Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 152s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 22/02/2024, 02:40
Static task: static1
Behavioral task: behavioral1
Sample: aimsense.exe
Resource: win7-20240221-en
General
Target: aimsense.exe
Size: 148KB
MD5: db11d5b13124f9dab72425ce56662a4f
SHA1: 09b901184f4865437769f0999bd6d9589008c25d
SHA256: df43da5e9f003414fb7087d002291d62e509d1f977e1304d647abf8ec241a68f
SHA512: 71597bd4ae24b1b74904f7a09c0fdac8d082a86e1d0d794f419057bdccf7f3c5dc07f60cc3499aa00cf2b96e181b7f35b33dbf5fa55a755d7e6fc4c766a708f4
SSDEEP: 3072:3w10kz9kMiNZKVHd64TGyTOdp6KZt+2T4m6DkBcsfdmC:32T9kMiNZ6HgdyTODZ4p0cWd
Malware Config
Extracted family: umbral
Extracted URL: https://discord.com/api/webhooks/1209997264991555594/9lDazTklKzZKzTTEKzGTtk4UXPjIs2Q2Z2D-ej4Esant-MGCP07bpGNI4w65xZpkCXsD
Signatures
- Detect Umbral payload (10 IoCs)
- Executes dropped EXE (64 IoCs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Process tree in the order the sandbox reported it (depth-first). Columns: depth in the tree | PID | image | command line | matched signatures ("-" = none).
1 | 1660 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | Suspicious use of WriteProcessMemory
2 | 2000 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
3 | 2584 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | Suspicious use of AdjustPrivilegeToken
2 | 2524 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | Suspicious use of WriteProcessMemory
3 | 2888 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | Suspicious use of WriteProcessMemory
4 | 1992 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | Suspicious use of WriteProcessMemory
5 | 2036 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | Suspicious use of WriteProcessMemory
6 | 584 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
6 | 1036 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | Suspicious use of WriteProcessMemory
7 | 2292 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | Suspicious use of WriteProcessMemory
8 | 1856 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | Suspicious use of WriteProcessMemory
9 | 976 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
10 | 1664 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
11 | 1996 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
10 | 1972 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
11 | 2340 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
12 | 2456 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
13 | 2000 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
13 | 564 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
14 | 3064 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
15 | 1536 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
14 | 2012 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
15 | 2040 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
16 | 948 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
15 | 1752 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
16 | 608 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
17 | 960 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
16 | 2712 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
17 | 1160 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
18 | 1396 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
17 | 688 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
18 | 848 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
19 | 2724 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
18 | 988 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
19 | 2072 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
20 | 2440 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
19 | 2920 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
20 | 2752 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
21 | 2848 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
20 | 3012 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
21 | 3016 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
22 | 772 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
21 | 2416 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
22 | 1120 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
23 | 2324 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
22 | 584 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
23 | 2128 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
24 | 2056 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
23 | 1036 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
24 | 1908 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
25 | 2844 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
24 | 2892 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
25 | 876 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
26 | 2912 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
25 | 1388 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
26 | 848 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
27 | 1700 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
26 | 1032 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
27 | 1580 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
28 | 2816 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
27 | 2428 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
28 | 1620 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
29 | 580 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
28 | 2700 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
29 | 2180 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
30 | 940 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
29 | 524 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
30 | 2284 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
31 | 2800 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
30 | 2780 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
31 | 396 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
32 | 1952 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
31 | 1672 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
32 | 1148 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
33 | 2892 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
32 | 2712 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
33 | 2732 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
34 | 1388 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
33 | 2504 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
34 | 2080 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
35 | 1600 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
34 | 284 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
35 | 1628 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
36 | 2864 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
35 | 956 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
36 | 2372 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
37 | 2704 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
36 | 2948 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
37 | 840 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
38 | 948 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
37 | 1204 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
38 | 584 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
39 | 1720 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
38 | 2260 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
39 | 2908 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
40 | 2364 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
39 | 2916 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
40 | 1672 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
41 | 1148 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
40 | 2200 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
41 | 2756 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
42 | 876 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
41 | 1764 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
42 | 2224 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
43 | 1972 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
42 | 2808 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
43 | 1508 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
44 | 2580 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
43 | 1796 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
44 | 2684 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
45 | 2832 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
44 | 588 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
45 | 1904 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
46 | 1444 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
45 | 2180 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
46 | 436 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
47 | 3028 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
46 | 2800 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
47 | 540 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
48 | 1644 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
47 | 1292 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
48 | 2252 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
49 | 2872 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
48 | 1804 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
49 | 1256 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
50 | 880 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
49 | 2100 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
50 | 2408 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
51 | 2884 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
50 | 988 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
51 | 2692 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
52 | 2820 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
51 | 2752 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
52 | 1344 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
53 | 1620 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
52 | 2604 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
53 | 948 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
54 | 2060 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
53 | 1360 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
54 | 3060 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
55 | 1204 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
54 | 1720 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
55 | 2268 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
56 | 396 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
55 | 2076 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
56 | 1260 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
57 | 1148 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
56 | 1248 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
57 | 920 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
58 | 1068 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
57 | 2256 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
58 | 1256 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
59 | 1868 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
58 | 2072 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
59 | 1772 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
60 | 836 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
59 | 1844 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
60 | 2616 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
61 | 2628 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
60 | 2676 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
61 | 1828 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
62 | 2632 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
61 | 2392 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
62 | 1288 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
63 | 3028 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
62 | 2312 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
63 | 1936 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
64 | 1940 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
63 | 1160 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
64 | 2356 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
65 | 2916 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
64 | 1952 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
65 | 2660 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
66 | 1956 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
65 | 904 | C:\Users\Admin\AppData\Local\Temp\aimsense.exe | "C:\Users\Admin\AppData\Local\Temp\aimsense.exe" | -
12 | 2408 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
11 | 2676 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE
12 | 2708 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
9 | 1784 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE; Suspicious use of WriteProcessMemory
10 | 2908 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
8 | 1308 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE; Suspicious use of WriteProcessMemory
9 | 112 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
7 | 1288 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE; Suspicious use of WriteProcessMemory
8 | 3028 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
5 | 1680 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | -
6 | 2748 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | -
4 | 2704 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
5 | 2816 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | Suspicious use of AdjustPrivilegeToken
3 | 2540 | C:\Users\Admin\AppData\Local\Temp\auth.exe | "C:\Users\Admin\AppData\Local\Temp\auth.exe" | -
1 | 2540 | C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "-1664105182-1864026900147587394390291480-443796101-1125454619-1697734793-1079223864" | Executes dropped EXE
1 | 1680 | C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R | Executes dropped EXE; Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 192KB
  MD5: d5b2a70fc6c314cabba1fdc357ef1698
  SHA1: 3ae525c6fe0f8012caa59f15b197d09042a3f374
  SHA256: 185219f79023fa5b229f719d78f8e71830abb2776342c8d4fdfcbe6981ecd5e8
  SHA512: 7e4a9ff033c91496bd2adcf07885880dc17af65c3d3132b94427b3513ac27f51cbff4c1d4e36a6e6bd9397badb7e6c2c0aa1e795e66c30cde71d389d54995a14
- Filesize: 128KB
  MD5: a2e77ad88e1f938750a73a4f5ccb81dc
  SHA1: cfb048748c3d00c2542f07aa643464f9ecdc8100
  SHA256: 09d3dd3334953357eba8e15ea731b11b27c691505556c83eb7a69c6fc3775780
  SHA512: e27efd3f6e88e8ad59808a50837e04276e3a962ce0a57dda9f4cba0da8d2508125bc389f6b15827a1a57000cc92a3a498e1458602ec85acbb77fca214e22c7bc
- Filesize: 231KB
  MD5: 4e62bcc861008fccf8017a90c9d9fa17
  SHA1: 267c87bfcfb65a2be5516874b9edf9a76f46409b
  SHA256: 53681696ea3e42e5dadb92a1d0686a36d024aa7fbad9cadbdc02a97331da5a37
  SHA512: a1e65c6a255bc9f7c962d8cd9fe03e1a1d4564fc0f38b6df4f6664d28e0010a255ab3d956bc7ad4acad5311b079536b16da3c48d76bff93284e8b36de715555b