2b5bce8623468a2e58c6cc817c1556dd1ef69cb184083a2d8d68a1bb78cbc2d2

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe
Size

15.0MB
MD5

31fcfe752d30c3f9cfb212a5f58568a7
SHA1

e1c2fd2db1294153fe1ffcf7fa5d40f96767bad2
SHA256

2b5bce8623468a2e58c6cc817c1556dd1ef69cb184083a2d8d68a1bb78cbc2d2
SHA512

4341b3474fdec168565f45008495c194f310995452c71d7c92aec8427031b3c0e4b9b6d1217be5386d8ce9bc9eccfd862dada7fbb0e625b946a25997e4f355d6
SSDEEP

196608:zvTCF+0B6s7Vq1QpUPZ7ubMgFKcnSJiZKi9m2gB6bIK6w3:3w+M6GVYQpUP0xnS0m2gB6bII

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	discord.com
5	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org
3	api.ipify.org

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	348	wmic.exe
Token: SeSecurityPrivilege	348	wmic.exe
Token: SeTakeOwnershipPrivilege	348	wmic.exe
Token: SeLoadDriverPrivilege	348	wmic.exe
Token: SeSystemProfilePrivilege	348	wmic.exe
Token: SeSystemtimePrivilege	348	wmic.exe
Token: SeProfSingleProcessPrivilege	348	wmic.exe
Token: SeIncBasePriorityPrivilege	348	wmic.exe
Token: SeCreatePagefilePrivilege	348	wmic.exe
Token: SeBackupPrivilege	348	wmic.exe
Token: SeRestorePrivilege	348	wmic.exe
Token: SeShutdownPrivilege	348	wmic.exe
Token: SeDebugPrivilege	348	wmic.exe
Token: SeSystemEnvironmentPrivilege	348	wmic.exe
Token: SeRemoteShutdownPrivilege	348	wmic.exe
Token: SeUndockPrivilege	348	wmic.exe
Token: SeManageVolumePrivilege	348	wmic.exe
Token: 33	348	wmic.exe
Token: 34	348	wmic.exe
Token: 35	348	wmic.exe
Token: SeIncreaseQuotaPrivilege	348	wmic.exe
Token: SeSecurityPrivilege	348	wmic.exe
Token: SeTakeOwnershipPrivilege	348	wmic.exe
Token: SeLoadDriverPrivilege	348	wmic.exe
Token: SeSystemProfilePrivilege	348	wmic.exe
Token: SeSystemtimePrivilege	348	wmic.exe
Token: SeProfSingleProcessPrivilege	348	wmic.exe
Token: SeIncBasePriorityPrivilege	348	wmic.exe
Token: SeCreatePagefilePrivilege	348	wmic.exe
Token: SeBackupPrivilege	348	wmic.exe
Token: SeRestorePrivilege	348	wmic.exe
Token: SeShutdownPrivilege	348	wmic.exe
Token: SeDebugPrivilege	348	wmic.exe
Token: SeSystemEnvironmentPrivilege	348	wmic.exe
Token: SeRemoteShutdownPrivilege	348	wmic.exe
Token: SeUndockPrivilege	348	wmic.exe
Token: SeManageVolumePrivilege	348	wmic.exe
Token: 33	348	wmic.exe
Token: 34	348	wmic.exe
Token: 35	348	wmic.exe
Token: SeIncreaseQuotaPrivilege	2072	wmic.exe
Token: SeSecurityPrivilege	2072	wmic.exe
Token: SeTakeOwnershipPrivilege	2072	wmic.exe
Token: SeLoadDriverPrivilege	2072	wmic.exe
Token: SeSystemProfilePrivilege	2072	wmic.exe
Token: SeSystemtimePrivilege	2072	wmic.exe
Token: SeProfSingleProcessPrivilege	2072	wmic.exe
Token: SeIncBasePriorityPrivilege	2072	wmic.exe
Token: SeCreatePagefilePrivilege	2072	wmic.exe
Token: SeBackupPrivilege	2072	wmic.exe
Token: SeRestorePrivilege	2072	wmic.exe
Token: SeShutdownPrivilege	2072	wmic.exe
Token: SeDebugPrivilege	2072	wmic.exe
Token: SeSystemEnvironmentPrivilege	2072	wmic.exe
Token: SeRemoteShutdownPrivilege	2072	wmic.exe
Token: SeUndockPrivilege	2072	wmic.exe
Token: SeManageVolumePrivilege	2072	wmic.exe
Token: 33	2072	wmic.exe
Token: 34	2072	wmic.exe
Token: 35	2072	wmic.exe
Token: SeIncreaseQuotaPrivilege	2072	wmic.exe
Token: SeSecurityPrivilege	2072	wmic.exe
Token: SeTakeOwnershipPrivilege	2072	wmic.exe
Token: SeLoadDriverPrivilege	2072	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 348	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	32
PID 1988 wrote to memory of 348	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	32
PID 1988 wrote to memory of 348	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	32
PID 1988 wrote to memory of 2072	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	34
PID 1988 wrote to memory of 2072	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	34
PID 1988 wrote to memory of 2072	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	34
PID 1988 wrote to memory of 2716	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	35
PID 1988 wrote to memory of 2716	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	35
PID 1988 wrote to memory of 2716	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	35
PID 1988 wrote to memory of 2880	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	36
PID 1988 wrote to memory of 2880	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	36
PID 1988 wrote to memory of 2880	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	36
PID 1988 wrote to memory of 864	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	37
PID 1988 wrote to memory of 864	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	37
PID 1988 wrote to memory of 864	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	37
PID 1988 wrote to memory of 2900	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	38
PID 1988 wrote to memory of 2900	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	38
PID 1988 wrote to memory of 2900	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	38
PID 1988 wrote to memory of 2688	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	39
PID 1988 wrote to memory of 2688	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	39
PID 1988 wrote to memory of 2688	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	39
PID 1988 wrote to memory of 2844	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	40
PID 1988 wrote to memory of 2844	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	40
PID 1988 wrote to memory of 2844	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	40
PID 1988 wrote to memory of 2736	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	41
PID 1988 wrote to memory of 2736	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	41
PID 1988 wrote to memory of 2736	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	41
PID 1988 wrote to memory of 2580	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	42
PID 1988 wrote to memory of 2580	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	42
PID 1988 wrote to memory of 2580	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	42
PID 1988 wrote to memory of 2644	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	43
PID 1988 wrote to memory of 2644	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	43
PID 1988 wrote to memory of 2644	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	43
PID 1988 wrote to memory of 2096	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	44
PID 1988 wrote to memory of 2096	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	44
PID 1988 wrote to memory of 2096	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	44
PID 1988 wrote to memory of 1088	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	45
PID 1988 wrote to memory of 1088	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	45
PID 1988 wrote to memory of 1088	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	45
PID 1988 wrote to memory of 1028	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	46
PID 1988 wrote to memory of 1028	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	46
PID 1988 wrote to memory of 1028	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	46
PID 1988 wrote to memory of 2936	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	47
PID 1988 wrote to memory of 2936	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	47
PID 1988 wrote to memory of 2936	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	47
PID 1988 wrote to memory of 2808	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	48
PID 1988 wrote to memory of 2808	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	48
PID 1988 wrote to memory of 2808	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	48
PID 1988 wrote to memory of 2932	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	49
PID 1988 wrote to memory of 2932	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	49
PID 1988 wrote to memory of 2932	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	49
PID 1988 wrote to memory of 1316	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	50
PID 1988 wrote to memory of 1316	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	50
PID 1988 wrote to memory of 1316	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	50
PID 1988 wrote to memory of 2640	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	51
PID 1988 wrote to memory of 2640	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	51
PID 1988 wrote to memory of 2640	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	51
PID 1988 wrote to memory of 1596	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	52
PID 1988 wrote to memory of 1596	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	52
PID 1988 wrote to memory of 1596	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	52
PID 1988 wrote to memory of 268	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	53
PID 1988 wrote to memory of 268	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	53
PID 1988 wrote to memory of 268	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	53
PID 1988 wrote to memory of 3056	1988	2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe	54

C:\Users\Admin\AppData\Local\Temp\2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-10_31fcfe752d30c3f9cfb212a5f58568a7_poet-rat_snatch.exe"
1⤵
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:348
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2716
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2880
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:864
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2900
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2688
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2844
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2736
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2580
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2644
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2096
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:1088
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:1028
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2936
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2808
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2932
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:1316
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2640
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:1596
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:268
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:3056
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2448
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:1852
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2360
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2124
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:1784
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:424
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2968
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:944
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:1496
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:1656
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:900
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:1652
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2212
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:1508
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2248
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2364
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:1304
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2512
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2144
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:996
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2352
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:1984
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:1576
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:348
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2072
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2716
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2860
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2036
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2956
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2744
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2564
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2636
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2616
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2196
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:848
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2964
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2812
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2916
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2300
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:1292
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2256
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:308
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2376
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2284
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:1192
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2056
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2092
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:1472
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:1524
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2548
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:300
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:1856
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2040
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2000
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:1836
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:580
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2188
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:772
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:1048
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2488
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:1820
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2220
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:1100
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2492
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:1964
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:1572
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:536
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2680
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2772
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2892
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2720
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2076
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2732
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2148
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab204F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2061.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit