amadey | 162febbe2934c9ffbaf6134fe313e02fe40474fef3a4f97beb7a325118cc98c5

Analysis

max time kernel
21s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2024 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.8MB
MD5

9a21c9f1ea95adb56b592de8d905d554
SHA1

81ebfff6a11b00ff5355025b2adddcbd0ab2e23e
SHA256

162febbe2934c9ffbaf6134fe313e02fe40474fef3a4f97beb7a325118cc98c5
SHA512

e93bc208dfe4a9a42fe2f5f2f1daf1e933b342b30d19d7a4a1de90eb21dd3a07c2ad9fa931cee0aedb1ebfbba8846ec89ca75ac215c930be1912c74fcf394ca0
SSDEEP

49152:DovShhuVCw0IMBKL+OPgBWpYTzUnrVtwwQGTrn:hLEMBK5PgspOzQVt

Score

10^/10

amadey lumma stealc 9c9aa5 tale discovery evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

tale

http://185.215.113.206

Attributes

url_path
/6c4adf523b719729.php

Extracted

Family

lumma

https://goalyfeastz.site/api

https://contemteny.site/api

https://dilemmadu.site/api

https://authorisev.site/api

https://necklacedmny.store/api

https://founpiuer.store/api

https://navygenerayk.store/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6a6db205a2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2fb20e636c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	222.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2fb20e636c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2fb20e636c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	222.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	222.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6a6db205a2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6a6db205a2.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	file.exe

Executes dropped EXE 5 IoCs

pid	Process
4988	skotes.exe
2604	skotes.exe
5072	222.exe
2604	6a6db205a2.exe
3924	2fb20e636c.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	2fb20e636c.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	file.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	222.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	6a6db205a2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6a6db205a2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1003322001\\6a6db205a2.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2fb20e636c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1003323001\\2fb20e636c.exe"	skotes.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000a000000023c24-92.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
2480	file.exe
4988	skotes.exe
2604	skotes.exe
5072	222.exe
2604	6a6db205a2.exe
3924	2fb20e636c.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3120	5072	WerFault.exe	96
4540	5072	WerFault.exe	96
3700	5072	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a6db205a2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fb20e636c.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
2088	taskkill.exe
1612	taskkill.exe
2688	taskkill.exe
748	taskkill.exe
1448	taskkill.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2480	file.exe
2480	file.exe
4988	skotes.exe
4988	skotes.exe
2604	skotes.exe
2604	skotes.exe
5072	222.exe
5072	222.exe
2604	6a6db205a2.exe
2604	6a6db205a2.exe
3924	2fb20e636c.exe
3924	2fb20e636c.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2480	file.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 4988	2480	file.exe	87
PID 2480 wrote to memory of 4988	2480	file.exe	87
PID 2480 wrote to memory of 4988	2480	file.exe	87
PID 4988 wrote to memory of 5072	4988	skotes.exe	96
PID 4988 wrote to memory of 5072	4988	skotes.exe	96
PID 4988 wrote to memory of 5072	4988	skotes.exe	96
PID 4988 wrote to memory of 2604	4988	skotes.exe	108
PID 4988 wrote to memory of 2604	4988	skotes.exe	108
PID 4988 wrote to memory of 2604	4988	skotes.exe	108
PID 4988 wrote to memory of 3924	4988	skotes.exe	112
PID 4988 wrote to memory of 3924	4988	skotes.exe	112
PID 4988 wrote to memory of 3924	4988	skotes.exe	112

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Users\Admin\AppData\Local\Temp\1003309001\222.exe
    "C:\Users\Admin\AppData\Local\Temp\1003309001\222.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5072
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 1492
      4⤵
      Program crash
      PID:4540
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 1516
      4⤵
      Program crash
      PID:3120
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 1516
      4⤵
      Program crash
      PID:3700
- - C:\Users\Admin\AppData\Local\Temp\1003322001\6a6db205a2.exe
    "C:\Users\Admin\AppData\Local\Temp\1003322001\6a6db205a2.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2604
- - C:\Users\Admin\AppData\Local\Temp\1003323001\2fb20e636c.exe
    "C:\Users\Admin\AppData\Local\Temp\1003323001\2fb20e636c.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3924
- - C:\Users\Admin\AppData\Local\Temp\1003324001\376c53a9b6.exe
    "C:\Users\Admin\AppData\Local\Temp\1003324001\376c53a9b6.exe"
    3⤵
    PID:452
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      Kills process with taskkill
      PID:2688
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      Kills process with taskkill
      PID:748
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      Kills process with taskkill
      PID:1448
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      Kills process with taskkill
      PID:1612
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      Kills process with taskkill
      PID:2088
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:1936
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        
        PID:3944
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2510e412-cf3e-4e34-9270-ad1c96b0377d} 3944 "\\.\pipe\gecko-crash-server-pipe.3944" gpu
        6⤵
        
        PID:2372
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2404 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2384 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f59b9352-5c5c-48d8-9b5c-d40bf0321dcd} 3944 "\\.\pipe\gecko-crash-server-pipe.3944" socket
        6⤵
        
        PID:808
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3180 -childID 1 -isForBrowser -prefsHandle 3048 -prefMapHandle 3160 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {41570b15-59c7-4687-9392-2b3ba29a5a0c} 3944 "\\.\pipe\gecko-crash-server-pipe.3944" tab
        6⤵
        
        PID:3564
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3408 -childID 2 -isForBrowser -prefsHandle 3600 -prefMapHandle 3416 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0db572af-506a-4878-be87-a7718b336ef8} 3944 "\\.\pipe\gecko-crash-server-pipe.3944" tab
        6⤵
        
        PID:1712
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4852 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4844 -prefMapHandle 4840 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {03975498-58c8-4e06-a5e1-46e2018962bb} 3944 "\\.\pipe\gecko-crash-server-pipe.3944" utility
        6⤵
        
        PID:5328
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5464 -childID 3 -isForBrowser -prefsHandle 5456 -prefMapHandle 4956 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6144897-7f92-4617-af00-4b971846317a} 3944 "\\.\pipe\gecko-crash-server-pipe.3944" tab
        6⤵
        
        PID:6080
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5596 -childID 4 -isForBrowser -prefsHandle 5604 -prefMapHandle 5608 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5bcf812f-a1a1-4f08-b50b-73370e83c102} 3944 "\\.\pipe\gecko-crash-server-pipe.3944" tab
        6⤵
        
        PID:6092
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5908 -childID 5 -isForBrowser -prefsHandle 5900 -prefMapHandle 5896 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e63abb0-0631-4405-b9df-1aafd3502007} 3944 "\\.\pipe\gecko-crash-server-pipe.3944" tab
        6⤵
        
        PID:6112
- - C:\Users\Admin\AppData\Local\Temp\1003325001\40c818820c.exe
    "C:\Users\Admin\AppData\Local\Temp\1003325001\40c818820c.exe"
    3⤵
    PID:5676

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5072 -ip 5072
1⤵
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5072 -ip 5072
1⤵
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5072 -ip 5072
1⤵
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5072 -ip 5072
1⤵
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5072 -ip 5072
1⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
PID:5404

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
PID:4948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\activity-stream.discovery_stream.json

Filesize
24KB

MD5
cc2d2f170aff5f66f8415ec16231b612

SHA1
3346ed0b24f7719c8861db05641ec439927048f8

SHA256
af1569e905808d094317dd497360d0139a8e886ac67b2e8d8f1bd47091261c28

SHA512
95cc70ecafb00b76e4f63ed8b7ee5dc727f82805bdc6c6c8ee8ec81715799ec7259df3740dc0d856d652ff5f035564334cfc90b46a134a8690b2efaa37c3911f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\D500AD994A7515157BB2A6ADD5B18B754E4D2F99

Filesize
13KB

MD5
52d090fc72632c658eeb8c6935ff172e

SHA1
88158138fba8c70d1abde97ba20bf004fb9475d7

SHA256
63fa9b61bc1be87e8339234407d8a701febf8ccec98afcc51baa3d2fbe8e9b17

SHA512
fd780abca033425aa6a342df95fa1d0b38feb2af8b938f3bc3babffe6642d5c0e541e412d63863b9733320c964fc039962b3e70cc4b2c483d4f6c435cdbfdc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1003309001\222.exe

Filesize
2.9MB

MD5
e470e1efdf057bf0cb67f5f8e7d146f5

SHA1
9c1db682706e84bc5c62eb94ba286d040d21bd16

SHA256
cb15ac6b923950cc436643ca20417973952a9bee1c80d1c0f1bd9c564bd55b0a

SHA512
49eaafe4840d8244aab845e762e1027cb32130c7b3f8891c259512429ba1fff69fe27a94fc604f9d4bf01d17e05ab6bad91cfe46476c175034d7b4d40b968220

Download Submit
C:\Users\Admin\AppData\Local\Temp\1003322001\6a6db205a2.exe

Filesize
2.8MB

MD5
74ce0c33923116eb0668ba3302893ef9

SHA1
f69c905e2976b0c107649392072976e9e3a0e445

SHA256
4f14a84b40dba7b3b4cfdf6eeb1ff46933c092b69f47e9dbca4ce20110c8a722

SHA512
6fbd66fecccc6d92530e6a65211c9dbab597780fc80afaa57f5b37fe0b3cbad7a12c590df2127360b2a4f624f83e6b193d4e628ff45718fe3177fc02a1193b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1003323001\2fb20e636c.exe

Filesize
2.0MB

MD5
86f793173f02f6c3e82962700f9d0393

SHA1
6f31095841204037ef18db8dc314037cd41eea6e

SHA256
b81182e20f0c54c1b903045a3d0bf63f58942ea66e70c4a9516c8338ecdae03c

SHA512
94cc0b09d70ddec5bf74eee5ba89a06a90610c7c949a76a08e3464a9082db180365b094e81de3705157584f138b803b0eb61102cd5cf435186d16eab5cce84b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1003324001\376c53a9b6.exe

Filesize
898KB

MD5
88d340af1e3ef9728a8814364a2b56cd

SHA1
8d92384e0c55da6a7015ecb1675da7c638400e33

SHA256
48f6db09082f005282d3099fc9caeba22899b8ad3c3720be7ee251fa9479a9bb

SHA512
6d85de8f255a9066d2389239cefc194e8cf53f465032ef67fb36810f26b6cfbefdb1d548d25c0b17f4a2134ad0059cfc31e2ba64a5050b5eb25e4eeb18ee5f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\1003325001\40c818820c.exe

Filesize
2.6MB

MD5
2bc1796e07c6d66c07e2386051c4f951

SHA1
93d3cd21985b7e3e4db010fd5ac204881718ad21

SHA256
f369e46b9e8d2e340cc2fff5ae3783c7dc29603686b80fa6a470c7806bc77da0

SHA512
e7fb3f70807ba99183a2bfe98dd83fd2759e747f4ba125a6dc90f146e7e73e9d28ed69e6040f3715099e42227af8baa2daf0fb55c613092ba29b512adef469ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
1.8MB

MD5
9a21c9f1ea95adb56b592de8d905d554

SHA1
81ebfff6a11b00ff5355025b2adddcbd0ab2e23e

SHA256
162febbe2934c9ffbaf6134fe313e02fe40474fef3a4f97beb7a325118cc98c5

SHA512
e93bc208dfe4a9a42fe2f5f2f1daf1e933b342b30d19d7a4a1de90eb21dd3a07c2ad9fa931cee0aedb1ebfbba8846ec89ca75ac215c930be1912c74fcf394ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-2

Filesize
11.6MB

MD5
fabea81520534cf266d848dc68c5a1b7

SHA1
5e08b8873064193d696544fcbaccaecf97730033

SHA256
a7ff057af5f600ef3fb56c348725036a1accf35a565da3dd97c4595ae6e7b8df

SHA512
064efbdf23b75e4fab553239fff0956b2f903f5cffc4dbbed4d3ff08f616744767ee3d931c251c81ba03eecf6d2a7a195ba8762313a8cfa610b516ae98dc5a9a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin

Filesize
7KB

MD5
b409828274b5b7df6708a5e494e73788

SHA1
87ffe10d492f70becbf749503b09ef8b624aa8e6

SHA256
a6b5a5ec5fc895e5359a79660bc12d0d80bb08cf3012da7b0f8dab1bf5e397bb

SHA512
07d78cbe18a57572a38f1c27c4a80cea038d7e92335a01ae23bbf72a80219d5931a62e90d8fd630ae27dd4b98a776fe93006a30ea16a44159ffad8e38ddac3a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin

Filesize
11KB

MD5
0f7c2ff7b67378533ce61b1b78568302

SHA1
b3f071b4207a2f0a5d86010dc57ead8473263d01

SHA256
83273653c44118af70501a79094280174e363b4a265943ab8d0e69d0f338f602

SHA512
8dd3234de66c2cafa31dcfc490554a040ac7f0a0322b8ba48a755f8da575708fe0ab37f5164fd0e04fbff2d26f0f5ba9d70c5827d85a5ae2d9fce99796cd87c8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin

Filesize
17KB

MD5
91e8ddbf559776bb809f3ab069258f62

SHA1
9277abce9579c6cb4058bec7378066f70d3b3c47

SHA256
0c4f0fa9f9eb2daa19758969d12d5357f6c934f6721ed01f322b7aa5756d63e7

SHA512
e4e454c9ad526a27ab5c9fb1137aea2042eb0fb945b293c9197f0888ba545ae847323c2469798694fb3471b5b3ceb9adb32843d4e215e56117184b4e751e7ea4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
3fd679334198b299cbfceb54948e2682

SHA1
da705da034af9c6de1e91e399ec498a3294355f2

SHA256
e04ec54f2ccaaa938267dd74a38de489eaf2d6dcf391132d25c4227bf2c4a4c8

SHA512
83b967a6a3f68fa2e1cfca29cb9c3e88de5e649e8bff58ca72c6d4384fac7bdbb4451c756f01205420fc4f5aba2334790b0aaf1238a268f371ff5b053780cd2e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
d2f3d2534c2af1b8dc1f0ad338e7b02c

SHA1
2da6cb0095716772aa39115d89d1cf442b865013

SHA256
4d0d0a61e9608e23f92b1f17d95fce68c71d85073bd135eaffb215841900d010

SHA512
8b8ec4a6e820485c42b98f0cab8a702cc94f31e125b6f5399134a0d9c77195e5b2d23bb427e7972cfc61f6be054811f0dc2c4e2e7e4f71e191ff4825cbf6562e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
27KB

MD5
c577bdd079c53bd83465b010d84a0b62

SHA1
df0cd01be81f7c5200f4a0fe2665e421de88cdbc

SHA256
d3bd9df4dd1750da3ff0b14678b6cb899059ca82bb99f7611468de76e05fdace

SHA512
b0375158f666eec578667d1475e4fe8b345793b0c97315bd38963d9a6c7b9a66e41fcd416432d6a3063cef40d6227423af968d8ca6948aee07380d9cb58bd775

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\241fe9e8-5d03-411d-81be-79cd658e5366

Filesize
26KB

MD5
3ebbf138547e627db362fd1834956185

SHA1
f9c5dddd5106246eff537e8492f0cabcb715deb6

SHA256
b0c888246f791d2338e2f82dcf1d7f18bd54516d3b5bbb88ca13f466c3cdb5c8

SHA512
7f95ff266a8c2177430970d8202027a9ba2d4777f7216138bd0fa475b9b23146b036ac62407f636f28c008cbcb74dac1c3f809adf286f2f22d8c21379d2c35a5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\56be6382-f4ef-4b1f-8930-9b9ab9eb4dae

Filesize
671B

MD5
01773c50dca1e45daa3df585663ccc27

SHA1
f35a890f0c63dbcae1ba5e8a186219638ef71cc7

SHA256
485c19debd0072b7967f89f34585ce5ceb0ec54c357f2e2ed813f7eddc5ff2d9

SHA512
65b0e0fda3ac12733595836593810edb0eab2b3615635ddc6843ef2f1bfe6c4ae225bc68b0c7ac1e8763de6a10f50f05e43d0f54f7490c9f65ebc2b12fce0618

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\dce3b6d8-7ae3-41c1-9ccb-73c0d4adf993

Filesize
982B

MD5
e8b65491b38d7d0e34d62a45e26c3792

SHA1
5ea7949c893beda36d0f290ee5792dd9be99c65c

SHA256
d9e9b23a6e976490f608764e898af14022a1cf5264591d75834a06bd23d354e1

SHA512
de1eee778d40fdb3f6aef380f4f58c0c4a0ba2133837f7235802d5a26c465eb43016e988ff1fba98f644e7f329ea13225672aec1138583162418a6d95f964dbf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
9.9MB

MD5
9b0eb405d11390a24aa0c2f0a9603140

SHA1
cd39b7b93570ec88a271a4b056998f306dad53bf

SHA256
72a2083d70b36f1cf325a0e4b126729343c8ee0fa0d07b9c243327665b17b864

SHA512
7e78d6dadf3a0c3b2e64232539d72cc2f128ed8feaf454d284a65d563b36e3e88cdeda0fbcfa9b07023f51fb2627549c137cea28b6b549d7b1871dc16bc911fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs-1.js

Filesize
12KB

MD5
b96b523846401555510ba100e0a5712c

SHA1
77c494313c9d848e84317cfef51d972976399cb7

SHA256
7b96830584645761d3880aab8b720459e4eeb754ce6c63ef08f2c987204d6fb5

SHA512
3e2d28ef18017e9bfbef6fc275087e95f0de413236fc0edda3b8f77525d71e7b7da6a4c7cab006135ac19702aa36d415742a8fdb1be774d8624c59a7d0517228

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs.js

Filesize
11KB

MD5
3bf144f85d8ed3b5a810120d1f17efcb

SHA1
ef3b868b4e02d2f291b103d45f7f231d3bfe2b47

SHA256
162dc010599bd30ebb034445ef0041c10dae531f1c58dfa9db8e3a8d3e95b01d

SHA512
2539c222173c8130cc89e89988223d48e5848231bbcfb4b5daac2e2b13aca00e876f4c0034c6e6646765eb0be74bce835bc7808cbc76a0eb3b11d7e5ca1782bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.1MB

MD5
2898c5cd8f4660636424bbe8409821c0

SHA1
febbfc724ab9db2684d6ad8caac80734ea8d5847

SHA256
8abf4142b1d1751941ff2c34806bf2a4035b062b6f2461b275b4780ec1ecfb91

SHA512
6075483acb8a93423744f57dbbe561b7baefc0f6ca0ad1095b9d3aee5fc866a790305bfc6231ebac78fd909abda7a0c977189dbda411464260167f8173fe142a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
9.5MB

MD5
217ac79f7d7eb3cd7cabf3f6fed14b49

SHA1
aee60576b22eab40bd80f35ea0abd71d1b8536be

SHA256
e3b8fcaa1c4e9d316f878f71854151c5732da48334a573d32a9d81a0e24671ad

SHA512
d75c05e5202967847f5f17df92aae2d66c3dfef678208bb4ec4e9f2984a535f4bc20101cf79506c4a9e822283d6cf77a8d5cd1f6ad2ca52fcb7fb2af35ba66e0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
10.9MB

MD5
7e8ce090cfff3efe3c9831f82716d1e9

SHA1
81c1e567f8faa0e581013cc1be975e7803fd1795

SHA256
8eb36ea0f1f691eb1a241ef9fcf04132bf045aad17776f0911c0cce057dc68f2

SHA512
b8511b3f0a62a1e0775da152118001bf7af4721fa25b7f4fb9f76ea10283ecc5e06627bdb06b54fb6c1a299a58471018ed919095a62bf94d4bb2f1022d11d652

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
10.9MB

MD5
0dfdddb75dd7f320549254ada5f91bb4

SHA1
39d03cd0ff102022ef104bd5a3998d23e329e994

SHA256
1666f1ffec19ed26bd409bb891b37783a9d96906bb031793a42f6480af8714b3

SHA512
5b2e3e8034b312b3a31b2193e127e138b2142651e0c34497ccb345ba6d25750fcbcbce91b998f870715c58be5ccbd4d19a85d7732c13b3e72f2be56fec00db08

Download Submit
memory/2480-2-0x0000000000EA1000-0x0000000000ECF000-memory.dmp

Filesize
184KB

Download
memory/2480-0-0x0000000000EA0000-0x0000000001351000-memory.dmp

Filesize
4.7MB

Download
memory/2480-3-0x0000000000EA0000-0x0000000001351000-memory.dmp

Filesize
4.7MB

Download
memory/2480-4-0x0000000000EA0000-0x0000000001351000-memory.dmp

Filesize
4.7MB

Download
memory/2480-1-0x0000000077294000-0x0000000077296000-memory.dmp

Filesize
8KB

Download
memory/2480-18-0x0000000000EA0000-0x0000000001351000-memory.dmp

Filesize
4.7MB

Download
memory/2604-26-0x0000000000BA0000-0x0000000001051000-memory.dmp

Filesize
4.7MB

Download
memory/2604-27-0x0000000000BA0000-0x0000000001051000-memory.dmp

Filesize
4.7MB

Download
memory/2604-65-0x00000000001D0000-0x00000000004DC000-memory.dmp

Filesize
3.0MB

Download
memory/2604-66-0x00000000001D0000-0x00000000004DC000-memory.dmp

Filesize
3.0MB

Download
memory/2604-29-0x0000000000BA1000-0x0000000000BCF000-memory.dmp

Filesize
184KB

Download
memory/2604-25-0x0000000000BA0000-0x0000000001051000-memory.dmp

Filesize
4.7MB

Download
memory/2604-30-0x0000000000BA0000-0x0000000001051000-memory.dmp

Filesize
4.7MB

Download
memory/3924-83-0x0000000000910000-0x000000000103C000-memory.dmp

Filesize
7.2MB

Download
memory/3924-84-0x0000000000910000-0x000000000103C000-memory.dmp

Filesize
7.2MB

Download
memory/4948-2743-0x0000000000BA0000-0x0000000001051000-memory.dmp

Filesize
4.7MB

Download
memory/4948-2742-0x0000000000BA0000-0x0000000001051000-memory.dmp

Filesize
4.7MB

Download
memory/4988-484-0x0000000000BA0000-0x0000000001051000-memory.dmp

Filesize
4.7MB

Download
memory/4988-2706-0x0000000000BA0000-0x0000000001051000-memory.dmp

Filesize
4.7MB

Download
memory/4988-2745-0x0000000000BA0000-0x0000000001051000-memory.dmp

Filesize
4.7MB

Download
memory/4988-490-0x0000000000BA0000-0x0000000001051000-memory.dmp

Filesize
4.7MB

Download
memory/4988-15-0x0000000000BA0000-0x0000000001051000-memory.dmp

Filesize
4.7MB

Download
memory/4988-46-0x0000000000BA0000-0x0000000001051000-memory.dmp

Filesize
4.7MB

Download
memory/4988-22-0x0000000000BA0000-0x0000000001051000-memory.dmp

Filesize
4.7MB

Download
memory/4988-106-0x0000000000BA0000-0x0000000001051000-memory.dmp

Filesize
4.7MB

Download
memory/4988-2744-0x0000000000BA0000-0x0000000001051000-memory.dmp

Filesize
4.7MB

Download
memory/4988-21-0x0000000000BA0000-0x0000000001051000-memory.dmp

Filesize
4.7MB

Download
memory/4988-20-0x0000000000BA0000-0x0000000001051000-memory.dmp

Filesize
4.7MB

Download
memory/4988-2740-0x0000000000BA0000-0x0000000001051000-memory.dmp

Filesize
4.7MB

Download
memory/4988-2739-0x0000000000BA0000-0x0000000001051000-memory.dmp

Filesize
4.7MB

Download
memory/4988-450-0x0000000000BA0000-0x0000000001051000-memory.dmp

Filesize
4.7MB

Download
memory/4988-24-0x0000000000BA0000-0x0000000001051000-memory.dmp

Filesize
4.7MB

Download
memory/4988-19-0x0000000000BA0000-0x0000000001051000-memory.dmp

Filesize
4.7MB

Download
memory/4988-2738-0x0000000000BA0000-0x0000000001051000-memory.dmp

Filesize
4.7MB

Download
memory/4988-49-0x0000000000BA0000-0x0000000001051000-memory.dmp

Filesize
4.7MB

Download
memory/4988-1332-0x0000000000BA0000-0x0000000001051000-memory.dmp

Filesize
4.7MB

Download
memory/4988-2735-0x0000000000BA0000-0x0000000001051000-memory.dmp

Filesize
4.7MB

Download
memory/4988-48-0x0000000000BA0000-0x0000000001051000-memory.dmp

Filesize
4.7MB

Download
memory/4988-2320-0x0000000000BA0000-0x0000000001051000-memory.dmp

Filesize
4.7MB

Download
memory/5072-47-0x0000000000330000-0x0000000000648000-memory.dmp

Filesize
3.1MB

Download
memory/5072-82-0x0000000000330000-0x0000000000648000-memory.dmp

Filesize
3.1MB

Download
memory/5072-87-0x0000000000330000-0x0000000000648000-memory.dmp

Filesize
3.1MB

Download
memory/5404-1452-0x0000000000BA0000-0x0000000001051000-memory.dmp

Filesize
4.7MB

Download
memory/5404-1394-0x0000000000BA0000-0x0000000001051000-memory.dmp

Filesize
4.7MB

Download
memory/5676-486-0x0000000000C80000-0x0000000000F2A000-memory.dmp

Filesize
2.7MB

Download
memory/5676-469-0x0000000000C80000-0x0000000000F2A000-memory.dmp

Filesize
2.7MB

Download
memory/5676-471-0x0000000000C80000-0x0000000000F2A000-memory.dmp

Filesize
2.7MB

Download
memory/5676-470-0x0000000000C80000-0x0000000000F2A000-memory.dmp

Filesize
2.7MB

Download
memory/5676-489-0x0000000000C80000-0x0000000000F2A000-memory.dmp

Filesize
2.7MB

Download