adwind | 32bcbaad1e453a6a32bcbb90178b7b75168c43287e51954962ed2e2c565133a1

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2024, 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Zelo-Client.exe
Size

647KB
MD5

6a8c1f741fa6b769273261f408a4dc31
SHA1

fb9c298f981965d2af6b0616a87f3c2c03596311
SHA256

32bcbaad1e453a6a32bcbb90178b7b75168c43287e51954962ed2e2c565133a1
SHA512

306c7447e4e8cc7b6fa5830bfb1ef1a58dfd523fb89dc739e68bd453c6f8163631d35b5accd1717dcd18d7bc1187d69f5b67bf357325ba48c44c11db26f9bfb5
SSDEEP

12288:Rwhg3NJmAtot9EJy80QYw2U1u6/RdQ7Zzf9STRu0FdShOcymSesf:Ohg5obEc80QR2UbJM9STFfLcymS

Score

10^/10

adwind defense_evasion discovery persistence trojan

Malware Config

Signatures

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind

Class file contains resources related to AdWind 1 IoCs

resource	yara_rule
sample	family_adwind4

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Zelo-Client.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1729465692861.tmp"	reg.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Zelo-Client.jar	Zelo-Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3652	cmd.exe
2396	PING.EXE

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	Zelo-Client.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2396	PING.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
940	WINWORD.EXE
940	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4736	powershell.exe
4736	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	1148	firefox.exe
Token: SeDebugPrivilege	1148	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2408	javaw.exe
940	WINWORD.EXE
940	WINWORD.EXE
940	WINWORD.EXE
940	WINWORD.EXE
940	WINWORD.EXE
940	WINWORD.EXE
940	WINWORD.EXE
1148	firefox.exe
2408	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3776 wrote to memory of 4736	3776	Zelo-Client.exe	85
PID 3776 wrote to memory of 4736	3776	Zelo-Client.exe	85
PID 3776 wrote to memory of 2408	3776	Zelo-Client.exe	87
PID 3776 wrote to memory of 2408	3776	Zelo-Client.exe	87
PID 2408 wrote to memory of 3812	2408	javaw.exe	90
PID 2408 wrote to memory of 3812	2408	javaw.exe	90
PID 2408 wrote to memory of 4888	2408	javaw.exe	92
PID 2408 wrote to memory of 4888	2408	javaw.exe	92
PID 4888 wrote to memory of 3652	4888	cmd.exe	94
PID 4888 wrote to memory of 3652	4888	cmd.exe	94
PID 116 wrote to memory of 1148	116	firefox.exe	110
PID 116 wrote to memory of 1148	116	firefox.exe	110
PID 116 wrote to memory of 1148	116	firefox.exe	110
PID 116 wrote to memory of 1148	116	firefox.exe	110
PID 116 wrote to memory of 1148	116	firefox.exe	110
PID 116 wrote to memory of 1148	116	firefox.exe	110
PID 116 wrote to memory of 1148	116	firefox.exe	110
PID 116 wrote to memory of 1148	116	firefox.exe	110
PID 116 wrote to memory of 1148	116	firefox.exe	110
PID 116 wrote to memory of 1148	116	firefox.exe	110
PID 116 wrote to memory of 1148	116	firefox.exe	110
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111
PID 1148 wrote to memory of 4704	1148	firefox.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3812	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Zelo-Client.exe
"C:\Users\Admin\AppData\Local\Temp\Zelo-Client.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAdQB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAeAB6ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAaABtACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAeABoACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4736
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Windows\Zelo-Client.jar"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\SYSTEM32\attrib.exe
    attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1729465692861.tmp
    3⤵
    - Views/modifies file attributes
    PID:3812
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1729465692861.tmp" /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4888
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1729465692861.tmp" /f
      4⤵
      Adds Run key to start application
      PID:3652
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /f"
    3⤵
    PID:4884
  - - C:\Windows\system32\reg.exe
      REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /f
      4⤵
      PID:3764
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c ping localhost -n 6 > nul && del C:\Windows\Zelo-Client.jar
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3652
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 6
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2396

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\UpdateWrite.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:940

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:116
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1876 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {878fb658-6434-4349-8d0e-4963331e7d91} 1148 "\\.\pipe\gecko-crash-server-pipe.1148" gpu
    3⤵
    PID:4704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0187e95e-84ae-43a7-9244-10db562cbc49} 1148 "\\.\pipe\gecko-crash-server-pipe.1148" socket
    3⤵
    PID:3024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3412 -childID 1 -isForBrowser -prefsHandle 3404 -prefMapHandle 3400 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eecf47d8-8f8a-487c-8352-def53e70320d} 1148 "\\.\pipe\gecko-crash-server-pipe.1148" tab
    3⤵
    PID:2520
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3352 -childID 2 -isForBrowser -prefsHandle 3772 -prefMapHandle 3768 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24b7aa3c-fddb-4286-b45e-c0f67eb8cf39} 1148 "\\.\pipe\gecko-crash-server-pipe.1148" tab
    3⤵
    PID:940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4372 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4272 -prefMapHandle 4296 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1275786-a508-4759-b8b6-6c9ce51d7427} 1148 "\\.\pipe\gecko-crash-server-pipe.1148" utility
    3⤵
    - Checks processor information in registry
    PID:5420
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5200 -childID 3 -isForBrowser -prefsHandle 5164 -prefMapHandle 5168 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e01219c6-f814-48f6-9322-d55c4154fc91} 1148 "\\.\pipe\gecko-crash-server-pipe.1148" tab
    3⤵
    PID:5992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5148 -childID 4 -isForBrowser -prefsHandle 5340 -prefMapHandle 5344 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f337db2e-28a6-4309-8244-7a916acde4a1} 1148 "\\.\pipe\gecko-crash-server-pipe.1148" tab
    3⤵
    PID:6004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5604 -childID 5 -isForBrowser -prefsHandle 5524 -prefMapHandle 5532 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bde54812-ce4b-47b9-934c-8e79742fbad1} 1148 "\\.\pipe\gecko-crash-server-pipe.1148" tab
    3⤵
    PID:6016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\activity-stream.discovery_stream.json

Filesize
30KB

MD5
143866f4f7845c54acbfa1921be05864

SHA1
4d98e63bfdd24668c19a55b5ab6fcef749298bfa

SHA256
7b8b532084f0ff094835816850955c0e5d5910505969ce001211a3605d688a56

SHA512
1d9e3f04dec2f67a15e6cafa352e212d5b49bd666ba1d1fc06768dde1c2eb8f7bc8f026aadde01aa0f553d2bd38d1336a847b414085bb710f85cc5b11c4d30db

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lbqnv1zv.iwa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio1186733714693449100.tmp

Filesize
9KB

MD5
2d391bd4a105ff0ef9153f5fb615b8f3

SHA1
430d2fe084142f5d9d6c98586fa16ee5b419d73e

SHA256
135e903dde26983b683006befe464eff8a50d7a91e70d4d963a3aa8ed1f3e4b6

SHA512
e527703b212f0f0e597dba5d100965e6179996333e75fd0e5d32a98289772c35f9c6e19fc93505d61f454a6a97f133ed0af5a057a84948ee3e5aeb269b3f320a

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio210818753414784267.tmp

Filesize
14KB

MD5
480be4809699f67110856e5e0da7eccb

SHA1
d37a7d6004bb3e5aa16595e8dbf456263a989d61

SHA256
f82e74633b90c1d5c49bff66dfcd8a1c1e7532e4ab52ccbc041a8ebb8a145c78

SHA512
b87523d713c83454a0a1ef9965496989810432ae95e4b4849e68e7bf4aebe2e7f30b2d7f62768be9ac4c06ea24b8c095ab83d51f40edb9ae1a94c60ae9ffd276

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio2670396360341441428.tmp

Filesize
14KB

MD5
3e3dfd377cacf99e83f64b2f00aacfaf

SHA1
589aecb5676598b9f7595f0ab1f18960df0ad0cc

SHA256
eeb3ff3f14687543a622fd086a968273d8c5c387a2356c3d16012e5ef1d76028

SHA512
bafaf5e634f3c9fe20f378c032ae20c75c5ad42cbc5201620b48a408013a302f78ec02acfd264a57268d065d66a8c1656f8add8e2250a68753b3a661c02a4986

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio2882832471964929482.tmp

Filesize
16KB

MD5
aa5002e69c945d7049f7158b44c6a412

SHA1
8176b0cc14a4f9bf4f6d27b296c94bc4db862d7c

SHA256
090616551fa45cd7a2081b29b776653e3dd697b58179092293c1c72a45e739c7

SHA512
941ccd60db052352b7fa5584f01ce22d330c902d66dd5259db61ba8073a631f8eecd76797607e7ad27c6b13ac1848e7fce46e38f17deff34929eee53f5f01450

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio298380499380440368.tmp

Filesize
9KB

MD5
181353f0066758b9ea3c69e096e7d526

SHA1
30c03da3a3eba64d2e00a1f00bc597926ee6e1aa

SHA256
d08051338ae5cc24b188cd7522521dcd87a0dc17dca266e5d9997a31d6c86564

SHA512
4bd31815a712ea14d59256cf26f917ee04e50502b7c6ff59c0cdb01b6c2918ce004d813af80e32bb9711d393f9292d0f99a0b2b4c0bf73ba46ff435766ebc404

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio4533396008575023745.tmp

Filesize
43KB

MD5
502c2795758b5439cf494761c5560370

SHA1
48c4afed5e1a2e9c4cc42edf89c0b68d14f2c515

SHA256
0e569c8744fe1b4a28ea0dd9dd01d9ed7396d1cc29a3dd25dff3a04c2b3cc726

SHA512
85dd0ca711042bc3358ada24f87f03ae6c02bab527761dde6529d7fe8b86e042d5dd4d52b6d8b4fdaddcffc2f6ee8b50b42649a35f6086620b12b34ae569df16

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio4946309139110937455.tmp

Filesize
9KB

MD5
c7b87840d6d0ab22f0357840551fcc59

SHA1
d0e1e180ee3f1ddcf243edb2b2d144cdc14ca9f8

SHA256
beff38c04c757059a6c08029c86a73b2e8c121838d369579b712bccd5fe2a28e

SHA512
2963681c4d6c40639c02ae3c4e488c344e3d6667706e0663be6993d0bbc4a60e20ff97d62f0ab580ac8705e5752394dc3c04dda6cd3176398a20597ba6fa744b

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio5335435203236095674.tmp

Filesize
14KB

MD5
3b9da0e1351380e837841033bf158ef8

SHA1
fbf84bd812dabd62fa5940f54e997ac8fcad1447

SHA256
ab73f01ab12cc2bbd74f905eff5f4edf1973ddb7c398487e47ea1501e189bb47

SHA512
0cf177e3c488a462a96c227e79231b912a9b29558371b01d4bbf3bc4c8b0d250681acc031e34f3bc635fdbbad18b74dc5349f60c5b5b7041fd5eb64ebdf8f9c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio5452838327781108567.tmp

Filesize
42KB

MD5
65d55c43f9de76bd1dae9c7d4b244fda

SHA1
2af69566d101f5a1536974e340a7b47b23486c14

SHA256
24a46f11c406d9f0a68341f4eea37328cca7d07ca1d23fbb896531405c1eda08

SHA512
1e888ff251fe5fa477d7df79794bd11c40939776cfcc6b716a3e6e16e18edc267578cbea0702019e1dfcd0ab58a8a9d93b6123275e153fbf71221a6e057b0545

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio5557970923245684061.tmp

Filesize
16KB

MD5
eb45ea73f4a060429996bda4c49ec87f

SHA1
44aefc8984fc3bd8461a42715cf09887b4d0632b

SHA256
7b3f8bc263feff22c1c4e88b951eea85273b9ef8f776642ddbeee8d312f38832

SHA512
b0f0738a461ff8ceafc4ef94e6f222e14a554fc8619e3b6d3efe491f3b51e2c79dfd2dea6e35f2e123d71af351c89489841ad3d8f7b1632f9f1cf33212c4f84d

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio5818016637744978393.tmp

Filesize
43KB

MD5
074376755dd08fc489f47f76ab04ae7b

SHA1
2ab3c61aa911fe28ab44823e13ca6e54350eb2e9

SHA256
7c66a591ad0e2f9e72e43fdc76b4afcf6d89cbf91999ba01b0a2f3ba311614d8

SHA512
e68a9d3c75b7e1ee49527e967b3509c418ed50fc6b4590965a6e230969d1e51f81737062a592b2ecc4d4360663c7a30fb66c219d83eedb0303e218ec3960709b

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio6565057062258417762.tmp

Filesize
42KB

MD5
52ca98aac2d0ff589a2b8469bcd29d57

SHA1
a5d62cc2dbe5eea1ee41674a580ee90ad35bf335

SHA256
dfbad4e5d6202fe09ea522803482e7d41277f4846f7262b715073f46403e3001

SHA512
d3e0d0ce9b8396d351a332bd73ece998be03b41094815f31982c0b82c862d3e1952e7cd1d45cecab4ccd6279ebc806cf9a669a2938ba2dc5b70c61872d3de501

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio7682626781628393436.tmp

Filesize
14KB

MD5
5e7400ba0fc600d4758974a248952f7a

SHA1
6656a44aa64ec0997282813501894be744d2bfa6

SHA256
e4df8591b50ef1967e329b7d892d8d2d75f721c51766701683b0232366a5167d

SHA512
40eb1c6cd7d987284710d253d2833997d308156195a6e25ef553b6d95d52304caa4eb634681459cf41d8ae080ec85dd40f702ce1416b6923ba9a65ee738b27f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio8026057609957953947.tmp

Filesize
14KB

MD5
dfee4bad9e4a495703e636f44453fe39

SHA1
8ccc48218c542bc4689b74f54e784177dba13d6f

SHA256
404fc28a887d3d836787b6af6a8b641b35b6954602aede16e466cfd6924106a9

SHA512
4d05d21902e387ee96e030c50b0e66ce7e20fd940338a6ced2fb3313bd76697ebad02964d5a278529aec58197939bc4ec7f461e0ec8c54fe6e1b46d010a3eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio8713353547877380626.tmp

Filesize
14KB

MD5
a8a1a0b80b4df57b0e5e48189110e13b

SHA1
ae6686ebc016e7ce0d18c343af3b87e778961324

SHA256
ad88c5779880eb01bece6ead0b801af0b5664f0d4319aa3dbceec3ed7ceb6f7a

SHA512
dd997aa72fd0ab334d927fc7c50b06a3d3a5df2776aa96c2a7aea0b12801bcd695980bf087f8a81339bfd48eee3efa297183971ab02b4d563ca0bba201b330bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio8761541081258765497.tmp

Filesize
14KB

MD5
d03e2d4e1b6925d8846e86f9901454b4

SHA1
f65c7225e262da2f1c639be84ebb0b4a3022c747

SHA256
f5f46da2ab2faf737c776ac79dca50cf1c68332fdf523ba4ee5401ef18165f77

SHA512
0639a3aa8325645fd6e7ec53604fa7ddd4024c408c0b9c4a413cb2302c4fd717611fcfb38143776b08778a2187dc77516f9406c14178cd1239204c9c22fd4076

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio8939536638307156265.tmp

Filesize
41KB

MD5
f70502379a751ae1ea1f04e63f166335

SHA1
62e335340ae6cb96405951a7ab90cdef6bb079b8

SHA256
35cf175f892f01ee667aa2442c1c28c0f7d5543e18604b6f3847375943580f12

SHA512
95b20147670e820267a3c6fefee7f8a22065f361dbebd6c98019aac5e137658ae292244d183d85fa2bd131d736377534a7a369a61dc775c3356a03ef3a0d0443

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio900388795715885102.tmp

Filesize
43KB

MD5
e92a474089c94ff361549df9ab29c026

SHA1
f966f4779ee59a5c7493f4dfc22c0c94753a0c25

SHA256
731423d81fb504576353d59bbb0211f9f709ff01f154f276329c61d37b95cf3f

SHA512
e2ca68d36a2850089a86edee25b0095ff43cd8ad41f2d01a06ae5a77f8b34a0146c4b04fca452d5d5d08e03dc2108f6dea769e2217baff55eff10288ce64ebde

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio951727567579265067.tmp

Filesize
14KB

MD5
82236b63a325fed57ecc6114f947b9e4

SHA1
297ba58bf1999933c65efb6ff28532a48ace4c08

SHA256
ba56f5057d7a1d5a573ee2bd21f04d6dcbbe3e39e5b1215c947b0f76c1f5287f

SHA512
beccbc3d64e3c315c76943b8e354e37e5d6609a1a113eca875fde2b48985e4adb3c9facfd14e5097b28d341236a2f1ed278ad502cfa76b26cc8bc3e0a5f96d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin

Filesize
8KB

MD5
d1836a55387b527f16245084fd483e9c

SHA1
1dfcd85ccea294148e82d77b485ae592a8430c40

SHA256
a23ddc27f1ee0657e1e318a737ee1b6f72ced07269e1e7efb57d2fe0792db55b

SHA512
c347bde00dad032f0c1e5c04b5a8ec35e8f0732dc64b189c1530c28932a0ecff3f903bb44cb7a6ec499064b069c520b39d1bbdeaca08065d87ed29b40d7715c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
d8782bd7c7cbc1b67e743163e19c8f4b

SHA1
5232c7f2a60b18a21f5e0dde031cb5cf3b7344e3

SHA256
bdf2196c6654722325fabff0c411d91abd32556696659f776784b447791cb28e

SHA512
20bcf8df0764aa8a26dbf428463e48a58b19cb50ea49a8d64882100d7dfc6aa6e33a6882cc44e44a26da591ae060f8bd93b5416bf13e0ba89db41108f66db67c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\794ee108-1f22-489b-b5b0-93a47670b75f

Filesize
25KB

MD5
b1fc89c8c2ce03be7deb58a99ab55d01

SHA1
02d0a3f0047c66f8dfb5b6082d9403693cd55a60

SHA256
f32bae3597568c17994fc842bad392a6a5c73401814cf704875572f0295dd357

SHA512
ed9a6bfe70a48abdde8a0c40e60a41e1d9ffff74181ab1e918bd73c4e382021ea750de6435bae3599039bf4002ada495ee946519e12183393094531858b67160

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\9e3ab151-2ff9-4cb8-95cf-703668bef8fe

Filesize
671B

MD5
289c5e3e3b78cf1ed98f6390cd1b56f1

SHA1
aac5a96d94ff21be3232ebc00ea8c6c14d387c1e

SHA256
8a7bdf8a68531cce2f02638238fdeaf53727d49466eae7ae3d151a0d271e4396

SHA512
2af9979f494bbdb574de309a20feb9bace1b7d71bbc394ac363d1a2f42e6b86fd11f1c23f20ed501aaf4d4c089f9839856b32570abaea87668c07acbf9cbbaea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\c9dbb3a5-a711-4891-b2bf-de7ff1d021b0

Filesize
982B

MD5
7cda52524a56e9381ad9ed909a2f7528

SHA1
7f692f6e853fe8f03e3929a5289af1815e61bff5

SHA256
09a175d7a7a4bcec1f03453c14ff74a4e8a9c0f3e91f0f590f491eedca07b32d

SHA512
ef3b892997aed167a75b49456847745f7fea4cc336c96b3fdb3e6327d2ce50471ce75c45c4e3310d5ff4a59c5149858ed4d8087c95dee99f1445f1fc6fa87aa8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs-1.js

Filesize
11KB

MD5
a0c4c34d34b2dd352f856066d072f276

SHA1
c0b8b88b6918257ee2e880ac04a1bd989a7c6200

SHA256
5dac04f103f5432024be7886f283810010688bd9db23dc9b5bf0a0c322646638

SHA512
d32c58ac648c3d97c026da559a6213973581021b59e6cbf3ad692029067072b28aa735fad42d4b784bec700357a17de31fb19641e289d0418474e3dbfaad4e4d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs-1.js

Filesize
10KB

MD5
bd8ae127f84af275dd0bebe6406f2f30

SHA1
2d190f8188af2bc59afdaee8f142bb5d176490f3

SHA256
6f7321125e07b510c39771f96e5d0aad676c12239cec43f850cc895e49a323f0

SHA512
c87ab87f00a3678039aee10df495b4f6a43826ecf7cc85f2aca2fe0424284f06b12d7484aecd52738e9d6d9fb81132dbd324d4b3e3de84f8569b6197c621a484

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs-1.js

Filesize
11KB

MD5
54e1285879fa5f4e0887d1388dacce21

SHA1
dccd387174138250172aa8781c4a48bd206e10d8

SHA256
dc1122adb8af80968430d27e10d51f3f5548c2d8d8983131be85b93f54bfa20c

SHA512
4dc2ee3ee05a550acc91c7b1a4d4fd0bf5a9014740d51923e195f4254e12b0e5fa9728e986d61f436b7d6b171bea9866f98ed33695969050af84995b76b0616e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs.js

Filesize
10KB

MD5
abe8a994935e831859b2f444a6c3d334

SHA1
fe8a9b15494141b23d54eeb6b2a0994868b14ebb

SHA256
2d834415ba90f2d1cbd3cd92d4bcd8c266a904baf894923f771ea1c35d5d13d7

SHA512
8d37a5456c4b7a9c31574a7ee464873dc06e8607c659b84a00306325e84c9cda1ca4d402c9c3c0e8690622dd380ab035cdd5d3014221631a76b71e1b1fa448dd

Download Submit
C:\Windows\Zelo-Client.jar

Filesize
639KB

MD5
8bac893810be1acf6b083f16363a73cf

SHA1
d291c9dc85d7df6f1222d8bcaf5bb10e2578fa56

SHA256
739d2d19e79d073f9e1d1489c145879cff44c2c91e5d691d53ccc8599ac8a467

SHA512
e9dcb3dcd6924b61c67af33e88d59bc9d6b2e626234eb09aa18463e09622670d1d220024e9a504b44de23ca88bb426f295968e8d7dd644f49128c8ca7ed4d629

Download Submit
memory/940-258-0x00007FF858890000-0x00007FF8588A0000-memory.dmp

Filesize
64KB

Download
memory/940-253-0x00007FF858890000-0x00007FF8588A0000-memory.dmp

Filesize
64KB

Download
memory/940-263-0x00007FF8567A0000-0x00007FF8567B0000-memory.dmp

Filesize
64KB

Download
memory/940-255-0x00007FF858890000-0x00007FF8588A0000-memory.dmp

Filesize
64KB

Download
memory/940-256-0x00007FF858890000-0x00007FF8588A0000-memory.dmp

Filesize
64KB

Download
memory/940-262-0x00007FF8567A0000-0x00007FF8567B0000-memory.dmp

Filesize
64KB

Download
memory/940-254-0x00007FF858890000-0x00007FF8588A0000-memory.dmp

Filesize
64KB

Download
memory/2408-319-0x000001F3FF5B0000-0x000001F3FF5B1000-memory.dmp

Filesize
4KB

Download
memory/2408-73-0x000001F381410000-0x000001F381680000-memory.dmp

Filesize
2.4MB

Download
memory/2408-1653-0x000001F381410000-0x000001F381680000-memory.dmp

Filesize
2.4MB

Download
memory/2408-60-0x000001F3FF5B0000-0x000001F3FF5B1000-memory.dmp

Filesize
4KB

Download
memory/2408-67-0x000001F3FF5B0000-0x000001F3FF5B1000-memory.dmp

Filesize
4KB

Download
memory/2408-30-0x000001F381410000-0x000001F381680000-memory.dmp

Filesize
2.4MB

Download
memory/2408-98-0x000001F3FF5B0000-0x000001F3FF5B1000-memory.dmp

Filesize
4KB

Download
memory/2408-58-0x000001F3FF5B0000-0x000001F3FF5B1000-memory.dmp

Filesize
4KB

Download
memory/2408-92-0x000001F3FF5B0000-0x000001F3FF5B1000-memory.dmp

Filesize
4KB

Download
memory/2408-54-0x000001F3FF5B0000-0x000001F3FF5B1000-memory.dmp

Filesize
4KB

Download
memory/2408-37-0x000001F3FF5B0000-0x000001F3FF5B1000-memory.dmp

Filesize
4KB

Download
memory/3776-1-0x0000000000D00000-0x0000000000DA8000-memory.dmp

Filesize
672KB

Download
memory/3776-0-0x00007FF87A7F3000-0x00007FF87A7F5000-memory.dmp

Filesize
8KB

Download
memory/3776-9-0x00007FF87A7F0000-0x00007FF87B2B1000-memory.dmp

Filesize
10.8MB

Download
memory/3776-2-0x00007FF87A7F0000-0x00007FF87B2B1000-memory.dmp

Filesize
10.8MB

Download
memory/4736-36-0x00007FF87A7F0000-0x00007FF87B2B1000-memory.dmp

Filesize
10.8MB

Download
memory/4736-10-0x00007FF87A7F0000-0x00007FF87B2B1000-memory.dmp

Filesize
10.8MB

Download
memory/4736-21-0x0000024922800000-0x0000024922822000-memory.dmp

Filesize
136KB

Download
memory/4736-29-0x00007FF87A7F0000-0x00007FF87B2B1000-memory.dmp

Filesize
10.8MB

Download