42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2

Analysis

max time kernel
151s
max time network
159s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2.exe
Size

1.9MB
MD5

cfc99b9f63979b39e37bbe2a8811b8a8
SHA1

9a2061edb53df5a937b455938185b0cb6aeb46c8
SHA256

42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2
SHA512

8eda0061246dec5d8bcac8b7c27786ed3cdd94b61f5c70bd2d58642b7a8246d23465aea1209d3e2b0ab8e6ebeb3abad6604f5c7fc426edf7bd7d7fabf6f79a84
SSDEEP

49152:lXz+1OvV11rjqdO5tFL16WT53GJAkpeVCmJUn8pOX:lXz+1Ot1lWdocWT52ukmCmCn8pOX

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
1900	winsys.exe
1696	AntiCheat.exe
1540	winsys.exe
1968	AntiCheat.exe
2004	systeme.exe

Loads dropped DLL 10 IoCs

pid	Process
1608	42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2.exe
1608	42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2.exe
1608	42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2.exe
1608	42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2.exe
1608	42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2.exe
1608	42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2.exe
1608	42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2.exe
1900	winsys.exe
1816	cmd.exe
1816	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\winsys.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winsys.exe"	winsys.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	systeme.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\winsys.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winsys.exe"	systeme.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1900 set thread context of 1540	1900	winsys.exe	29
PID 1696 set thread context of 1968	1696	AntiCheat.exe	30

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\sxe\AntiCheat\AntiCheat.exe	42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2.exe
File opened for modification	C:\Program Files (x86)\sxe\AntiCheat\AntiCheat.exe	42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1540	winsys.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1540	winsys.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 1900	1608	42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2.exe	26
PID 1608 wrote to memory of 1900	1608	42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2.exe	26
PID 1608 wrote to memory of 1900	1608	42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2.exe	26
PID 1608 wrote to memory of 1900	1608	42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2.exe	26
PID 1608 wrote to memory of 1696	1608	42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2.exe	27
PID 1608 wrote to memory of 1696	1608	42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2.exe	27
PID 1608 wrote to memory of 1696	1608	42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2.exe	27
PID 1608 wrote to memory of 1696	1608	42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2.exe	27
PID 1900 wrote to memory of 1540	1900	winsys.exe	29
PID 1900 wrote to memory of 1540	1900	winsys.exe	29
PID 1900 wrote to memory of 1540	1900	winsys.exe	29
PID 1900 wrote to memory of 1540	1900	winsys.exe	29
PID 1900 wrote to memory of 1540	1900	winsys.exe	29
PID 1900 wrote to memory of 1540	1900	winsys.exe	29
PID 1900 wrote to memory of 1540	1900	winsys.exe	29
PID 1900 wrote to memory of 1540	1900	winsys.exe	29
PID 1900 wrote to memory of 1540	1900	winsys.exe	29
PID 1900 wrote to memory of 1540	1900	winsys.exe	29
PID 1900 wrote to memory of 1540	1900	winsys.exe	29
PID 1900 wrote to memory of 1540	1900	winsys.exe	29
PID 1696 wrote to memory of 1968	1696	AntiCheat.exe	30
PID 1696 wrote to memory of 1968	1696	AntiCheat.exe	30
PID 1696 wrote to memory of 1968	1696	AntiCheat.exe	30
PID 1696 wrote to memory of 1968	1696	AntiCheat.exe	30
PID 1696 wrote to memory of 1968	1696	AntiCheat.exe	30
PID 1696 wrote to memory of 1968	1696	AntiCheat.exe	30
PID 1696 wrote to memory of 1968	1696	AntiCheat.exe	30
PID 1696 wrote to memory of 1968	1696	AntiCheat.exe	30
PID 1696 wrote to memory of 1968	1696	AntiCheat.exe	30
PID 1540 wrote to memory of 1816	1540	winsys.exe	32
PID 1540 wrote to memory of 1816	1540	winsys.exe	32
PID 1540 wrote to memory of 1816	1540	winsys.exe	32
PID 1540 wrote to memory of 1816	1540	winsys.exe	32
PID 1816 wrote to memory of 2004	1816	cmd.exe	34
PID 1816 wrote to memory of 2004	1816	cmd.exe	34
PID 1816 wrote to memory of 2004	1816	cmd.exe	34
PID 1816 wrote to memory of 2004	1816	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2.exe
"C:\Users\Admin\AppData\Local\Temp\42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Users\Admin\AppData\Local\Temp\winsys.exe
  "C:\Users\Admin\AppData\Local\Temp\winsys.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Users\Admin\AppData\Local\Temp\winsys.exe
    "C:\Users\Admin\AppData\Local\Temp\winsys.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c cd C:\Users\Admin\AppData\Roaming & start systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1816
    - - C:\Users\Admin\AppData\Roaming\systeme.exe
        
        systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2004
- C:\Program Files (x86)\sxe\AntiCheat\AntiCheat.exe
  "C:\Program Files (x86)\sxe\AntiCheat\AntiCheat.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Program Files (x86)\sxe\AntiCheat\AntiCheat.exe
    "C:\Program Files (x86)\sxe\AntiCheat\AntiCheat.exe"
    3⤵
    - Executes dropped EXE
    PID:1968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\sxe\AntiCheat\AntiCheat.exe

Filesize
939KB

MD5
0b0451269c4ec45d866a7f0fdb46e1c3

SHA1
4f9267996a7a4396401f5294631a5dce48bae6bc

SHA256
9fc979ce83fb7df0c71a5112bf6ce848264ad8981951ca688bb06782b59247a6

SHA512
c5e954b375307c9788f22ff9a7dfa4926f3e2804bb997da2b5404b872e2459572c8045d240786a444836e1e269ab3074840f72451f2580ad4755ade319ee8056

Download Submit
C:\Program Files (x86)\sxe\AntiCheat\AntiCheat.exe

Filesize
939KB

MD5
0b0451269c4ec45d866a7f0fdb46e1c3

SHA1
4f9267996a7a4396401f5294631a5dce48bae6bc

SHA256
9fc979ce83fb7df0c71a5112bf6ce848264ad8981951ca688bb06782b59247a6

SHA512
c5e954b375307c9788f22ff9a7dfa4926f3e2804bb997da2b5404b872e2459572c8045d240786a444836e1e269ab3074840f72451f2580ad4755ade319ee8056

Download Submit
C:\Program Files (x86)\sxe\AntiCheat\AntiCheat.exe

Filesize
939KB

MD5
0b0451269c4ec45d866a7f0fdb46e1c3

SHA1
4f9267996a7a4396401f5294631a5dce48bae6bc

SHA256
9fc979ce83fb7df0c71a5112bf6ce848264ad8981951ca688bb06782b59247a6

SHA512
c5e954b375307c9788f22ff9a7dfa4926f3e2804bb997da2b5404b872e2459572c8045d240786a444836e1e269ab3074840f72451f2580ad4755ade319ee8056

Download Submit
C:\Users\Admin\AppData\Local\Temp\winsys.exe

Filesize
795KB

MD5
215c4dd821b8ffc34741b204953420bb

SHA1
13f5e03b0bbbe5b5d8f5d39dbd65a83ba4d38594

SHA256
5fb48b316c9a4fdf4331922144f02e8a73af481578ad48d4ae5adf7531b63648

SHA512
5e0cc7dc49a7d93c415416b57a18b054006e4bfa87cbd404d0ce1c660a7c6dd9da8d55f13d52cf7e34d8d9673b1f58c7e664d4890865f358894eb91a2c5e09a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\winsys.exe

Filesize
795KB

MD5
215c4dd821b8ffc34741b204953420bb

SHA1
13f5e03b0bbbe5b5d8f5d39dbd65a83ba4d38594

SHA256
5fb48b316c9a4fdf4331922144f02e8a73af481578ad48d4ae5adf7531b63648

SHA512
5e0cc7dc49a7d93c415416b57a18b054006e4bfa87cbd404d0ce1c660a7c6dd9da8d55f13d52cf7e34d8d9673b1f58c7e664d4890865f358894eb91a2c5e09a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\winsys.exe

Filesize
795KB

MD5
215c4dd821b8ffc34741b204953420bb

SHA1
13f5e03b0bbbe5b5d8f5d39dbd65a83ba4d38594

SHA256
5fb48b316c9a4fdf4331922144f02e8a73af481578ad48d4ae5adf7531b63648

SHA512
5e0cc7dc49a7d93c415416b57a18b054006e4bfa87cbd404d0ce1c660a7c6dd9da8d55f13d52cf7e34d8d9673b1f58c7e664d4890865f358894eb91a2c5e09a1

Download Submit
C:\Users\Admin\AppData\Roaming\systeme.exe

Filesize
46KB

MD5
ecb65e126dfd9a1266bd220a02e08755

SHA1
f1861c1fb1870fbb32e7d61cac97fac90ec54320

SHA256
9e1b97f0ad15a892da4cde66e39d78f0dcf0857ddb18a1df8875b65c926d1585

SHA512
ba77a1a3b9d9ea0e0167fa96dfc7bb5606f02a31d354ca18adfb2673836610e9b35d8656b3ca5121c634c9aaf5151d6bfb8430039902409cd94c2c911f2d640b

Download Submit
C:\Users\Admin\AppData\Roaming\systeme.exe

Filesize
46KB

MD5
ecb65e126dfd9a1266bd220a02e08755

SHA1
f1861c1fb1870fbb32e7d61cac97fac90ec54320

SHA256
9e1b97f0ad15a892da4cde66e39d78f0dcf0857ddb18a1df8875b65c926d1585

SHA512
ba77a1a3b9d9ea0e0167fa96dfc7bb5606f02a31d354ca18adfb2673836610e9b35d8656b3ca5121c634c9aaf5151d6bfb8430039902409cd94c2c911f2d640b

Download Submit
\Program Files (x86)\sxe\AntiCheat\AntiCheat.exe

Filesize
939KB

MD5
0b0451269c4ec45d866a7f0fdb46e1c3

SHA1
4f9267996a7a4396401f5294631a5dce48bae6bc

SHA256
9fc979ce83fb7df0c71a5112bf6ce848264ad8981951ca688bb06782b59247a6

SHA512
c5e954b375307c9788f22ff9a7dfa4926f3e2804bb997da2b5404b872e2459572c8045d240786a444836e1e269ab3074840f72451f2580ad4755ade319ee8056

Download Submit
\Program Files (x86)\sxe\AntiCheat\AntiCheat.exe

Filesize
939KB

MD5
0b0451269c4ec45d866a7f0fdb46e1c3

SHA1
4f9267996a7a4396401f5294631a5dce48bae6bc

SHA256
9fc979ce83fb7df0c71a5112bf6ce848264ad8981951ca688bb06782b59247a6

SHA512
c5e954b375307c9788f22ff9a7dfa4926f3e2804bb997da2b5404b872e2459572c8045d240786a444836e1e269ab3074840f72451f2580ad4755ade319ee8056

Download Submit
\Program Files (x86)\sxe\AntiCheat\AntiCheat.exe

Filesize
939KB

MD5
0b0451269c4ec45d866a7f0fdb46e1c3

SHA1
4f9267996a7a4396401f5294631a5dce48bae6bc

SHA256
9fc979ce83fb7df0c71a5112bf6ce848264ad8981951ca688bb06782b59247a6

SHA512
c5e954b375307c9788f22ff9a7dfa4926f3e2804bb997da2b5404b872e2459572c8045d240786a444836e1e269ab3074840f72451f2580ad4755ade319ee8056

Download Submit
\Program Files (x86)\sxe\AntiCheat\AntiCheat.exe

Filesize
939KB

MD5
0b0451269c4ec45d866a7f0fdb46e1c3

SHA1
4f9267996a7a4396401f5294631a5dce48bae6bc

SHA256
9fc979ce83fb7df0c71a5112bf6ce848264ad8981951ca688bb06782b59247a6

SHA512
c5e954b375307c9788f22ff9a7dfa4926f3e2804bb997da2b5404b872e2459572c8045d240786a444836e1e269ab3074840f72451f2580ad4755ade319ee8056

Download Submit
\Program Files (x86)\sxe\AntiCheat\AntiCheat.exe

Filesize
939KB

MD5
0b0451269c4ec45d866a7f0fdb46e1c3

SHA1
4f9267996a7a4396401f5294631a5dce48bae6bc

SHA256
9fc979ce83fb7df0c71a5112bf6ce848264ad8981951ca688bb06782b59247a6

SHA512
c5e954b375307c9788f22ff9a7dfa4926f3e2804bb997da2b5404b872e2459572c8045d240786a444836e1e269ab3074840f72451f2580ad4755ade319ee8056

Download Submit
\Users\Admin\AppData\Local\Temp\winsys.exe

Filesize
795KB

MD5
215c4dd821b8ffc34741b204953420bb

SHA1
13f5e03b0bbbe5b5d8f5d39dbd65a83ba4d38594

SHA256
5fb48b316c9a4fdf4331922144f02e8a73af481578ad48d4ae5adf7531b63648

SHA512
5e0cc7dc49a7d93c415416b57a18b054006e4bfa87cbd404d0ce1c660a7c6dd9da8d55f13d52cf7e34d8d9673b1f58c7e664d4890865f358894eb91a2c5e09a1

Download Submit
\Users\Admin\AppData\Local\Temp\winsys.exe

Filesize
795KB

MD5
215c4dd821b8ffc34741b204953420bb

SHA1
13f5e03b0bbbe5b5d8f5d39dbd65a83ba4d38594

SHA256
5fb48b316c9a4fdf4331922144f02e8a73af481578ad48d4ae5adf7531b63648

SHA512
5e0cc7dc49a7d93c415416b57a18b054006e4bfa87cbd404d0ce1c660a7c6dd9da8d55f13d52cf7e34d8d9673b1f58c7e664d4890865f358894eb91a2c5e09a1

Download Submit
\Users\Admin\AppData\Local\Temp\winsys.exe

Filesize
795KB

MD5
215c4dd821b8ffc34741b204953420bb

SHA1
13f5e03b0bbbe5b5d8f5d39dbd65a83ba4d38594

SHA256
5fb48b316c9a4fdf4331922144f02e8a73af481578ad48d4ae5adf7531b63648

SHA512
5e0cc7dc49a7d93c415416b57a18b054006e4bfa87cbd404d0ce1c660a7c6dd9da8d55f13d52cf7e34d8d9673b1f58c7e664d4890865f358894eb91a2c5e09a1

Download Submit
\Users\Admin\AppData\Roaming\systeme.exe

Filesize
46KB

MD5
ecb65e126dfd9a1266bd220a02e08755

SHA1
f1861c1fb1870fbb32e7d61cac97fac90ec54320

SHA256
9e1b97f0ad15a892da4cde66e39d78f0dcf0857ddb18a1df8875b65c926d1585

SHA512
ba77a1a3b9d9ea0e0167fa96dfc7bb5606f02a31d354ca18adfb2673836610e9b35d8656b3ca5121c634c9aaf5151d6bfb8430039902409cd94c2c911f2d640b

Download Submit
\Users\Admin\AppData\Roaming\systeme.exe

Filesize
46KB

MD5
ecb65e126dfd9a1266bd220a02e08755

SHA1
f1861c1fb1870fbb32e7d61cac97fac90ec54320

SHA256
9e1b97f0ad15a892da4cde66e39d78f0dcf0857ddb18a1df8875b65c926d1585

SHA512
ba77a1a3b9d9ea0e0167fa96dfc7bb5606f02a31d354ca18adfb2673836610e9b35d8656b3ca5121c634c9aaf5151d6bfb8430039902409cd94c2c911f2d640b

Download Submit
memory/1540-86-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1540-74-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1540-75-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1540-77-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1540-79-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1540-82-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1540-116-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1540-92-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1540-84-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1540-81-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1540-107-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1540-89-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1608-54-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/1696-71-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download
memory/1696-69-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download
memory/1696-103-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download
memory/1900-90-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download
memory/1900-72-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download
memory/1900-70-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download
memory/1968-94-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/1968-99-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/1968-109-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/1968-106-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/1968-104-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/1968-96-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/1968-98-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/1968-93-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/1968-117-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/1968-118-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download