692	Thu2025d6674aed72ba.exe
520	Thu2090b5515d63b2.exe
936	Thu2026c04e7218e1.tmp

resource	yara_rule
behavioral2/files/0x00030000000130d8-100.dat	vmprotect
behavioral2/files/0x00030000000130d8-114.dat	vmprotect
behavioral2/memory/592-178-0x0000000140000000-0x0000000140650000-memory.dmp	vmprotect
behavioral2/files/0x00030000000130d8-133.dat	vmprotect

pid	Process
1104	setup_x86_x64_install.exe
1592	setup_installer.exe
1592	setup_installer.exe
1592	setup_installer.exe
1592	setup_installer.exe
1592	setup_installer.exe
1592	setup_installer.exe
1184	setup_install.exe
1184	setup_install.exe
1184	setup_install.exe
1184	setup_install.exe
1184	setup_install.exe
1184	setup_install.exe
1184	setup_install.exe
1184	setup_install.exe
1876	cmd.exe
1460	cmd.exe
1272	cmd.exe
1272	cmd.exe
1704	cmd.exe
1640	Thu20c467678e2c.exe
1640	Thu20c467678e2c.exe
1364	cmd.exe
1788	Thu20a5f7ccaa78.exe
1788	Thu20a5f7ccaa78.exe
268	cmd.exe
1100	cmd.exe
1100	cmd.exe
556	cmd.exe
1220	Thu2026c04e7218e1.exe
1220	Thu2026c04e7218e1.exe
1960	Thu2094524d5e5b.exe
1960	Thu2094524d5e5b.exe
1792	cmd.exe
1220	Thu2026c04e7218e1.exe
936	Thu2026c04e7218e1.tmp
936	Thu2026c04e7218e1.tmp
936	Thu2026c04e7218e1.tmp
1084	Thu203b503b429e68.exe
1084	Thu203b503b429e68.exe

flow	ioc
215	ipinfo.io
12	ip-api.com
35	ipinfo.io
36	ipinfo.io
117	ipinfo.io
171	ipinfo.io
214	ipinfo.io

pid	pid_target	Process	procid_target
2852	1084	WerFault.exe	39
3364	2616	WerFault.exe	68
3488	1716	WerFault.exe	116

pid	Process
3592	schtasks.exe
2556	schtasks.exe
3540	schtasks.exe
3560	schtasks.exe
1456	schtasks.exe
3528	schtasks.exe

pid	Process
2060	timeout.exe
4092	timeout.exe

pid	Process
2632	taskkill.exe
1780	taskkill.exe
668	taskkill.exe

description	pid	Process
Token: SeCreateTokenPrivilege	1084	Thu203b503b429e68.exe
Token: SeAssignPrimaryTokenPrivilege	1084	Thu203b503b429e68.exe
Token: SeLockMemoryPrivilege	1084	Thu203b503b429e68.exe
Token: SeIncreaseQuotaPrivilege	1084	Thu203b503b429e68.exe
Token: SeMachineAccountPrivilege	1084	Thu203b503b429e68.exe
Token: SeTcbPrivilege	1084	Thu203b503b429e68.exe
Token: SeSecurityPrivilege	1084	Thu203b503b429e68.exe
Token: SeTakeOwnershipPrivilege	1084	Thu203b503b429e68.exe
Token: SeLoadDriverPrivilege	1084	Thu203b503b429e68.exe
Token: SeSystemProfilePrivilege	1084	Thu203b503b429e68.exe
Token: SeSystemtimePrivilege	1084	Thu203b503b429e68.exe
Token: SeProfSingleProcessPrivilege	1084	Thu203b503b429e68.exe
Token: SeIncBasePriorityPrivilege	1084	Thu203b503b429e68.exe
Token: SeCreatePagefilePrivilege	1084	Thu203b503b429e68.exe
Token: SeCreatePermanentPrivilege	1084	Thu203b503b429e68.exe
Token: SeBackupPrivilege	1084	Thu203b503b429e68.exe
Token: SeRestorePrivilege	1084	Thu203b503b429e68.exe
Token: SeShutdownPrivilege	1084	Thu203b503b429e68.exe
Token: SeDebugPrivilege	1084	Thu203b503b429e68.exe
Token: SeAuditPrivilege	1084	Thu203b503b429e68.exe
Token: SeSystemEnvironmentPrivilege	1084	Thu203b503b429e68.exe
Token: SeChangeNotifyPrivilege	1084	Thu203b503b429e68.exe
Token: SeRemoteShutdownPrivilege	1084	Thu203b503b429e68.exe
Token: SeUndockPrivilege	1084	Thu203b503b429e68.exe
Token: SeSyncAgentPrivilege	1084	Thu203b503b429e68.exe
Token: SeEnableDelegationPrivilege	1084	Thu203b503b429e68.exe
Token: SeManageVolumePrivilege	1084	Thu203b503b429e68.exe
Token: SeImpersonatePrivilege	1084	Thu203b503b429e68.exe
Token: SeCreateGlobalPrivilege	1084	Thu203b503b429e68.exe
Token: 31	1084	Thu203b503b429e68.exe
Token: 32	1084	Thu203b503b429e68.exe
Token: 33	1084	Thu203b503b429e68.exe
Token: 34	1084	Thu203b503b429e68.exe
Token: 35	1084	Thu203b503b429e68.exe

description	pid	Process	procid_target
PID 1104 wrote to memory of 1592	1104	setup_x86_x64_install.exe	25
PID 1104 wrote to memory of 1592	1104	setup_x86_x64_install.exe	25
PID 1104 wrote to memory of 1592	1104	setup_x86_x64_install.exe	25
PID 1104 wrote to memory of 1592	1104	setup_x86_x64_install.exe	25
PID 1104 wrote to memory of 1592	1104	setup_x86_x64_install.exe	25
PID 1104 wrote to memory of 1592	1104	setup_x86_x64_install.exe	25
PID 1104 wrote to memory of 1592	1104	setup_x86_x64_install.exe	25
PID 1592 wrote to memory of 1184	1592	setup_installer.exe	26
PID 1592 wrote to memory of 1184	1592	setup_installer.exe	26
PID 1592 wrote to memory of 1184	1592	setup_installer.exe	26
PID 1592 wrote to memory of 1184	1592	setup_installer.exe	26
PID 1592 wrote to memory of 1184	1592	setup_installer.exe	26
PID 1592 wrote to memory of 1184	1592	setup_installer.exe	26
PID 1592 wrote to memory of 1184	1592	setup_installer.exe	26
PID 1184 wrote to memory of 1712	1184	setup_install.exe	28
PID 1184 wrote to memory of 1712	1184	setup_install.exe	28
PID 1184 wrote to memory of 1712	1184	setup_install.exe	28
PID 1184 wrote to memory of 1712	1184	setup_install.exe	28
PID 1184 wrote to memory of 1712	1184	setup_install.exe	28
PID 1184 wrote to memory of 1712	1184	setup_install.exe	28
PID 1184 wrote to memory of 1712	1184	setup_install.exe	28
PID 1184 wrote to memory of 1876	1184	setup_install.exe	29
PID 1184 wrote to memory of 1876	1184	setup_install.exe	29
PID 1184 wrote to memory of 1876	1184	setup_install.exe	29
PID 1184 wrote to memory of 1876	1184	setup_install.exe	29
PID 1184 wrote to memory of 1876	1184	setup_install.exe	29
PID 1184 wrote to memory of 1876	1184	setup_install.exe	29
PID 1184 wrote to memory of 1876	1184	setup_install.exe	29
PID 1184 wrote to memory of 1704	1184	setup_install.exe	30
PID 1184 wrote to memory of 1704	1184	setup_install.exe	30
PID 1184 wrote to memory of 1704	1184	setup_install.exe	30
PID 1184 wrote to memory of 1704	1184	setup_install.exe	30
PID 1184 wrote to memory of 1704	1184	setup_install.exe	30
PID 1184 wrote to memory of 1704	1184	setup_install.exe	30
PID 1184 wrote to memory of 1704	1184	setup_install.exe	30
PID 1184 wrote to memory of 1460	1184	setup_install.exe	31
PID 1184 wrote to memory of 1460	1184	setup_install.exe	31
PID 1184 wrote to memory of 1460	1184	setup_install.exe	31
PID 1184 wrote to memory of 1460	1184	setup_install.exe	31
PID 1184 wrote to memory of 1460	1184	setup_install.exe	31
PID 1184 wrote to memory of 1460	1184	setup_install.exe	31
PID 1184 wrote to memory of 1460	1184	setup_install.exe	31
PID 1184 wrote to memory of 1272	1184	setup_install.exe	32
PID 1184 wrote to memory of 1272	1184	setup_install.exe	32
PID 1184 wrote to memory of 1272	1184	setup_install.exe	32
PID 1184 wrote to memory of 1272	1184	setup_install.exe	32
PID 1184 wrote to memory of 1272	1184	setup_install.exe	32
PID 1184 wrote to memory of 1272	1184	setup_install.exe	32
PID 1184 wrote to memory of 1272	1184	setup_install.exe	32
PID 1712 wrote to memory of 1372	1712	cmd.exe	52
PID 1712 wrote to memory of 1372	1712	cmd.exe	52
PID 1712 wrote to memory of 1372	1712	cmd.exe	52
PID 1712 wrote to memory of 1372	1712	cmd.exe	52
PID 1712 wrote to memory of 1372	1712	cmd.exe	52
PID 1712 wrote to memory of 1372	1712	cmd.exe	52
PID 1712 wrote to memory of 1372	1712	cmd.exe	52
PID 1876 wrote to memory of 1640	1876	cmd.exe	51
PID 1876 wrote to memory of 1640	1876	cmd.exe	51
PID 1876 wrote to memory of 1640	1876	cmd.exe	51
PID 1876 wrote to memory of 1640	1876	cmd.exe	51
PID 1876 wrote to memory of 1640	1876	cmd.exe	51
PID 1876 wrote to memory of 1640	1876	cmd.exe	51
PID 1876 wrote to memory of 1640	1876	cmd.exe	51
PID 1184 wrote to memory of 1364	1184	setup_install.exe	33

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads