Analysis Overview
SHA256
d7b9db3f4ed6992d352248122cbc286a32a3555648b33115f6fe8672aa7bc8fe
Threat Level: Likely malicious
The file 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch was found to be: Likely malicious.
Malicious Activity Summary
Deletes shadow copies
Drops file in Drivers directory
Manipulates Digital Signatures
Drops startup file
Loads dropped DLL
Indicator Removal: Clear Windows Event Logs
Boot or Logon Autostart Execution: Print Processors
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Modifies termsrv.dll
Drops file in System32 directory
Drops autorun.inf file
Sets desktop wallpaper using registry
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Uses Volume Shadow Copy service COM API
Suspicious use of AdjustPrivilegeToken
Interacts with shadow copies
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-18 01:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-18 01:43
Reported
2024-10-18 01:45
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Deletes shadow copies
Drops file in Drivers directory
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wintrust.dll | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\wintrust.dll | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
Boot or Logon Autostart Execution: Print Processors
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\spool\prtprocs\x64\winprint.dll | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
Indicator Removal: Clear Windows Event Logs
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4ActionCenter.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4AppDefaults.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Application.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-AAD%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeployment%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-VHDMP-Operational.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Setup.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Key Management Service.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4WHC.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Partition%4Diagnostic.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppReadiness%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-HotspotAuth%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppReadiness%4Admin.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceSetupManager%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-PnP%4Driver Watchdog.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Maintenance.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsBackup%4ActionCenter.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\HardwareEvents.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-LiveId%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Restricted.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-PnP%4Configuration.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Provisioning-Diagnostics-Provider%4ManagementService.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-ConnectedAccountState%4ActionCenter.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Device Registration%4Admin.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-VDRVROOT%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\System.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Audio%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-TWinUI%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Biometrics%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBClient%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Security.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SettingSync%4Debug.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-BitLocker%4BitLocker Management.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-BindFlt%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Connectivity.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Time-Service%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-UserPnp%4DeviceInstall.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Steps-Recorder.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-NCrypt%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Store%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_10.0.19041.1_none_19358785a81a86d6\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-programfiles_31bf3856ad364e35_10.0.19041.1_none_cb8c8caad1a2ad44\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-public_31bf3856ad364e35_10.0.19041.1_none_0cf1a65e91dfb2be\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.0.19041.1_none_4b0e6b545bf0f4e7\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\Fonts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-publiclibraries_31bf3856ad364e35_10.0.19041.1_none_cbd9ad4986c925d5\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commondesktop_31bf3856ad364e35_10.0.19041.1_none_a81a33274fb1b624\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_10.0.19041.1_none_345e4e1d2701732b\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\Downloaded Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_10.0.19041.1_none_d9f53b39b3834744\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondocuments_31bf3856ad364e35_10.0.19041.1_none_04c252e5678f305a\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\Media\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.0.19041.1_none_2108f0881e5a7a03\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\Web\Wallpaper\Theme1\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commonstartmenu_31bf3856ad364e35_10.0.19041.1_none_f6eee8789c1c6fdd\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_10.0.19041.1_none_be359f0533764571\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commonstartup_31bf3856ad364e35_10.0.19041.1_none_b2014b56ea660ec9\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_10.0.19041.1_none_d69cbb4282e4fe2c\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_10.0.19041.1_none_3802d0d85b60df4c\autorun.inf | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
Drops file in System32 directory
Modifies termsrv.dll
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\termsrv.dll | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wp2068222868.jpg" | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationCore.resources.dll | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover_2x.png | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\el.txt | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailBadge.scale-150.png | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\SmallTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\Square44x44Logo.scale-200.png | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\animations\OneNoteFirstRunCarousel_Animation1.mp4 | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-48.png | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailMediumTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-cn\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\UCRTBASE.DLL | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\librtp_plugin.dll | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Threading.Tasks.Extensions.dll | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onresim.dll | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.dll | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libsdl_image_plugin.dll | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\27.jpg | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\typing\bubble\light.gif | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\resources.pri | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_am.dll | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostTitle.XSL | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PG_INDEX.XML | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Memory.dll | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ONBttnWD.dll | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageBadgeLogo.scale-100_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-72.png | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\bl.gif | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\scan_poster.jpg | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\hu-hu\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\WideTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeMedTile.scale-100_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-80.png | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldThrow.snippets.ps1xml | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libvorbis_plugin.dll | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-20.png | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\en-US\WMPMediaSharing.dll.mui | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\wmlaunch.exe | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\SmallTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\MEIPreload\preloaded_data.pb | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\xmsrv_xl.dll | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\README.txt | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN044.XML | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\svgCheckboxSelected.svg | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-80_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\Microsoft.PackageManagement.MetaProvider.PowerShell.resources.dll | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\Sunset.png | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-ae\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\kaa.txt | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_elf.dll | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupSmallTile.scale-400.png | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.DataSetExtensions.dll | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.PasswordManager.dll | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\Filter.png | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsStoreLogo.contrast-black_scale-100.png | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.ReaderWriter.dll | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-profsvc_31bf3856ad364e35_10.0.19041.1266_none_70772af2e7de61d2_profsvc.dll_a428cc3f | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-webauthn.resources_31bf3856ad364e35_10.0.19041.1_de-de_2e39fba38cc03f66_webauthn.dll.mui_acc69b8d | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\x86_microsoft-windows-i..2platform.resources_31bf3856ad364e35_11.0.19041.1_uk-ua_6c6234ba4e286635.manifest | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-Lxss-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-Client-Features-Package0215~31bf3856ad364e35~amd64~~10.0.19041.906.mum | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\amd64_mchgr.inf.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_85de36266591ac11.manifest | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-p..gssystems.resources_31bf3856ad364e35_10.0.19041.1_it-it_9e9d626e42831e97\pegi.rs.mui | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..rvices-perfcounters_31bf3856ad364e35_10.0.19041.1_none_00c2ffd3e29a5ade\tslabels.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-appresolver_31bf3856ad364e35_10.0.19041.264_none_1a2b144a111c9ed8\f\AppResolver.dll | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-m..ponents-jetxbasepdx_31bf3856ad364e35_10.0.19041.450_none_13db2461c744b587\f\msxbde40.dll | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-s..s-svchost.resources_31bf3856ad364e35_10.0.19041.1_es-es_07055b4146fe1b90.manifest | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-trustedinstaller_31bf3856ad364e35_10.0.19041.1202_none_05cd606e025d0d96.manifest | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-u..trolpoint.resources_31bf3856ad364e35_10.0.19041.1_en-us_0e52f0796885f010.manifest | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.19041.844_none_d9eb415c5b9dbe4e\Square44x44Logo.targetsize-24_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-Printing-WFS-FoD-Package~31bf3856ad364e35~wow64~~10.0.19041.906.mum | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-RemoteAssistance-Package-Client~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\FileMaps\$$_system32_speech_common_8c297630658eaa3d.cdf-ms | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.153_none_c8fbed52dad932cb\reseteng.dll | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..essionmsg.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b8e67332b1a06650\sessionmsg.exe.mui | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_networking-mpssvc-ui_31bf3856ad364e35_10.0.19041.746_none_56616dac60d0a46a\FirewallControlPanel.dll.mun | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-d..gement-winproviders_31bf3856ad364e35_10.0.19041.1202_none_cfef4afda1c50630\GenericProvider.dll | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-profapi_31bf3856ad364e35_10.0.19041.1_none_b43a1380d0644b6a.manifest | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-rmcast.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_cc5a78f32e2d546c.manifest | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-system-user-service.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_51b111633876cd5d\usermgr.dll.mui | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-label.resources_31bf3856ad364e35_10.0.19041.1_de-de_f3c7f2fb54abac37\label.exe.mui | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.19041.1_en-us_cf40d9de622dc31f\tsdiscon.exe.mui | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-msmpeg2enc.resources_31bf3856ad364e35_10.0.19041.1_es-es_cbccaefe47dfde90\msmpeg2enc.dll.mui | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-WMPNetworkSharingService-Opt-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.mum | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lua-onecore.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_cff7aaf340ea7179.manifest | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-d..definition-security_31bf3856ad364e35_10.0.19041.1_none_d167f7541a7e2afd.manifest | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-edp-util.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b8f9387a2e289e02.manifest | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-b..core-fonts-chs-boot_31bf3856ad364e35_10.0.19041.1_none_8ad4cb82aed2b7dd\msyhn_boot.ttf | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..rofessional-license_31bf3856ad364e35_10.0.19041.1266_none_f0b32d4cab130f07\r\Professional-Volume-MAK-1-ul-phn-rtm.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-DirectoryServices-ADAM-Tools-Opt-merged-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-Editions-Professional-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.mum | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\setUpAuthentication.aspx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\PLA\Reports\en-US\Report.System.Disk.xml | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\breakpoints.css | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..peech-fr-fr-onecore_31bf3856ad364e35_10.0.19041.1_none_926835e1ef93be8b\M1036Nathalie.tdat | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-w..lity-base.resources_31bf3856ad364e35_10.0.19041.1_en-us_dc060427766d0913\csv.xsl | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-p..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_en-us_eab513f4d6e8b127.manifest | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-d..ment-dmiso8601utils_31bf3856ad364e35_10.0.19041.1_none_2d0e21ae214fbb3a.manifest | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_wms-chm.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_94bb7d2d92dd97e4\WmsManager.CHM | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-sfc_31bf3856ad364e35_10.0.19041.546_none_8f83b49eef61b1ea\sfc.dll | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-syncsettings.resources_31bf3856ad364e35_10.0.19041.1_en-us_b0d60f940f9f0486.manifest | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-iis-corewebengine_31bf3856ad364e35_10.0.19041.906_none_b82340c1bc544e67.manifest | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Temp\PendingDeletes\5a5c374536e5d7018e9a00001815341f.infoadmn.dll | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell-acccursors_31bf3856ad364e35_10.0.19041.1_none_9a6291031bb04388\beam_i.cur | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\msil_miguicontrols_31bf3856ad364e35_10.0.19041.1_none_081b4a8e239b2852\MIGUIControls.dll | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-EnterpriseClientSync-Host-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\FileMaps\$$_inf_wsearchidxpi_0c0a_2e6e3c70af9fd034.cdf-ms | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\amd64_dual_mdmnis2u.inf_31bf3856ad364e35_10.0.19041.1_none_49b4e3851490a524.manifest | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-netbios-netapi_31bf3856ad364e35_10.0.19041.1_none_98a4c27b24bcf694.manifest | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-font-fms.resources_31bf3856ad364e35_10.0.19041.1_et-ee_b200d412aa35ab14\fms.dll.mui | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\GenericCover.png | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-c..egrity-driverpolicy_31bf3856ad364e35_10.0.19041.1_none_6a270ae8836eb4ca.manifest | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_netlldpagentwmiprovider.resources_31bf3856ad364e35_10.0.19041.1_it-it_afd28fcfbf7ff908\NetLldpAgentWmiProvider_Uninstall.mfl | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-e..-unifiedwritefilter_31bf3856ad364e35_10.0.19041.1266_none_1b551d24715cc2ce\r\uwfwmi.dll | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-quickassist.resources_31bf3856ad364e35_10.0.19041.1_it-it_4f3dfceb6758f834\quickassist.exe.mui | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_10.0.19041.1_zh-cn_1c22a0396404f47d\comctl32.dll.mui | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\AppSetting.ascx.es.resx | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-printing-eduprintprov_31bf3856ad364e35_10.0.19041.1_none_67326312c2487423.manifest | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-t..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_it-it_7c5489238b20e10c.manifest | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-consolelogon-library_31bf3856ad364e35_10.0.19041.264_none_6336533b85d8e590\f\ConsoleLogon.dll | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4092 wrote to memory of 2284 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | C:\Windows\system32\vssadmin.exe |
| PID 4092 wrote to memory of 2284 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe | C:\Windows\system32\vssadmin.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe"
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /for=norealvolume /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
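Added example, not part of the sandbox report and not code from the sample: Python triage helpers that re-check, over constructed event records shaped like the tables above, the two findings a responder would most want to confirm from this report. The first is the vssadmin shadow-copy deletion spawned from the sample (the Processes list and the WriteProcessMemory rows, where PID 4092 writes into the vssadmin child 2284). The second is the sample's writes to signature-validation infrastructure seen in the file table: wintrust.dll, pwrshsip.dll, servicing catalog files and WinSxS manifests. PIDs, the shortened `sample.exe` name and the two extra benign events are illustrative assumptions. One caveat the `Deletes shadow copies` signature does not express: `/for=norealvolume` names nothing that is a volume, so on a real host vssadmin would have nothing to delete, and the signature is matching the command line rather than an observed deletion. The rule therefore also records whether the `/for=` value looks like a real volume spec, so intent and effect can be kept apart.

```python
import re
from collections import Counter

# Constructed process-creation events (Sysmon EID 1 / Security 4688 shape),
# mirroring the report's Processes section. PIDs and the sample name are illustrative.
PROCESS_EVENTS = [
    {"pid": 4092, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'},
    {"pid": 2284, "ppid": 4092,
     "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /for=norealvolume /all /quiet"},
    {"pid": 3100, "ppid": 700,
     "image": r"C:\Windows\system32\vssvc.exe",
     "cmdline": r"C:\Windows\system32\vssvc.exe"},
    {"pid": 5000, "ppid": 900,                       # benign: an admin listing shadows
     "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin list shadows /for=C:"},
]

# Constructed (pid, path) file-modification events taken from the report's file table,
# plus one benign user-document write for contrast.
FILE_EVENTS = [
    (4092, r"C:\Windows\System32\wintrust.dll"),
    (4092, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll"),
    (4092, r"C:\Windows\servicing\Packages\Microsoft-Windows-EnterpriseClientSync-Host-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat"),
    (4092, r"C:\Windows\WinSxS\Manifests\amd64_dual_mdmnis2u.inf_31bf3856ad364e35_10.0.19041.1_none_49b4e3851490a524.manifest"),
    (4092, r"C:\Program Files\Java\jdk-1.8\README.txt"),
    (1000, r"C:\Users\Admin\Documents\notes.txt"),
]

# "vssadmin delete shadows ..." with an optional quoted full path and .exe suffix.
SHADOW_DELETE = re.compile(
    r'^\s*"?(?:.*\\)?vssadmin(?:\.exe)?"?\s+delete\s+shadows\b(?P<args>.*)$',
    re.IGNORECASE,
)
# vssadmin's /for= takes a drive letter ("C:") or a \\?\Volume{GUID}\ spec.
VALID_VOLUME = re.compile(r"^(?:[a-z]:\\?|\\\\\?\\Volume\{[0-9a-f-]+\}\\?)$", re.IGNORECASE)

# Files whose modification undermines Authenticode / catalog signature checks.
SIGNATURE_INFRA = (
    re.compile(r"\\(?:system32|syswow64)\\wintrust\.dll$", re.IGNORECASE),
    re.compile(r"\\windowspowershell\\v1\.0\\pwrshsip\.dll$", re.IGNORECASE),
    re.compile(r"\\servicing\\packages\\[^\\]+\.cat$", re.IGNORECASE),
    re.compile(r"\\winsxs\\manifests\\[^\\]+\.manifest$", re.IGNORECASE),
)


def shadow_delete_finding(cmdline):
    """Return None, or a dict describing a shadow-copy deletion command line."""
    m = SHADOW_DELETE.match(cmdline)
    if not m:
        return None
    args = m.group("args").lower().split()
    finding = {"all": "/all" in args, "quiet": "/quiet" in args,
               "volume": None, "volume_valid": None}
    for a in args:
        if a.startswith("/for="):
            vol = a[len("/for="):]
            finding["volume"] = vol
            # False means the deletion could not have matched any volume.
            finding["volume_valid"] = bool(VALID_VOLUME.match(vol))
    return finding


def touches_signature_infra(path):
    return any(p.search(path) for p in SIGNATURE_INFRA)


def triage(process_events, file_events):
    """Apply the three rules and return a list of finding dicts."""
    by_pid = {e["pid"]: e for e in process_events}
    findings = []
    for e in process_events:
        f = shadow_delete_finding(e["cmdline"])
        if f:
            parent = by_pid.get(e["ppid"], {}).get("image", "<unknown>")
            findings.append({"rule": "shadow_copy_deletion", "pid": e["pid"],
                             "parent_image": parent, **f})
    infra, windows_writes = Counter(), Counter()
    for pid, path in file_events:
        if touches_signature_infra(path):
            infra[pid] += 1
        if path.lower().startswith("c:\\windows\\"):
            windows_writes[pid] += 1
    for pid, n in infra.items():
        findings.append({"rule": "signature_infra_tamper", "pid": pid,
                         "image": by_pid.get(pid, {}).get("image"), "files": n})
    for pid, n in windows_writes.items():
        image = by_pid.get(pid, {}).get("image", "")
        # A binary running from a user profile rewriting C:\Windows is the pattern
        # behind the report's "Drops file in Windows/System32 directory" signatures.
        if not image.lower().startswith("c:\\windows\\"):
            findings.append({"rule": "windows_dir_writes_from_user_path", "pid": pid,
                             "image": image, "files": n})
    return findings


if __name__ == "__main__":
    for finding in triage(PROCESS_EVENTS, FILE_EVENTS):
        print(finding)
```

The parent attribution via `ppid` is what ties the vssadmin child back to the sample, which is the same relationship the WriteProcessMemory rows record; the `/for=` validity flag is there so a responder on a real host can tell a scripted deletion attempt that failed from one that removed restore points.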
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | test.s3.us-east-1.amazonaws.com | udp |
| US | 52.217.133.138:443 | test.s3.us-east-1.amazonaws.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.133.217.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.95.9.65.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
Files
C:\Program Files\Java\jdk-1.8\README.txt
| MD5 | 8d0d9af608e122e3e2cd0712d6d33d7e |
| SHA1 | 2563fc07c8e4f074e5bcca7be50e3045f34ff3f0 |
| SHA256 | 0252d98b5e81efbb710488135fc298b2e4f521aa0384e9ce5fb0a604f3e357f5 |
| SHA512 | 90a431f7cdabc8fa12c59783fc7524f316d61ab4ff806dc88093680f4a44ef4fe62337b270a99e03dc5b1f5439a36e2a8472ffb7b7499186d227dc24763d50fc |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msvcp140.dll
| MD5 | c1b066f9e3e2f3a6785161a8c7e0346a |
| SHA1 | 8b3b943e79c40bc81fdac1e038a276d034bbe812 |
| SHA256 | 99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd |
| SHA512 | 36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vcruntime140.dll
| MD5 | 1453290db80241683288f33e6dd5e80e |
| SHA1 | 29fb9af50458df43ef40bfc8f0f516d0c0a106fd |
| SHA256 | 2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c |
| SHA512 | 4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll
| MD5 | c606bd7c9c733dd27f74157c34e51742 |
| SHA1 | aab92689723449fbc3e123fb614dd536a74b74d4 |
| SHA256 | 606390649012b31b5d83630f1186562e4b1ce4023d8870d8c29eb62e7e0769e0 |
| SHA512 | 5f8fabe3d9753413d1aedcc76b9568c50dd25a5a6aeacd1ce88aecc28c0ba96dac80177679d380708213a0997946e49383bdaca7114c8c9526a24ed999194e38 |
C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL
| MD5 | 7efcf0111eb7a22aec8410d6a427b328 |
| SHA1 | d6828e7c4fb2789da55899e69c6197eaf4017b88 |
| SHA256 | 7a83319f41c626818556e406b5b664aa4c102cb851269e9becbe3041bde4368a |
| SHA512 | c1526e7bfe3c9f5d9ea9ab0f18d555e01f107ec56123ab83b8677ac24da57e206fb02a0148d2ae08ceba6ec4c10f42a46b0093e2324c0d723f09ec1fd4f43d97 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-18 01:43
Reported
2024-10-18 01:45
Platform
win7-20240903-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe"