redline | c50bb5418cd3c3501301166fa96f2439c7da4847d760fb84be89e77611a3e8d9

Analysis

max time kernel
71s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2023, 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c50bb5418cd3c3501301166fa96f2439c7da4847d760fb84be89e77611a3e8d9.exe
Size

674KB
MD5

1c6116876bc65110f636152e7c3f96d0
SHA1

c0f5eb24c8ee45855a3d8ce836a69f00dba3bb92
SHA256

c50bb5418cd3c3501301166fa96f2439c7da4847d760fb84be89e77611a3e8d9
SHA512

d45c11ccb242673ade1043bbd4b18d489ae6fe8050f1362cca9426c3553002502cb33efd20b7e4facc685aa5fd9e84b1d990e190c285376186c9df9b4c8d2323
SSDEEP

12288:NMr8y90kirm95eshgvDYV28aDX43KUxEvuBuXL427jmd2mCPwd:Ny9i695eOYDYlat8C42gJd

Score

10^/10

redline rosn spora discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

176.113.115.145:4125

Attributes

auth_value
441b39ab37774b2ca9931c31e1bc6071

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro1899.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro1899.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro1899.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro1899.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro1899.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro1899.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

resource	yara_rule
behavioral1/memory/4872-190-0x0000000006880000-0x00000000068BF000-memory.dmp	family_redline
behavioral1/memory/4872-191-0x0000000006880000-0x00000000068BF000-memory.dmp	family_redline
behavioral1/memory/4872-193-0x0000000006880000-0x00000000068BF000-memory.dmp	family_redline
behavioral1/memory/4872-195-0x0000000006880000-0x00000000068BF000-memory.dmp	family_redline
behavioral1/memory/4872-197-0x0000000006880000-0x00000000068BF000-memory.dmp	family_redline
behavioral1/memory/4872-199-0x0000000006880000-0x00000000068BF000-memory.dmp	family_redline
behavioral1/memory/4872-201-0x0000000006880000-0x00000000068BF000-memory.dmp	family_redline
behavioral1/memory/4872-203-0x0000000006880000-0x00000000068BF000-memory.dmp	family_redline
behavioral1/memory/4872-205-0x0000000006880000-0x00000000068BF000-memory.dmp	family_redline
behavioral1/memory/4872-207-0x0000000006880000-0x00000000068BF000-memory.dmp	family_redline
behavioral1/memory/4872-209-0x0000000006880000-0x00000000068BF000-memory.dmp	family_redline
behavioral1/memory/4872-211-0x0000000006880000-0x00000000068BF000-memory.dmp	family_redline
behavioral1/memory/4872-213-0x0000000006880000-0x00000000068BF000-memory.dmp	family_redline
behavioral1/memory/4872-215-0x0000000006880000-0x00000000068BF000-memory.dmp	family_redline
behavioral1/memory/4872-217-0x0000000006880000-0x00000000068BF000-memory.dmp	family_redline
behavioral1/memory/4872-219-0x0000000006880000-0x00000000068BF000-memory.dmp	family_redline
behavioral1/memory/4872-221-0x0000000006880000-0x00000000068BF000-memory.dmp	family_redline
behavioral1/memory/4872-223-0x0000000006880000-0x00000000068BF000-memory.dmp	family_redline
behavioral1/memory/4872-236-0x0000000006990000-0x00000000069A0000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
3844	un106765.exe
452	pro1899.exe
4872	qu2615.exe
4464	si611293.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro1899.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro1899.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c50bb5418cd3c3501301166fa96f2439c7da4847d760fb84be89e77611a3e8d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c50bb5418cd3c3501301166fa96f2439c7da4847d760fb84be89e77611a3e8d9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un106765.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un106765.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1096	452	WerFault.exe	85
1656	4872	WerFault.exe	91

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
452	pro1899.exe
452	pro1899.exe
4872	qu2615.exe
4872	qu2615.exe
4464	si611293.exe
4464	si611293.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	452	pro1899.exe
Token: SeDebugPrivilege	4872	qu2615.exe
Token: SeDebugPrivilege	4464	si611293.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 3844	4676	c50bb5418cd3c3501301166fa96f2439c7da4847d760fb84be89e77611a3e8d9.exe	84
PID 4676 wrote to memory of 3844	4676	c50bb5418cd3c3501301166fa96f2439c7da4847d760fb84be89e77611a3e8d9.exe	84
PID 4676 wrote to memory of 3844	4676	c50bb5418cd3c3501301166fa96f2439c7da4847d760fb84be89e77611a3e8d9.exe	84
PID 3844 wrote to memory of 452	3844	un106765.exe	85
PID 3844 wrote to memory of 452	3844	un106765.exe	85
PID 3844 wrote to memory of 452	3844	un106765.exe	85
PID 3844 wrote to memory of 4872	3844	un106765.exe	91
PID 3844 wrote to memory of 4872	3844	un106765.exe	91
PID 3844 wrote to memory of 4872	3844	un106765.exe	91
PID 4676 wrote to memory of 4464	4676	c50bb5418cd3c3501301166fa96f2439c7da4847d760fb84be89e77611a3e8d9.exe	95
PID 4676 wrote to memory of 4464	4676	c50bb5418cd3c3501301166fa96f2439c7da4847d760fb84be89e77611a3e8d9.exe	95
PID 4676 wrote to memory of 4464	4676	c50bb5418cd3c3501301166fa96f2439c7da4847d760fb84be89e77611a3e8d9.exe	95

C:\Users\Admin\AppData\Local\Temp\c50bb5418cd3c3501301166fa96f2439c7da4847d760fb84be89e77611a3e8d9.exe
"C:\Users\Admin\AppData\Local\Temp\c50bb5418cd3c3501301166fa96f2439c7da4847d760fb84be89e77611a3e8d9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un106765.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un106765.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1899.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1899.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:452
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 1088
      4⤵
      Program crash
      PID:1096
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2615.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2615.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4872
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 1604
      4⤵
      Program crash
      PID:1656
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si611293.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si611293.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 452 -ip 452
1⤵
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4872 -ip 4872
1⤵
PID:2432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si611293.exe

Filesize
176KB

MD5
eca5c1068dd6813d78982181db3f2e24

SHA1
876d820bdf406f30d8f0be34c6e7210da253d0b4

SHA256
da56caa9ac8c71f941fdc82004353740caf3f0ac675a3c5b0eb6fec15ee55c8c

SHA512
a6bc73aeddc743ee8906a899f2a0eab34734527c78b1799a064d3f7db16d313f3d59289b1dfe673bb3859eeac8e74032529e120777951515e36668c6c550a08a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si611293.exe

Filesize
176KB

MD5
eca5c1068dd6813d78982181db3f2e24

SHA1
876d820bdf406f30d8f0be34c6e7210da253d0b4

SHA256
da56caa9ac8c71f941fdc82004353740caf3f0ac675a3c5b0eb6fec15ee55c8c

SHA512
a6bc73aeddc743ee8906a899f2a0eab34734527c78b1799a064d3f7db16d313f3d59289b1dfe673bb3859eeac8e74032529e120777951515e36668c6c550a08a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un106765.exe

Filesize
533KB

MD5
599480eb15af99aee8da1f726e929299

SHA1
c4d6ac8ae1be07a2830d92b8ee312ad8b2ab4af9

SHA256
4db8cea578cdab54fa3a1be0e8483e282644d1bc5382daf002e0289c4036916e

SHA512
8272e4fbe9a77a4487e81b64e770b581829d2b25fcc087b8c4a85d51cb9bcfc2d847f69d4f3be734ae7375e4f6403b37b8756886bcddcadd51dd8e6b59e88b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un106765.exe

Filesize
533KB

MD5
599480eb15af99aee8da1f726e929299

SHA1
c4d6ac8ae1be07a2830d92b8ee312ad8b2ab4af9

SHA256
4db8cea578cdab54fa3a1be0e8483e282644d1bc5382daf002e0289c4036916e

SHA512
8272e4fbe9a77a4487e81b64e770b581829d2b25fcc087b8c4a85d51cb9bcfc2d847f69d4f3be734ae7375e4f6403b37b8756886bcddcadd51dd8e6b59e88b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1899.exe

Filesize
376KB

MD5
d9ba7ac5a748adc88051e0e64c6d33ad

SHA1
ec58cba05eed9503fd705c48d118a363f33788e1

SHA256
702fd16f710fb3ee477364d1e3a9109b4cbe598588e0b2dab7e585d358b23cd1

SHA512
2542daf1f20591af5b9ba76adb5886a463cbc104e851b0ad845f79d90b4e6dd87b3c29825f8a5f4bb55068d995b16304bc291b59707c4b057f192067f40c6a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1899.exe

Filesize
376KB

MD5
d9ba7ac5a748adc88051e0e64c6d33ad

SHA1
ec58cba05eed9503fd705c48d118a363f33788e1

SHA256
702fd16f710fb3ee477364d1e3a9109b4cbe598588e0b2dab7e585d358b23cd1

SHA512
2542daf1f20591af5b9ba76adb5886a463cbc104e851b0ad845f79d90b4e6dd87b3c29825f8a5f4bb55068d995b16304bc291b59707c4b057f192067f40c6a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2615.exe

Filesize
435KB

MD5
6e505b11a03d7d92526cab01cd619bbb

SHA1
bf66db2046877a4ca592a6d10a10de819f23a3af

SHA256
92423c7860f0ee82e33a399c28c380683bc84ae752045b4a0178ee2c4ecf7d0c

SHA512
89edf8111f5e14d0f0e3ea583f9705c9ba2841722ff8994835960b1dd8cafdcbc2ff704839686c448bfa2c176c8e39dcb2bcd5052d6709cc6474bc9898ea918e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2615.exe

Filesize
435KB

MD5
6e505b11a03d7d92526cab01cd619bbb

SHA1
bf66db2046877a4ca592a6d10a10de819f23a3af

SHA256
92423c7860f0ee82e33a399c28c380683bc84ae752045b4a0178ee2c4ecf7d0c

SHA512
89edf8111f5e14d0f0e3ea583f9705c9ba2841722ff8994835960b1dd8cafdcbc2ff704839686c448bfa2c176c8e39dcb2bcd5052d6709cc6474bc9898ea918e

Download Submit
memory/452-148-0x0000000004BD0000-0x0000000005174000-memory.dmp

Filesize
5.6MB

Download
memory/452-149-0x0000000002200000-0x000000000222D000-memory.dmp

Filesize
180KB

Download
memory/452-150-0x0000000002740000-0x0000000002750000-memory.dmp

Filesize
64KB

Download
memory/452-151-0x0000000002740000-0x0000000002750000-memory.dmp

Filesize
64KB

Download
memory/452-152-0x0000000002740000-0x0000000002750000-memory.dmp

Filesize
64KB

Download
memory/452-153-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/452-154-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/452-158-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/452-156-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/452-160-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/452-162-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/452-164-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/452-166-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/452-168-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/452-170-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/452-172-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/452-174-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/452-176-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/452-178-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/452-180-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/452-181-0x0000000000400000-0x00000000005A3000-memory.dmp

Filesize
1.6MB

Download
memory/452-182-0x0000000002740000-0x0000000002750000-memory.dmp

Filesize
64KB

Download
memory/452-183-0x0000000002740000-0x0000000002750000-memory.dmp

Filesize
64KB

Download
memory/452-185-0x0000000000400000-0x00000000005A3000-memory.dmp

Filesize
1.6MB

Download
memory/4464-1120-0x0000000000A70000-0x0000000000AA2000-memory.dmp

Filesize
200KB

Download
memory/4464-1121-0x0000000005660000-0x0000000005670000-memory.dmp

Filesize
64KB

Download
memory/4872-191-0x0000000006880000-0x00000000068BF000-memory.dmp

Filesize
252KB

Download
memory/4872-231-0x00000000023A0000-0x00000000023EB000-memory.dmp

Filesize
300KB

Download
memory/4872-195-0x0000000006880000-0x00000000068BF000-memory.dmp

Filesize
252KB

Download
memory/4872-197-0x0000000006880000-0x00000000068BF000-memory.dmp

Filesize
252KB

Download
memory/4872-199-0x0000000006880000-0x00000000068BF000-memory.dmp

Filesize
252KB

Download
memory/4872-201-0x0000000006880000-0x00000000068BF000-memory.dmp

Filesize
252KB

Download
memory/4872-203-0x0000000006880000-0x00000000068BF000-memory.dmp

Filesize
252KB

Download
memory/4872-205-0x0000000006880000-0x00000000068BF000-memory.dmp

Filesize
252KB

Download
memory/4872-207-0x0000000006880000-0x00000000068BF000-memory.dmp

Filesize
252KB

Download
memory/4872-209-0x0000000006880000-0x00000000068BF000-memory.dmp

Filesize
252KB

Download
memory/4872-211-0x0000000006880000-0x00000000068BF000-memory.dmp

Filesize
252KB

Download
memory/4872-213-0x0000000006880000-0x00000000068BF000-memory.dmp

Filesize
252KB

Download
memory/4872-215-0x0000000006880000-0x00000000068BF000-memory.dmp

Filesize
252KB

Download
memory/4872-217-0x0000000006880000-0x00000000068BF000-memory.dmp

Filesize
252KB

Download
memory/4872-219-0x0000000006880000-0x00000000068BF000-memory.dmp

Filesize
252KB

Download
memory/4872-221-0x0000000006880000-0x00000000068BF000-memory.dmp

Filesize
252KB

Download
memory/4872-223-0x0000000006880000-0x00000000068BF000-memory.dmp

Filesize
252KB

Download
memory/4872-193-0x0000000006880000-0x00000000068BF000-memory.dmp

Filesize
252KB

Download
memory/4872-232-0x0000000006990000-0x00000000069A0000-memory.dmp

Filesize
64KB

Download
memory/4872-236-0x0000000006990000-0x00000000069A0000-memory.dmp

Filesize
64KB

Download
memory/4872-234-0x0000000006990000-0x00000000069A0000-memory.dmp

Filesize
64KB

Download
memory/4872-1100-0x0000000007050000-0x0000000007668000-memory.dmp

Filesize
6.1MB

Download
memory/4872-1101-0x00000000076C0000-0x00000000077CA000-memory.dmp

Filesize
1.0MB

Download
memory/4872-1102-0x0000000007800000-0x0000000007812000-memory.dmp

Filesize
72KB

Download
memory/4872-1103-0x0000000007820000-0x000000000785C000-memory.dmp

Filesize
240KB

Download
memory/4872-1104-0x0000000006990000-0x00000000069A0000-memory.dmp

Filesize
64KB

Download
memory/4872-1105-0x0000000007B10000-0x0000000007BA2000-memory.dmp

Filesize
584KB

Download
memory/4872-1106-0x0000000007BB0000-0x0000000007C16000-memory.dmp

Filesize
408KB

Download
memory/4872-1108-0x0000000006990000-0x00000000069A0000-memory.dmp

Filesize
64KB

Download
memory/4872-1109-0x0000000006990000-0x00000000069A0000-memory.dmp

Filesize
64KB

Download
memory/4872-1110-0x0000000008510000-0x0000000008586000-memory.dmp

Filesize
472KB

Download
memory/4872-1111-0x00000000085A0000-0x00000000085F0000-memory.dmp

Filesize
320KB

Download
memory/4872-190-0x0000000006880000-0x00000000068BF000-memory.dmp

Filesize
252KB

Download
memory/4872-1112-0x0000000006990000-0x00000000069A0000-memory.dmp

Filesize
64KB

Download
memory/4872-1113-0x0000000008770000-0x0000000008932000-memory.dmp

Filesize
1.8MB

Download
memory/4872-1114-0x0000000008940000-0x0000000008E6C000-memory.dmp

Filesize
5.2MB

Download