Overview

overview

10

Static

static

3

110da8673e...c1.exe

windows7-x64

10

110da8673e...c1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    04-09-2023 23:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe

  • Size

    939KB

  • MD5

    bec9b4e7943863ac7cd194c47ff11157

  • SHA1

    6ca1a0f4ba363e20994a01b5db1cd4d4a76bba99

  • SHA256

    110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1

  • SHA512

    e057e1e3289e3d6effbfb2b51efa22401d51ce3506e8eaa2abb26d130297bffe3229dc34dfbe22269585f0245a6f85ab021b171206e7afac97cde49f004a0f8f

  • SSDEEP

    24576:hs3rdwVbrcTtED4wcEDzHMC4ITeo8blsd9MPbYhwCDwg7UBzMzd:e3r88Tmk4PsvC8BsdsbA7UZMzd

Score
10/10
fatalratevasioninfostealerrat

Malware Config

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

    infostealerratfatalrat
  • Fatal Rat payload 2 IoCs
    ratinfostealer
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 61 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe
    "C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2676
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command -
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2500
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:268
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command -
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1816
    • C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe
      "C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:932
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2108
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command -
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1544
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1948
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command -
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2060

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe
    Filesize

    939KB

    MD5

    bec9b4e7943863ac7cd194c47ff11157

    SHA1

    6ca1a0f4ba363e20994a01b5db1cd4d4a76bba99

    SHA256

    110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1

    SHA512

    e057e1e3289e3d6effbfb2b51efa22401d51ce3506e8eaa2abb26d130297bffe3229dc34dfbe22269585f0245a6f85ab021b171206e7afac97cde49f004a0f8f

    Download Submit

  • C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe
    Filesize

    939KB

    MD5

    bec9b4e7943863ac7cd194c47ff11157

    SHA1

    6ca1a0f4ba363e20994a01b5db1cd4d4a76bba99

    SHA256

    110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1

    SHA512

    e057e1e3289e3d6effbfb2b51efa22401d51ce3506e8eaa2abb26d130297bffe3229dc34dfbe22269585f0245a6f85ab021b171206e7afac97cde49f004a0f8f

    Download Submit

  • C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe
    Filesize

    939KB

    MD5

    bec9b4e7943863ac7cd194c47ff11157

    SHA1

    6ca1a0f4ba363e20994a01b5db1cd4d4a76bba99

    SHA256

    110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1

    SHA512

    e057e1e3289e3d6effbfb2b51efa22401d51ce3506e8eaa2abb26d130297bffe3229dc34dfbe22269585f0245a6f85ab021b171206e7afac97cde49f004a0f8f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SROF4OFQQ6OFVV9VXETC.temp
    Filesize

    7KB

    MD5

    1b4ee89979da762a7f42a3a258d3235a

    SHA1

    6e2a8939403646e4896c6d0995b7208325230e5b

    SHA256

    53c25b59c3d47a631ace32aa8be4be321c9a9099971244fb3b5657faff28e53c

    SHA512

    6c00cf56a86c31d9683f95b1d28da2d336a12e9758dcaffa38a82f3b530488d245a2d6503e2757cf98226798dafb40e5cb6d595dfdcdb8ce1401874d0edfb5ff

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    1b4ee89979da762a7f42a3a258d3235a

    SHA1

    6e2a8939403646e4896c6d0995b7208325230e5b

    SHA256

    53c25b59c3d47a631ace32aa8be4be321c9a9099971244fb3b5657faff28e53c

    SHA512

    6c00cf56a86c31d9683f95b1d28da2d336a12e9758dcaffa38a82f3b530488d245a2d6503e2757cf98226798dafb40e5cb6d595dfdcdb8ce1401874d0edfb5ff

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    029dd733080b6b0624281b76a15b8468

    SHA1

    96e29a2fc02e27a5005ff61be54247829b6be099

    SHA256

    abcdcda56576360c1fe2e7cd3599c8e2105a22d21734289965f62a76aaad6e29

    SHA512

    38cdd2ffefb20713b8c94fba80e79d123e401ac621edae09391a7a4bc0c08749407999e1c0c9b78288131d95c0c8b292fe3bef5969c637939daff94886d4e1c0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    029dd733080b6b0624281b76a15b8468

    SHA1

    96e29a2fc02e27a5005ff61be54247829b6be099

    SHA256

    abcdcda56576360c1fe2e7cd3599c8e2105a22d21734289965f62a76aaad6e29

    SHA512

    38cdd2ffefb20713b8c94fba80e79d123e401ac621edae09391a7a4bc0c08749407999e1c0c9b78288131d95c0c8b292fe3bef5969c637939daff94886d4e1c0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    1b4ee89979da762a7f42a3a258d3235a

    SHA1

    6e2a8939403646e4896c6d0995b7208325230e5b

    SHA256

    53c25b59c3d47a631ace32aa8be4be321c9a9099971244fb3b5657faff28e53c

    SHA512

    6c00cf56a86c31d9683f95b1d28da2d336a12e9758dcaffa38a82f3b530488d245a2d6503e2757cf98226798dafb40e5cb6d595dfdcdb8ce1401874d0edfb5ff

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    1b4ee89979da762a7f42a3a258d3235a

    SHA1

    6e2a8939403646e4896c6d0995b7208325230e5b

    SHA256

    53c25b59c3d47a631ace32aa8be4be321c9a9099971244fb3b5657faff28e53c

    SHA512

    6c00cf56a86c31d9683f95b1d28da2d336a12e9758dcaffa38a82f3b530488d245a2d6503e2757cf98226798dafb40e5cb6d595dfdcdb8ce1401874d0edfb5ff

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    029dd733080b6b0624281b76a15b8468

    SHA1

    96e29a2fc02e27a5005ff61be54247829b6be099

    SHA256

    abcdcda56576360c1fe2e7cd3599c8e2105a22d21734289965f62a76aaad6e29

    SHA512

    38cdd2ffefb20713b8c94fba80e79d123e401ac621edae09391a7a4bc0c08749407999e1c0c9b78288131d95c0c8b292fe3bef5969c637939daff94886d4e1c0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    029dd733080b6b0624281b76a15b8468

    SHA1

    96e29a2fc02e27a5005ff61be54247829b6be099

    SHA256

    abcdcda56576360c1fe2e7cd3599c8e2105a22d21734289965f62a76aaad6e29

    SHA512

    38cdd2ffefb20713b8c94fba80e79d123e401ac621edae09391a7a4bc0c08749407999e1c0c9b78288131d95c0c8b292fe3bef5969c637939daff94886d4e1c0

    Download Submit

  • C:\Users\Default\Desktop\athletes.exe
    Filesize

    939KB

    MD5

    bec9b4e7943863ac7cd194c47ff11157

    SHA1

    6ca1a0f4ba363e20994a01b5db1cd4d4a76bba99

    SHA256

    110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1

    SHA512

    e057e1e3289e3d6effbfb2b51efa22401d51ce3506e8eaa2abb26d130297bffe3229dc34dfbe22269585f0245a6f85ab021b171206e7afac97cde49f004a0f8f

    Download Submit

  • \Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe
    Filesize

    939KB

    MD5

    bec9b4e7943863ac7cd194c47ff11157

    SHA1

    6ca1a0f4ba363e20994a01b5db1cd4d4a76bba99

    SHA256

    110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1

    SHA512

    e057e1e3289e3d6effbfb2b51efa22401d51ce3506e8eaa2abb26d130297bffe3229dc34dfbe22269585f0245a6f85ab021b171206e7afac97cde49f004a0f8f

    Download Submit

  • memory/268-52-0x0000000002810000-0x0000000002850000-memory.dmp

    Filesize

    256KB

    Download

  • memory/268-51-0x00000000730F0000-0x000000007369B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/268-48-0x0000000002810000-0x0000000002850000-memory.dmp

    Filesize

    256KB

    Download

  • memory/268-49-0x0000000002810000-0x0000000002850000-memory.dmp

    Filesize

    256KB

    Download

  • memory/268-47-0x0000000002810000-0x0000000002850000-memory.dmp

    Filesize

    256KB

    Download

  • memory/268-46-0x00000000730F0000-0x000000007369B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/268-45-0x00000000730F0000-0x000000007369B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/268-53-0x0000000002810000-0x0000000002850000-memory.dmp

    Filesize

    256KB

    Download

  • memory/268-54-0x0000000002810000-0x0000000002850000-memory.dmp

    Filesize

    256KB

    Download

  • memory/932-93-0x0000000004140000-0x0000000004141000-memory.dmp

    Filesize

    4KB

    Download

  • memory/932-90-0x0000000000400000-0x00000000005FF000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/932-171-0x0000000000400000-0x00000000005FF000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/932-170-0x0000000000400000-0x00000000005FF000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/932-169-0x0000000000400000-0x00000000005FF000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/932-166-0x0000000000400000-0x00000000005FF000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/932-161-0x0000000010000000-0x0000000010036000-memory.dmp

    Filesize

    216KB

    Download

  • memory/932-155-0x0000000000400000-0x00000000005FF000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/932-145-0x0000000000400000-0x00000000005FF000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/932-143-0x0000000000400000-0x00000000005FF000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/932-127-0x0000000000400000-0x00000000005FF000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/932-113-0x0000000000400000-0x00000000005FF000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/932-98-0x00000000040E0000-0x00000000040E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/932-96-0x0000000004110000-0x0000000004112000-memory.dmp

    Filesize

    8KB

    Download

  • memory/932-97-0x0000000004160000-0x0000000004161000-memory.dmp

    Filesize

    4KB

    Download

  • memory/932-95-0x0000000004100000-0x0000000004101000-memory.dmp

    Filesize

    4KB

    Download

  • memory/932-94-0x00000000040D0000-0x00000000040D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/932-92-0x0000000004130000-0x0000000004131000-memory.dmp

    Filesize

    4KB

    Download

  • memory/932-91-0x0000000000400000-0x00000000005FF000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1596-73-0x00000000047E0000-0x00000000048E0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1596-3-0x0000000004130000-0x0000000004131000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1596-34-0x0000000000400000-0x00000000005FF000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1596-55-0x0000000000400000-0x00000000005FF000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1596-13-0x0000000000400000-0x00000000005FF000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1596-1-0x00000000771F0000-0x00000000771F2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1596-2-0x0000000000400000-0x00000000005FF000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1596-4-0x0000000004110000-0x0000000004112000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1596-5-0x0000000004140000-0x0000000004141000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1596-6-0x00000000040D0000-0x00000000040D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1596-7-0x0000000004100000-0x0000000004101000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1596-67-0x0000000000400000-0x00000000005FF000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1596-20-0x0000000000400000-0x00000000005FF000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1596-0-0x0000000000400000-0x00000000005FF000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1596-50-0x0000000000400000-0x00000000005FF000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1596-74-0x00000000047E0000-0x00000000048E0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1596-16-0x0000000000400000-0x00000000005FF000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1596-75-0x0000000010000000-0x0000000010036000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1596-10-0x0000000004160000-0x0000000004161000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1596-88-0x0000000000400000-0x00000000005FF000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1596-87-0x00000000055D0000-0x00000000057CF000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1596-9-0x00000000040E0000-0x00000000040E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1596-8-0x0000000004150000-0x0000000004151000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1596-89-0x00000000047E0000-0x00000000048E0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1816-64-0x0000000002700000-0x0000000002740000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1816-69-0x0000000002700000-0x0000000002740000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1816-65-0x0000000073C10000-0x00000000741BB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1816-62-0x0000000002700000-0x0000000002740000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1816-68-0x0000000002700000-0x0000000002740000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1816-63-0x0000000002700000-0x0000000002740000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1816-61-0x0000000073C10000-0x00000000741BB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1816-66-0x0000000073C10000-0x00000000741BB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1816-70-0x0000000002700000-0x0000000002740000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2108-106-0x0000000002620000-0x0000000002660000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2108-105-0x00000000730F0000-0x000000007369B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2108-107-0x00000000730F0000-0x000000007369B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2500-31-0x0000000002260000-0x00000000022A0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2500-30-0x0000000072B40000-0x00000000730EB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2500-35-0x0000000072B40000-0x00000000730EB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2500-36-0x0000000002260000-0x00000000022A0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2500-38-0x0000000002260000-0x00000000022A0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2500-32-0x0000000002260000-0x00000000022A0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2500-29-0x0000000072B40000-0x00000000730EB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2500-33-0x0000000002260000-0x00000000022A0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2500-37-0x0000000002260000-0x00000000022A0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2676-21-0x00000000730F0000-0x000000007369B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2676-17-0x0000000002440000-0x0000000002480000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2676-23-0x0000000002440000-0x0000000002480000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2676-14-0x00000000730F0000-0x000000007369B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2676-22-0x0000000002440000-0x0000000002480000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2676-19-0x0000000002440000-0x0000000002480000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2676-18-0x0000000002440000-0x0000000002480000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2676-15-0x00000000730F0000-0x000000007369B000-memory.dmp

    Filesize

    5.7MB

    Download