umbral | df43da5e9f003414fb7087d002291d62e509d1f977e1304d647abf8ec241a68f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
22-02-2024 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aimsense.exe
Size

148KB
MD5

db11d5b13124f9dab72425ce56662a4f
SHA1

09b901184f4865437769f0999bd6d9589008c25d
SHA256

df43da5e9f003414fb7087d002291d62e509d1f977e1304d647abf8ec241a68f
SHA512

71597bd4ae24b1b74904f7a09c0fdac8d082a86e1d0d794f419057bdccf7f3c5dc07f60cc3499aa00cf2b96e181b7f35b33dbf5fa55a755d7e6fc4c766a708f4
SSDEEP

3072:3w10kz9kMiNZKVHd64TGyTOdp6KZt+2T4m6DkBcsfdmC:32T9kMiNZ6HgdyTODZ4p0cWd

Score

10^/10

umbral stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1209997264991555594/9lDazTklKzZKzTTEKzGTtk4UXPjIs2Q2Z2D-ej4Esant-MGCP07bpGNI4w65xZpkCXsD

Signatures

Detect Umbral payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000800000001ab15-6.dat	family_umbral
behavioral1/memory/3584-8-0x000001D166F40000-0x000001D166F80000-memory.dmp	family_umbral
behavioral1/files/0x000800000001ab15-165.dat	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Executes dropped EXE 64 IoCs

pid	Process
3584	auth.exe
1020	auth.exe
3756	auth.exe
1748	auth.exe
4176	auth.exe
5028	auth.exe
4220	auth.exe
3036	auth.exe
4192	auth.exe
3704	auth.exe
4352	auth.exe
3740	auth.exe
4276	auth.exe
4688	auth.exe
4880	auth.exe
1724	auth.exe
408	auth.exe
752	auth.exe
4540	auth.exe
2084	auth.exe
1640	auth.exe
2468	auth.exe
424	auth.exe
2772	auth.exe
4416	auth.exe
4756	auth.exe
2752	auth.exe
4800	auth.exe
2820	auth.exe
2136	auth.exe
824	auth.exe
4300	auth.exe
5028	auth.exe
404	auth.exe
2412	auth.exe
2068	auth.exe
3736	auth.exe
2312	auth.exe
752	auth.exe
1348	auth.exe
4216	auth.exe
3028	auth.exe
68	auth.exe
1080	auth.exe
744	auth.exe
4224	auth.exe
4872	auth.exe
4864	auth.exe
2020	auth.exe
4964	auth.exe
4904	auth.exe
2972	auth.exe
4056	auth.exe
372	auth.exe
4032	auth.exe
2516	auth.exe
1856	auth.exe
4292	auth.exe
3792	auth.exe
2784	auth.exe
3552	auth.exe
4928	auth.exe
5108	auth.exe
2516	auth.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3584	auth.exe
Token: SeIncreaseQuotaPrivilege	3876	wmic.exe
Token: SeSecurityPrivilege	3876	wmic.exe
Token: SeTakeOwnershipPrivilege	3876	wmic.exe
Token: SeLoadDriverPrivilege	3876	wmic.exe
Token: SeSystemProfilePrivilege	3876	wmic.exe
Token: SeSystemtimePrivilege	3876	wmic.exe
Token: SeProfSingleProcessPrivilege	3876	wmic.exe
Token: SeIncBasePriorityPrivilege	3876	wmic.exe
Token: SeCreatePagefilePrivilege	3876	wmic.exe
Token: SeBackupPrivilege	3876	wmic.exe
Token: SeRestorePrivilege	3876	wmic.exe
Token: SeShutdownPrivilege	3876	wmic.exe
Token: SeDebugPrivilege	3876	wmic.exe
Token: SeSystemEnvironmentPrivilege	3876	wmic.exe
Token: SeRemoteShutdownPrivilege	3876	wmic.exe
Token: SeUndockPrivilege	3876	wmic.exe
Token: SeManageVolumePrivilege	3876	wmic.exe
Token: 33	3876	wmic.exe
Token: 34	3876	wmic.exe
Token: 35	3876	wmic.exe
Token: 36	3876	wmic.exe
Token: SeIncreaseQuotaPrivilege	3876	wmic.exe
Token: SeSecurityPrivilege	3876	wmic.exe
Token: SeTakeOwnershipPrivilege	3876	wmic.exe
Token: SeLoadDriverPrivilege	3876	wmic.exe
Token: SeSystemProfilePrivilege	3876	wmic.exe
Token: SeSystemtimePrivilege	3876	wmic.exe
Token: SeProfSingleProcessPrivilege	3876	wmic.exe
Token: SeIncBasePriorityPrivilege	3876	wmic.exe
Token: SeCreatePagefilePrivilege	3876	wmic.exe
Token: SeBackupPrivilege	3876	wmic.exe
Token: SeRestorePrivilege	3876	wmic.exe
Token: SeShutdownPrivilege	3876	wmic.exe
Token: SeDebugPrivilege	3876	wmic.exe
Token: SeSystemEnvironmentPrivilege	3876	wmic.exe
Token: SeRemoteShutdownPrivilege	3876	wmic.exe
Token: SeUndockPrivilege	3876	wmic.exe
Token: SeManageVolumePrivilege	3876	wmic.exe
Token: 33	3876	wmic.exe
Token: 34	3876	wmic.exe
Token: 35	3876	wmic.exe
Token: 36	3876	wmic.exe
Token: SeDebugPrivilege	1020	auth.exe
Token: SeIncreaseQuotaPrivilege	4632	wmic.exe
Token: SeSecurityPrivilege	4632	wmic.exe
Token: SeTakeOwnershipPrivilege	4632	wmic.exe
Token: SeLoadDriverPrivilege	4632	wmic.exe
Token: SeSystemProfilePrivilege	4632	wmic.exe
Token: SeSystemtimePrivilege	4632	wmic.exe
Token: SeProfSingleProcessPrivilege	4632	wmic.exe
Token: SeIncBasePriorityPrivilege	4632	wmic.exe
Token: SeCreatePagefilePrivilege	4632	wmic.exe
Token: SeBackupPrivilege	4632	wmic.exe
Token: SeRestorePrivilege	4632	wmic.exe
Token: SeShutdownPrivilege	4632	wmic.exe
Token: SeDebugPrivilege	4632	wmic.exe
Token: SeSystemEnvironmentPrivilege	4632	wmic.exe
Token: SeRemoteShutdownPrivilege	4632	wmic.exe
Token: SeUndockPrivilege	4632	wmic.exe
Token: SeManageVolumePrivilege	4632	wmic.exe
Token: 33	4632	wmic.exe
Token: 34	4632	wmic.exe
Token: 35	4632	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 3584	2628	aimsense.exe	73
PID 2628 wrote to memory of 3584	2628	aimsense.exe	73
PID 2628 wrote to memory of 4180	2628	aimsense.exe	74
PID 2628 wrote to memory of 4180	2628	aimsense.exe	74
PID 3584 wrote to memory of 3876	3584	auth.exe	76
PID 3584 wrote to memory of 3876	3584	auth.exe	76
PID 4180 wrote to memory of 1020	4180	aimsense.exe	79
PID 4180 wrote to memory of 1020	4180	aimsense.exe	79
PID 4180 wrote to memory of 1976	4180	aimsense.exe	78
PID 4180 wrote to memory of 1976	4180	aimsense.exe	78
PID 1020 wrote to memory of 4632	1020	auth.exe	81
PID 1020 wrote to memory of 4632	1020	auth.exe	81
PID 1976 wrote to memory of 3756	1976	aimsense.exe	82
PID 1976 wrote to memory of 3756	1976	aimsense.exe	82
PID 1976 wrote to memory of 4224	1976	aimsense.exe	83
PID 1976 wrote to memory of 4224	1976	aimsense.exe	83
PID 3756 wrote to memory of 5048	3756	auth.exe	85
PID 3756 wrote to memory of 5048	3756	auth.exe	85
PID 4224 wrote to memory of 1748	4224	aimsense.exe	87
PID 4224 wrote to memory of 1748	4224	aimsense.exe	87
PID 4224 wrote to memory of 1644	4224	aimsense.exe	86
PID 4224 wrote to memory of 1644	4224	aimsense.exe	86
PID 1748 wrote to memory of 4616	1748	auth.exe	89
PID 1748 wrote to memory of 4616	1748	auth.exe	89
PID 1644 wrote to memory of 4176	1644	aimsense.exe	91
PID 1644 wrote to memory of 4176	1644	aimsense.exe	91
PID 1644 wrote to memory of 2024	1644	aimsense.exe	90
PID 1644 wrote to memory of 2024	1644	aimsense.exe	90
PID 4176 wrote to memory of 2216	4176	auth.exe	92
PID 4176 wrote to memory of 2216	4176	auth.exe	92
PID 2024 wrote to memory of 5028	2024	aimsense.exe	94
PID 2024 wrote to memory of 5028	2024	aimsense.exe	94
PID 2024 wrote to memory of 928	2024	aimsense.exe	95
PID 2024 wrote to memory of 928	2024	aimsense.exe	95
PID 5028 wrote to memory of 3908	5028	auth.exe	96
PID 5028 wrote to memory of 3908	5028	auth.exe	96
PID 928 wrote to memory of 4220	928	aimsense.exe	98
PID 928 wrote to memory of 4220	928	aimsense.exe	98
PID 928 wrote to memory of 2576	928	aimsense.exe	99
PID 928 wrote to memory of 2576	928	aimsense.exe	99
PID 4220 wrote to memory of 1884	4220	auth.exe	100
PID 4220 wrote to memory of 1884	4220	auth.exe	100
PID 2576 wrote to memory of 3036	2576	aimsense.exe	102
PID 2576 wrote to memory of 3036	2576	aimsense.exe	102
PID 2576 wrote to memory of 596	2576	aimsense.exe	103
PID 2576 wrote to memory of 596	2576	aimsense.exe	103
PID 3036 wrote to memory of 3840	3036	auth.exe	104
PID 3036 wrote to memory of 3840	3036	auth.exe	104
PID 596 wrote to memory of 4192	596	aimsense.exe	106
PID 596 wrote to memory of 4192	596	aimsense.exe	106
PID 596 wrote to memory of 520	596	aimsense.exe	107
PID 596 wrote to memory of 520	596	aimsense.exe	107
PID 4192 wrote to memory of 1856	4192	auth.exe	108
PID 4192 wrote to memory of 1856	4192	auth.exe	108
PID 520 wrote to memory of 3704	520	aimsense.exe	110
PID 520 wrote to memory of 3704	520	aimsense.exe	110
PID 520 wrote to memory of 2312	520	aimsense.exe	111
PID 520 wrote to memory of 2312	520	aimsense.exe	111
PID 3704 wrote to memory of 4900	3704	auth.exe	112
PID 3704 wrote to memory of 4900	3704	auth.exe	112
PID 2312 wrote to memory of 4352	2312	aimsense.exe	114
PID 2312 wrote to memory of 4352	2312	aimsense.exe	114
PID 2312 wrote to memory of 4236	2312	aimsense.exe	115
PID 2312 wrote to memory of 4236	2312	aimsense.exe	115

C:\Users\Admin\AppData\Local\Temp\aimsense.exe
"C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Users\Admin\AppData\Local\Temp\auth.exe
  "C:\Users\Admin\AppData\Local\Temp\auth.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3876
- C:\Users\Admin\AppData\Local\Temp\aimsense.exe
  "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Users\Admin\AppData\Local\Temp\aimsense.exe
    "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Users\Admin\AppData\Local\Temp\auth.exe
      "C:\Users\Admin\AppData\Local\Temp\auth.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3756
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        5⤵
        
        PID:5048
  - - C:\Users\Admin\AppData\Local\Temp\aimsense.exe
      "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4224
    - - C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1644
      - C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        8⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        9⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        10⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        11⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        12⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        12⤵
        Executes dropped EXE
        
        PID:4352
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        13⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        12⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        13⤵
        Executes dropped EXE
        
        PID:3740
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        14⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        13⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        14⤵
        Executes dropped EXE
        
        PID:4276
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        15⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        14⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        15⤵
        Executes dropped EXE
        
        PID:4688
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        16⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        15⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        16⤵
        Executes dropped EXE
        
        PID:4880
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        17⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        16⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        17⤵
        Executes dropped EXE
        
        PID:1724
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        18⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        17⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        18⤵
        Executes dropped EXE
        
        PID:408
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        19⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        18⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        19⤵
        Executes dropped EXE
        
        PID:752
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        20⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        19⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        20⤵
        Executes dropped EXE
        
        PID:4540
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        21⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        20⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        21⤵
        Executes dropped EXE
        
        PID:2084
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        22⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        21⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        22⤵
        Executes dropped EXE
        
        PID:1640
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        23⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        22⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        23⤵
        Executes dropped EXE
        
        PID:2468
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        24⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        23⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        24⤵
        Executes dropped EXE
        
        PID:424
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        25⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        24⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        25⤵
        Executes dropped EXE
        
        PID:2772
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        26⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        25⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        26⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        27⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        26⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        27⤵
        Executes dropped EXE
        
        PID:4756
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        28⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        27⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        28⤵
        Executes dropped EXE
        
        PID:2752
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        29⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        28⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        29⤵
        Executes dropped EXE
        
        PID:4800
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        30⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        29⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        30⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        31⤵
        Executes dropped EXE
        
        PID:2136
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        32⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        31⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        32⤵
        Executes dropped EXE
        
        PID:824
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        33⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        32⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        33⤵
        Executes dropped EXE
        
        PID:4300
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        34⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        33⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        34⤵
        Executes dropped EXE
        
        PID:5028
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        35⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        34⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        35⤵
        Executes dropped EXE
        
        PID:404
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        36⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        35⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        36⤵
        Executes dropped EXE
        
        PID:2412
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        37⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        36⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        37⤵
        Executes dropped EXE
        
        PID:2068
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        38⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        37⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        38⤵
        Executes dropped EXE
        
        PID:3736
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        39⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        38⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        39⤵
        Executes dropped EXE
        
        PID:2312
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        40⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        39⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        40⤵
        Executes dropped EXE
        
        PID:752
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        41⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        40⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        41⤵
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        42⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        41⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        42⤵
        Executes dropped EXE
        
        PID:4216
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        43⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        42⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        43⤵
        Executes dropped EXE
        
        PID:3028
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        44⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        43⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        44⤵
        Executes dropped EXE
        
        PID:68
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        45⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        44⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        45⤵
        Executes dropped EXE
        
        PID:1080
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        46⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        45⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        46⤵
        Executes dropped EXE
        
        PID:744
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        47⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        46⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        47⤵
        Executes dropped EXE
        
        PID:4224
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        48⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        47⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        48⤵
        Executes dropped EXE
        
        PID:4872
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        49⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        48⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        49⤵
        Executes dropped EXE
        
        PID:4864
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        50⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        49⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        50⤵
        Executes dropped EXE
        
        PID:2020
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        51⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        50⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        51⤵
        Executes dropped EXE
        
        PID:4964
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        52⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        51⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        52⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        53⤵
        Executes dropped EXE
        
        PID:2972
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        54⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        53⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        54⤵
        Executes dropped EXE
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        54⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        55⤵
        Executes dropped EXE
        
        PID:372
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        56⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        55⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        56⤵
        Executes dropped EXE
        
        PID:4032
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        57⤵
        
        PID:196
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        56⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        57⤵
        Executes dropped EXE
        
        PID:2516
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        58⤵
        
        PID:204
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        57⤵
        
        PID:508
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        58⤵
        Executes dropped EXE
        
        PID:1856
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        59⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        58⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        59⤵
        Executes dropped EXE
        
        PID:4292
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        60⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        59⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        60⤵
        Executes dropped EXE
        
        PID:3792
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        61⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        60⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        61⤵
        Executes dropped EXE
        
        PID:2784
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        62⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        61⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        62⤵
        Executes dropped EXE
        
        PID:3552
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        63⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        62⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        63⤵
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        64⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        63⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        64⤵
        Executes dropped EXE
        
        PID:5108
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        65⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        64⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        65⤵
        Executes dropped EXE
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        65⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        66⤵
        
        PID:392
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        67⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        66⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        67⤵
        
        PID:4408
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        68⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        67⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        68⤵
        
        PID:1588
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        69⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        68⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        69⤵
        
        PID:4572
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        70⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\aimsense.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimsense.exe"
        69⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        52⤵
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        53⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        30⤵
        Executes dropped EXE
        
        PID:2820
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        31⤵
        
        PID:2860
      - C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        
        PID:2216
    - - C:\Users\Admin\AppData\Local\Temp\auth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\auth.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1748
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        
        PID:4616
- - C:\Users\Admin\AppData\Local\Temp\auth.exe
    "C:\Users\Admin\AppData\Local\Temp\auth.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1020
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\aimsense.exe.log

Filesize
654B

MD5
16c5fce5f7230eea11598ec11ed42862

SHA1
75392d4824706090f5e8907eee1059349c927600

SHA256
87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

SHA512
153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\auth.exe.log

Filesize
1KB

MD5
53ea0a2251276ba7ae39b07e6116d841

SHA1
5f591af152d71b2f04dfc3353a1c96fd4153117d

SHA256
3f7b0412c182cbdefb3eedafe30233d209d734b1087234ac15409636006b3302

SHA512
cf63abfe61389f241755eef4b8ed0f41701568b79d1263e885f8989ce3eca6bf9f8d5805b4cc7304aaaa5c7e14122b0d15bd9948e47108107bbb7219fd498306

Download Submit
C:\Users\Admin\AppData\Local\Temp\auth.exe

Filesize
65KB

MD5
4b41ad6c0f7ed4d17329583e333d5f7a

SHA1
7ac6108419126f29110e9a908233274dd63c5a91

SHA256
71801b88c8ab264085bf6d61beb4181b3b49a679f17ab3925cf333ce39f81e21

SHA512
293671c7ddcddc3331086f1d445e53264b397715989be06bbcb145e9986efd940e8e94c022689b41e2e24d7bf9fed88aae3492db9120c0e4e6c4a8b832d69940

Download Submit
C:\Users\Admin\AppData\Local\Temp\auth.exe

Filesize
231KB

MD5
4e62bcc861008fccf8017a90c9d9fa17

SHA1
267c87bfcfb65a2be5516874b9edf9a76f46409b

SHA256
53681696ea3e42e5dadb92a1d0686a36d024aa7fbad9cadbdc02a97331da5a37

SHA512
a1e65c6a255bc9f7c962d8cd9fe03e1a1d4564fc0f38b6df4f6664d28e0010a255ab3d956bc7ad4acad5311b079536b16da3c48d76bff93284e8b36de715555b

Download Submit
memory/520-102-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/520-112-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/520-106-0x000000001B300000-0x000000001B310000-memory.dmp

Filesize
64KB

Download
memory/596-95-0x000000001B4C0000-0x000000001B4D0000-memory.dmp

Filesize
64KB

Download
memory/596-92-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/596-101-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/928-79-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/928-74-0x000000001B840000-0x000000001B850000-memory.dmp

Filesize
64KB

Download
memory/928-70-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/1020-27-0x00000231B5790000-0x00000231B57A0000-memory.dmp

Filesize
64KB

Download
memory/1020-25-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/1020-28-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/1644-52-0x000000001BAB0000-0x000000001BAC0000-memory.dmp

Filesize
64KB

Download
memory/1644-49-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/1644-58-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/1748-48-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/1748-50-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/1748-46-0x000002812CF20000-0x000002812CF30000-memory.dmp

Filesize
64KB

Download
memory/1976-26-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/1976-30-0x0000000002F50000-0x0000000002F60000-memory.dmp

Filesize
64KB

Download
memory/1976-35-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/2024-62-0x000000001B500000-0x000000001B510000-memory.dmp

Filesize
64KB

Download
memory/2024-59-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/2024-68-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/2312-117-0x000000001B730000-0x000000001B740000-memory.dmp

Filesize
64KB

Download
memory/2312-113-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/2576-81-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/2576-85-0x000000001B700000-0x000000001B710000-memory.dmp

Filesize
64KB

Download
memory/2576-90-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/2628-11-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/2628-3-0x000000001B030000-0x000000001B040000-memory.dmp

Filesize
64KB

Download
memory/2628-1-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/2628-0-0x0000000000300000-0x000000000032C000-memory.dmp

Filesize
176KB

Download
memory/3036-91-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/3036-93-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/3584-15-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/3584-8-0x000001D166F40000-0x000001D166F80000-memory.dmp

Filesize
256KB

Download
memory/3584-10-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/3584-13-0x000001D169510000-0x000001D169520000-memory.dmp

Filesize
64KB

Download
memory/3704-115-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/3704-114-0x000001A272160000-0x000001A272170000-memory.dmp

Filesize
64KB

Download
memory/3704-111-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/3756-39-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/3756-36-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/3756-38-0x00000192D62D0000-0x00000192D62E0000-memory.dmp

Filesize
64KB

Download
memory/4176-57-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/4176-60-0x000001C3DEB80000-0x000001C3DEB90000-memory.dmp

Filesize
64KB

Download
memory/4176-61-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/4180-17-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/4180-12-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/4180-24-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/4192-104-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/4192-103-0x00000283E3370000-0x00000283E3380000-memory.dmp

Filesize
64KB

Download
memory/4192-100-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/4220-83-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/4220-82-0x00000210D6630000-0x00000210D6640000-memory.dmp

Filesize
64KB

Download
memory/4220-80-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/4224-37-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/4224-47-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/4224-41-0x000000001B510000-0x000000001B520000-memory.dmp

Filesize
64KB

Download
memory/4352-122-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/5028-71-0x0000021DF4870000-0x0000021DF4880000-memory.dmp

Filesize
64KB

Download
memory/5028-69-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download
memory/5028-72-0x00007FFD3AD70000-0x00007FFD3B75C000-memory.dmp

Filesize
9.9MB

Download