Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-10-2024 01:43

Static task: static1

Behavioral task: behavioral1
Sample: 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
Resource: win10v2004-20241007-en

General
Target: 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
Size: 8.3MB
MD5: cc3900283ad1f0510359ead309e8debf
SHA1: 3f01dbc84e7e8e72349076989f1494424a9d1eb5
SHA256: d7b9db3f4ed6992d352248122cbc286a32a3555648b33115f6fe8672aa7bc8fe
SHA512: 3503ac7a0988f52b20639e59f687bd002fac53c301704407b6f4d655b3212f9e041a040f6ebe41d0b53f9dc69381a93b69be4b9349106a8adde42a2e0b46e434
SSDEEP: 49152:MjFPJxCznE3RyDkyDHCHx0B2ZIvTa3DhwNcg+2gRhzY5Eaa9nllkCTmrg9JWZw10:MxWz8H1ZIvIPgEaa9nTF9kl3
Malware Config
Signatures
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
Drops file in Drivers directory 64 IoCs
Processes:
Manipulates Digital Signatures 4 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
Processes:
Process: 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll
File opened for modification: C:\Windows\SysWOW64\wintrust.dll
File opened for modification: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll
File opened for modification: C:\Windows\System32\wintrust.dll
Boot or Logon Autostart Execution: Print Processors 1 TTPs 1 IoCs
Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
Processes:
Process: 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification: C:\Windows\System32\spool\prtprocs\x64\winprint.dll
Drops startup file 1 IoCs
Processes:
Process: 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
Indicator Removal: Clear Windows Event Logs 1 TTPs 64 IoCs
Clear Windows Event Logs to hide the activity of an intrusion.
Processes:
Loads dropped DLL 8 IoCs
Processes:
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) 64 IoCs
Processes:
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
description | ioc | process
File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_10.0.19041.1_none_3802d0d85b60df4c\autorun.inf | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
Drops file in System32 directory 64 IoCs
Processes:
2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
description | ioc | process
File opened for modification | C:\Windows\System32\migwiz\SFLISTW7.dat | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\uk-UA\wercplsupport.dll.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\wbem\en-US\schedprov.mfl | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\migwiz\replacementmanifests\authui-Migration-Win8-Replacement.man | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\wbem\AutoRecover\1364A1ACC2D182FC0E95C7573ADD0308.mof | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\ja-jp\dhcpcore.dll.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\Dism\de-DE\LogProvider.dll.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\DriverStore\it-IT\nete1g3e.inf_loc | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\es-ES\pshed.dll.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\fr-FR\fidocredprov.dll.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\it-IT\winethc.dll.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\ja-jp\xmlfilter.dll.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\SysWOW64\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-1-ul-store-rtm.xrm-ms | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-EmbeddedExp-Package~31bf3856ad364e35~amd64~~10.0.19041.1266.cat | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\PerceptionSimulation\es-ES\PerceptionSimulationService.exe.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\MsDtc\MsDtc.Types.ps1xml | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\es-ES\Windows.UI.CredDialogController.dll.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\de-DE\DafPrintProvider.dll.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\wbem\AutoRecover\FE7DD380036BD93A59C38786492E170F.mof | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\SysWOW64\de-DE\wimgapi.dll.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\SysWOW64\downlevel\api-ms-win-core-profile-l1-1-0.dll | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\SysWOW64\dsregtask.dll | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Storage-VSP-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\Microsoft\Protect\S-1-5-18\ff9ab334-e2df-4889-bbdf-1bffce6ec6ae | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\ja-jp\wcncsvc.dll.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\ja-jp\wlanext.exe.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\mfc120jpn.dll | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Embedded-UnifiedWriteFilterCSP-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\qca9377_2_0.bin | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\es-ES\socialapis.dll.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\it-IT\DAConn.dll.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\it-IT\sscore.dll.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Lxss-Optional-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\fr-FR\energy.dll.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\DriverStore\it-IT\smrvolume.inf_loc | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\it-IT\APHostRes.dll.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\wbem\fr-FR\WdacWmiProv_Uninstall.mfl | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\es-ES\sndvol.exe.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\fr-FR\adsnt.dll.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\SysWOW64\OpenWith.exe | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\SysWOW64\odbccp32.dll | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-EditionSpecific-Professional-Package~31bf3856ad364e35~amd64~~10.0.19041.264.cat | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\amdsata.inf_amd64_ea60132f1a9a7a62\amdsata.inf | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\de-DE\VaultRoaming.dll.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\DriverStore\en-US\c_firmware.inf_loc | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\dssenh.dll | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\es-ES\ssText3d.scr.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\ja-jp\dssvc.dll.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\SysWOW64\wcmapi.dll | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\ja-jp\photowiz.dll.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\uk-UA\cob-au.rs.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\uk-UA\rasapi32.dll.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\SysWOW64\Windows.Storage.Compression.dll | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\en-US\Clipc.dll.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\en-US\OpenWith.exe.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\es-ES\pcasvc.dll.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\fr-FR\pnppolicy.dll.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\it-IT\Windows.UI.Immersive.dll.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Remotefx-Clientvm-Rdvgwddmdx11-Package~31bf3856ad364e35~amd64~~10.0.19041.928.cat | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\CertPolEng.dll | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\DriverStore\es-ES\netsstpa.inf_loc | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\fr-FR\shrpubw.exe.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\it-IT\Windows.Internal.Management.dll.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\System32\fr-FR\sdiageng.dll.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
Modifies termsrv.dll 1 TTPs 1 IoCs
Commonly used to allow simultaneous RDP sessions.
Processes:
2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
description | ioc | process
File opened for modification | C:\Windows\System32\termsrv.dll | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wp2068222868.jpg" | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
Drops file in Program Files directory 64 IoCs
Processes:
2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
description | ioc | process
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationCore.resources.dll | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover_2x.png | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\7-Zip\Lang\el.txt | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailBadge.scale-150.png | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\SmallTile.scale-125.png | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\Square44x44Logo.scale-200.png | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\animations\OneNoteFirstRunCarousel_Animation1.mp4 | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-48.png | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailMediumTile.scale-100.png | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-cn\ui-strings.js | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\UCRTBASE.DLL | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\librtp_plugin.dll | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Threading.Tasks.Extensions.dll | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onresim.dll | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.dll | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ppd.xrm-ms | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ppd.xrm-ms | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libsdl_image_plugin.dll | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\27.jpg | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\typing\bubble\light.gif | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\resources.pri | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_am.dll | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostTitle.XSL | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PG_INDEX.XML | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Memory.dll | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ONBttnWD.dll | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageBadgeLogo.scale-100_contrast-black.png | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-72.png | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\bl.gif | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\scan_poster.jpg | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\hu-hu\ui-strings.js | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ul-oob.xrm-ms | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\WideTile.scale-125.png | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeMedTile.scale-100_contrast-black.png | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-80.png | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldThrow.snippets.ps1xml | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libvorbis_plugin.dll | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-20.png | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\en-US\WMPMediaSharing.dll.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\wmlaunch.exe | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\SmallTile.scale-200.png | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\MEIPreload\preloaded_data.pb | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\xmsrv_xl.dll | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File created | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\README.txt | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN044.XML | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\svgCheckboxSelected.svg | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-80_altform-unplated_contrast-black.png | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\Microsoft.PackageManagement.MetaProvider.PowerShell.resources.dll | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\Sunset.png | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-ae\ui-strings.js | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\7-Zip\Lang\kaa.txt | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_elf.dll | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupSmallTile.scale-400.png | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.DataSetExtensions.dll | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.PasswordManager.dll | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\Filter.png | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsStoreLogo.contrast-black_scale-100.png | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.ReaderWriter.dll | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
Drops file in Windows directory 64 IoCs
Processes:
2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
description | ioc | process
File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-profsvc_31bf3856ad364e35_10.0.19041.1266_none_70772af2e7de61d2_profsvc.dll_a428cc3f | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-webauthn.resources_31bf3856ad364e35_10.0.19041.1_de-de_2e39fba38cc03f66_webauthn.dll.mui_acc69b8d | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\Manifests\x86_microsoft-windows-i..2platform.resources_31bf3856ad364e35_11.0.19041.1_uk-ua_6c6234ba4e286635.manifest | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-Lxss-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-Client-Features-Package0215~31bf3856ad364e35~amd64~~10.0.19041.906.mum | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_mchgr.inf.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_85de36266591ac11.manifest | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-p..gssystems.resources_31bf3856ad364e35_10.0.19041.1_it-it_9e9d626e42831e97\pegi.rs.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..rvices-perfcounters_31bf3856ad364e35_10.0.19041.1_none_00c2ffd3e29a5ade\tslabels.ini | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-appresolver_31bf3856ad364e35_10.0.19041.264_none_1a2b144a111c9ed8\f\AppResolver.dll | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-m..ponents-jetxbasepdx_31bf3856ad364e35_10.0.19041.450_none_13db2461c744b587\f\msxbde40.dll | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-s..s-svchost.resources_31bf3856ad364e35_10.0.19041.1_es-es_07055b4146fe1b90.manifest | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-trustedinstaller_31bf3856ad364e35_10.0.19041.1202_none_05cd606e025d0d96.manifest | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-u..trolpoint.resources_31bf3856ad364e35_10.0.19041.1_en-us_0e52f0796885f010.manifest | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.19041.844_none_d9eb415c5b9dbe4e\Square44x44Logo.targetsize-24_altform-unplated_contrast-black.png | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-Printing-WFS-FoD-Package~31bf3856ad364e35~wow64~~10.0.19041.906.mum | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-RemoteAssistance-Package-Client~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\FileMaps\$$_system32_speech_common_8c297630658eaa3d.cdf-ms | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.153_none_c8fbed52dad932cb\reseteng.dll | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..essionmsg.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b8e67332b1a06650\sessionmsg.exe.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\amd64_networking-mpssvc-ui_31bf3856ad364e35_10.0.19041.746_none_56616dac60d0a46a\FirewallControlPanel.dll.mun | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-d..gement-winproviders_31bf3856ad364e35_10.0.19041.1202_none_cfef4afda1c50630\GenericProvider.dll | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-profapi_31bf3856ad364e35_10.0.19041.1_none_b43a1380d0644b6a.manifest | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-rmcast.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_cc5a78f32e2d546c.manifest | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-system-user-service.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_51b111633876cd5d\usermgr.dll.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-label.resources_31bf3856ad364e35_10.0.19041.1_de-de_f3c7f2fb54abac37\label.exe.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.19041.1_en-us_cf40d9de622dc31f\tsdiscon.exe.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-msmpeg2enc.resources_31bf3856ad364e35_10.0.19041.1_es-es_cbccaefe47dfde90\msmpeg2enc.dll.mui | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-WMPNetworkSharingService-Opt-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.mum | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lua-onecore.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_cff7aaf340ea7179.manifest | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-d..definition-security_31bf3856ad364e35_10.0.19041.1_none_d167f7541a7e2afd.manifest | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-edp-util.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b8f9387a2e289e02.manifest | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-b..core-fonts-chs-boot_31bf3856ad364e35_10.0.19041.1_none_8ad4cb82aed2b7dd\msyhn_boot.ttf | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..rofessional-license_31bf3856ad364e35_10.0.19041.1266_none_f0b32d4cab130f07\r\Professional-Volume-MAK-1-ul-phn-rtm.xrm-ms | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-DirectoryServices-ADAM-Tools-Opt-merged-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-Editions-Professional-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.mum | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\setUpAuthentication.aspx | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\PLA\Reports\en-US\Report.System.Disk.xml | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\breakpoints.css | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..peech-fr-fr-onecore_31bf3856ad364e35_10.0.19041.1_none_926835e1ef93be8b\M1036Nathalie.tdat | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-w..lity-base.resources_31bf3856ad364e35_10.0.19041.1_en-us_dc060427766d0913\csv.xsl | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-p..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_en-us_eab513f4d6e8b127.manifest | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-d..ment-dmiso8601utils_31bf3856ad364e35_10.0.19041.1_none_2d0e21ae214fbb3a.manifest | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\amd64_wms-chm.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_94bb7d2d92dd97e4\WmsManager.CHM | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-sfc_31bf3856ad364e35_10.0.19041.546_none_8f83b49eef61b1ea\sfc.dll | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-syncsettings.resources_31bf3856ad364e35_10.0.19041.1_en-us_b0d60f940f9f0486.manifest | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-iis-corewebengine_31bf3856ad364e35_10.0.19041.906_none_b82340c1bc544e67.manifest | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\Temp\PendingDeletes\5a5c374536e5d7018e9a00001815341f.infoadmn.dll | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell-acccursors_31bf3856ad364e35_10.0.19041.1_none_9a6291031bb04388\beam_i.cur | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\msil_miguicontrols_31bf3856ad364e35_10.0.19041.1_none_081b4a8e239b2852\MIGUIControls.dll | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-EnterpriseClientSync-Host-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\FileMaps\$$_inf_wsearchidxpi_0c0a_2e6e3c70af9fd034.cdf-ms | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_dual_mdmnis2u.inf_31bf3856ad364e35_10.0.19041.1_none_49b4e3851490a524.manifest | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-netbios-netapi_31bf3856ad364e35_10.0.19041.1_none_98a4c27b24bcf694.manifest | 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-font-fms.resources_31bf3856ad364e35_10.0.19041.1_et-ee_b200d412aa35ab14\fms.dll.mui
2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\GenericCover.png 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-c..egrity-driverpolicy_31bf3856ad364e35_10.0.19041.1_none_6a270ae8836eb4ca.manifest 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe File opened for modification C:\Windows\WinSxS\amd64_netlldpagentwmiprovider.resources_31bf3856ad364e35_10.0.19041.1_it-it_afd28fcfbf7ff908\NetLldpAgentWmiProvider_Uninstall.mfl 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-e..-unifiedwritefilter_31bf3856ad364e35_10.0.19041.1266_none_1b551d24715cc2ce\r\uwfwmi.dll 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-quickassist.resources_31bf3856ad364e35_10.0.19041.1_it-it_4f3dfceb6758f834\quickassist.exe.mui 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_10.0.19041.1_zh-cn_1c22a0396404f47d\comctl32.dll.mui 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\AppSetting.ascx.es.resx 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-printing-eduprintprov_31bf3856ad364e35_10.0.19041.1_none_67326312c2487423.manifest 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe File opened for modification 
C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-t..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_it-it_7c5489238b20e10c.manifest 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-consolelogon-library_31bf3856ad364e35_10.0.19041.264_none_6336533b85d8e590\f\ConsoleLogon.dll 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exe
  pid: 2284   process: vssadmin.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exe
  description: Token: SeBackupPrivilege    pid: 548   process: vssvc.exe
  description: Token: SeRestorePrivilege   pid: 548   process: vssvc.exe
  description: Token: SeAuditPrivilege     pid: 548   process: vssvc.exe
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
  description: PID 4092 wrote to memory of 2284   pid: 4092   process: 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe   target process: vssadmin.exe
  description: PID 4092 wrote to memory of 2284   pid: 4092   process: 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe   target process: vssadmin.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe"
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Boot or Logon Autostart Execution: Print Processors
- Drops startup file
- Indicator Removal: Clear Windows Event Logs
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies termsrv.dll
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4092 -
  C:\Windows\system32\vssadmin.exe
  vssadmin delete shadows /for=norealvolume /all /quiet
  - Interacts with shadow copies
  PID:2284
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:548
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
  Direct Volume Access 1
  Indicator Removal 3
    Clear Windows Event Logs 1
    File Deletion 2
  Modify Registry 1
Credential Access
  Credentials from Password Stores 1
    Credentials from Web Browsers 1
  Unsecured Credentials 1
    Credentials In Files 1
Downloads
-
Filesize: 363B
MD5: 8d0d9af608e122e3e2cd0712d6d33d7e
SHA1: 2563fc07c8e4f074e5bcca7be50e3045f34ff3f0
SHA256: 0252d98b5e81efbb710488135fc298b2e4f521aa0384e9ce5fb0a604f3e357f5
SHA512: 90a431f7cdabc8fa12c59783fc7524f316d61ab4ff806dc88093680f4a44ef4fe62337b270a99e03dc5b1f5439a36e2a8472ffb7b7499186d227dc24763d50fc
-
Filesize: 279KB
MD5: 7efcf0111eb7a22aec8410d6a427b328
SHA1: d6828e7c4fb2789da55899e69c6197eaf4017b88
SHA256: 7a83319f41c626818556e406b5b664aa4c102cb851269e9becbe3041bde4368a
SHA512: c1526e7bfe3c9f5d9ea9ab0f18d555e01f107ec56123ab83b8677ac24da57e206fb02a0148d2ae08ceba6ec4c10f42a46b0093e2324c0d723f09ec1fd4f43d97
-
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll
Filesize: 1.7MB
MD5: c606bd7c9c733dd27f74157c34e51742
SHA1: aab92689723449fbc3e123fb614dd536a74b74d4
SHA256: 606390649012b31b5d83630f1186562e4b1ce4023d8870d8c29eb62e7e0769e0
SHA512: 5f8fabe3d9753413d1aedcc76b9568c50dd25a5a6aeacd1ce88aecc28c0ba96dac80177679d380708213a0997946e49383bdaca7114c8c9526a24ed999194e38
-
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msvcp140.dll
Filesize: 613KB
MD5: c1b066f9e3e2f3a6785161a8c7e0346a
SHA1: 8b3b943e79c40bc81fdac1e038a276d034bbe812
SHA256: 99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd
SHA512: 36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728
-
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vcruntime140.dll
Filesize: 83KB
MD5: 1453290db80241683288f33e6dd5e80e
SHA1: 29fb9af50458df43ef40bfc8f0f516d0c0a106fd
SHA256: 2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c
SHA512: 4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91