1d61f61df5de462749d36797f4e5a3f6a4b95fdf132a363e0276bfd59643fd45

Analysis

max time kernel
92s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UCK.exe
Size

71.1MB
MD5

acbf08778a592b1df8bf580523318b15
SHA1

0f2ad175ce7f268bd94da842b822b5694c184375
SHA256

1d61f61df5de462749d36797f4e5a3f6a4b95fdf132a363e0276bfd59643fd45
SHA512

e6e3373d21eb404b43839537a43f3eda63a9cf01f19db6bc799ce3388b80ee11c6ae17af6c89432576ac5eef69240a35a0cbfb83a9514ac0ef1ad290a5baf0e1
SSDEEP

1572864:zuaCjxMgp23PnpSRxxhaz/+df11/GgzBGQIj5Oi:ia+9unkRxDw/Mf/pBGRj5

Score

10^/10

discovery evasion persistence privilege_escalation trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	UCK.exe

Executes dropped EXE 2 IoCs

pid	Process
1060	QQSetupEx.exe
388	win32-67-quickq.exe

Loads dropped DLL 4 IoCs

pid	Process
1060	QQSetupEx.exe
388	win32-67-quickq.exe
388	win32-67-quickq.exe
388	win32-67-quickq.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1300-1-0x0000000180000000-0x00000001801CE000-memory.dmp	upx
behavioral2/memory/1300-3-0x0000000180000000-0x00000001801CE000-memory.dmp	upx
behavioral2/memory/1300-6-0x0000000180000000-0x00000001801CE000-memory.dmp	upx
behavioral2/memory/1300-5-0x0000000180000000-0x00000001801CE000-memory.dmp	upx
behavioral2/memory/1300-4-0x0000000180000000-0x00000001801CE000-memory.dmp	upx
behavioral2/memory/1300-2-0x0000000180000000-0x00000001801CE000-memory.dmp	upx
behavioral2/memory/1300-21-0x0000000180000000-0x00000001801CE000-memory.dmp	upx
behavioral2/memory/1300-38-0x0000000180000000-0x00000001801CE000-memory.dmp	upx

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	QQSetupEx.exe
File opened (read-only)	\??\X:	QQSetupEx.exe
File opened (read-only)	\??\J:	QQSetupEx.exe
File opened (read-only)	\??\M:	QQSetupEx.exe
File opened (read-only)	\??\R:	QQSetupEx.exe
File opened (read-only)	\??\S:	QQSetupEx.exe
File opened (read-only)	\??\H:	QQSetupEx.exe
File opened (read-only)	\??\P:	QQSetupEx.exe
File opened (read-only)	\??\Q:	QQSetupEx.exe
File opened (read-only)	\??\U:	QQSetupEx.exe
File opened (read-only)	\??\W:	QQSetupEx.exe
File opened (read-only)	\??\Z:	QQSetupEx.exe
File opened (read-only)	\??\E:	QQSetupEx.exe
File opened (read-only)	\??\K:	QQSetupEx.exe
File opened (read-only)	\??\L:	QQSetupEx.exe
File opened (read-only)	\??\T:	QQSetupEx.exe
File opened (read-only)	\??\O:	QQSetupEx.exe
File opened (read-only)	\??\Y:	QQSetupEx.exe
File opened (read-only)	\??\B:	QQSetupEx.exe
File opened (read-only)	\??\G:	QQSetupEx.exe
File opened (read-only)	\??\I:	QQSetupEx.exe
File opened (read-only)	\??\N:	QQSetupEx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win32-67-quickq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QQSetupEx.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	QQSetupEx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	QQSetupEx.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2856	ipconfig.exe
2372	ipconfig.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	UCK.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1060	QQSetupEx.exe
1060	QQSetupEx.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
2560	mmc.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1300	UCK.exe
Token: 33	2988	mmc.exe
Token: SeIncBasePriorityPrivilege	2988	mmc.exe
Token: 33	2988	mmc.exe
Token: SeIncBasePriorityPrivilege	2988	mmc.exe
Token: SeShutdownPrivilege	1060	QQSetupEx.exe
Token: 33	2560	mmc.exe
Token: SeIncBasePriorityPrivilege	2560	mmc.exe
Token: 33	2560	mmc.exe
Token: SeIncBasePriorityPrivilege	2560	mmc.exe
Token: SeDebugPrivilege	1060	QQSetupEx.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1300	UCK.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1300	UCK.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1300	UCK.exe
1300	UCK.exe
2988	mmc.exe
2988	mmc.exe
1060	QQSetupEx.exe
2560	mmc.exe
2560	mmc.exe
388	win32-67-quickq.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 1908	1300	UCK.exe	82
PID 1300 wrote to memory of 1908	1300	UCK.exe	82
PID 1908 wrote to memory of 2856	1908	cmd.exe	84
PID 1908 wrote to memory of 2856	1908	cmd.exe	84
PID 1300 wrote to memory of 2776	1300	UCK.exe	85
PID 1300 wrote to memory of 2776	1300	UCK.exe	85
PID 1300 wrote to memory of 4868	1300	UCK.exe	92
PID 1300 wrote to memory of 4868	1300	UCK.exe	92
PID 4868 wrote to memory of 4220	4868	cmd.exe	94
PID 4868 wrote to memory of 4220	4868	cmd.exe	94
PID 4868 wrote to memory of 1936	4868	cmd.exe	95
PID 4868 wrote to memory of 1936	4868	cmd.exe	95
PID 4868 wrote to memory of 216	4868	cmd.exe	96
PID 4868 wrote to memory of 216	4868	cmd.exe	96
PID 1300 wrote to memory of 2476	1300	UCK.exe	99
PID 1300 wrote to memory of 2476	1300	UCK.exe	99
PID 2988 wrote to memory of 1060	2988	mmc.exe	102
PID 2988 wrote to memory of 1060	2988	mmc.exe	102
PID 2988 wrote to memory of 1060	2988	mmc.exe	102
PID 2560 wrote to memory of 388	2560	mmc.exe	105
PID 2560 wrote to memory of 388	2560	mmc.exe	105
PID 2560 wrote to memory of 388	2560	mmc.exe	105
PID 1060 wrote to memory of 1800	1060	QQSetupEx.exe	106
PID 1060 wrote to memory of 1800	1060	QQSetupEx.exe	106
PID 1060 wrote to memory of 1800	1060	QQSetupEx.exe	106
PID 1800 wrote to memory of 2372	1800	cmd.exe	108
PID 1800 wrote to memory of 2372	1800	cmd.exe	108
PID 1800 wrote to memory of 2372	1800	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\UCK.exe
"C:\Users\Admin\AppData\Local\Temp\UCK.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /all
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:2856
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" -f C:\ProgramData\bV8ir.xml
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2776
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\6Z38q.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
    3⤵
    - UAC bypass
    PID:4220
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
    3⤵
    - UAC bypass
    PID:1936
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
    3⤵
    - UAC bypass
    PID:216
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /b C:\ProgramData\7NUTf\2oET7@m8\v+C:\ProgramData\7NUTf\2oET7@m8\b C:\ProgramData\7NUTf\2oET7@m8\arkHttpClient.dll
  2⤵
  PID:2476

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2988
- C:\ProgramData\7NUTf\2oET7@m8\QQSetupEx.exe
  "C:\ProgramData\7NUTf\2oET7@m8\QQSetupEx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /all
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:2372

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe -Embedding
1⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2560
- C:\ProgramData\win32-67-quickq.exe
  "C:\ProgramData\win32-67-quickq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\7NUTf\2oET7@m8\PX.txt

Filesize
179KB

MD5
ab080ca060a511b27d17ffc10321ff6f

SHA1
c1ca1c99aa43f76507311b0e6c6234aaf45c2c6a

SHA256
08a7d990ce859e76c26e7eae7468ed40e94dd56dbe6fc41819b63df37369bf54

SHA512
43280abcb5b8cf9b9b93f4b9e042691d241d670394072f1c14b57862c008cb6bc88547748758d5304fbe7d9093df30022cb90f45eb6481e31af882630e3afdac

Download Submit
C:\ProgramData\7NUTf\2oET7@m8\QQSetupEx.exe

Filesize
446KB

MD5
9efa9e12deac9f6fa48bc031e4300dad

SHA1
7870326380768cf2cf9114c5d5b8b61fd5fba616

SHA256
1849ecf1956e8b01949ba5eac8ef1255cfcdb62be43dc0d574d2ea3dc1c8eee8

SHA512
3de2c0d96cf4fd7312b872c9c9f135a022daa11a9e5c7c924137c9bd4c0e787ff9492b6164288635bfa9d39dc49e04a5b1bb67501fc56d2422d9da95218eaf40

Download Submit
C:\ProgramData\7NUTf\2oET7@m8\arkHTTPClient.dll

Filesize
1.9MB

MD5
3f8ddf5bcf23fedb2bc64001b85ae97e

SHA1
6941d2c330ad73eb3d3b6a5a31a970f540547bfa

SHA256
c795b9d60652428e17659c318a77f7cd571071ac6b2104896683351a6e57b014

SHA512
364be123eed2e2f5485f79595afc045fd4cdfb80f858cf2b156a0a7e200796d890c1020392a0eef1829584165967b14021cb1d925efff196e978c0e6ae6041ca

Download Submit
C:\ProgramData\7NUTf\2oET7@m8\b

Filesize
992KB

MD5
89f8faba45e4e133870d7611c501e107

SHA1
6e026c4f7c9485b419c28dbb0197bd7f0ebe66de

SHA256
6ecea72a4ec39d7ab38f1355257e135c7fc3edb0486f23ef322efca169f463bc

SHA512
e489fe4942e6f1c80d174d1b2b554c519fa140e38b5e6c8305a33d45db40ec3d3106bd80ad61e3dae9ec5ba17be8a0dc4856155329358a507d5977fcf0d8b792

Download Submit
C:\ProgramData\7NUTf\2oET7@m8\v

Filesize
992KB

MD5
91fb7b996d03374429eaabb1416df04c

SHA1
fcc731d34cae911766f6585ccdbe80d2387ebe58

SHA256
06bc181a28fd582660789e181ed29f39a495f583393c5cc39b158fa27a4437b2

SHA512
af6b171f01dc940407f5fee60cd02d6d3423ed2b01deddf6fd50616b3269f663647d25a6ccd46470a8675c97dc97c215ccabfe0e0af2a76eb312570161d6a546

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbF04C.tmp\InstallOptions.dll

Filesize
14KB

MD5
8d5a5529462a9ba1ac068ee0502578c7

SHA1
875e651e302ce0bfc8893f341cf19171fee25ea5

SHA256
e625dcd0188594b1289891b64debddeb5159aca182b83a12675427b320bf7790

SHA512
101da2c33f47bd85b8934318e0f0b72f820afc928a2a21e2c7823875e3a0e830f7c67f42b4c2f30596eaa073617790c89700c0d95b7949ec617e52800b61d462

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbF04C.tmp\LangDLL.dll

Filesize
5KB

MD5
77ff758c10c66937de6d86c388aa431c

SHA1
14bd5628eaf8a12b55cd38f9560c839cb21ce77a

SHA256
6a033e367714ec0d13fca0589c165bdbf4d1dac459fa7ec7415815223fa3c008

SHA512
319837951be276a179ead69efcd24bd7566061abc7997ea782af50bd4b0d69e5ec1a6e4cdeb2825bafedf87edf03380396b7bcf58682b6a3a824c8dc4b966bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbF04C.tmp\System.dll

Filesize
11KB

MD5
b0c77267f13b2f87c084fd86ef51ccfc

SHA1
f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

SHA256
a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

SHA512
f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbF04C.tmp\ioSpecial.ini

Filesize
392B

MD5
b4b3d5baebf3620b6300bdd6595f14fc

SHA1
c6b62d2be190874847ce55f0de6eb1bff92848a9

SHA256
52c2285ade23533b1cb0e703fc2f2eb782cb3bbd62e402b299d413d1fe4fef2f

SHA512
ac6ca9fcecb69a3bd98f40656af2227346b41bead5d7ce3c6168b1a63e1014e5419f1aafa7555f5cfa911cd8d3b62add9dec987ff41ca2c209d80bc4663c35e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbF04C.tmp\ioSpecial.ini

Filesize
679B

MD5
825045320132b8f3b4a30966a89af539

SHA1
18f12166b3c7708921fc2a5157da497a399b0d30

SHA256
c282061d4ec9248c15909c5c45cd0c29b777eedf113dc32c8ba5dafcd2128845

SHA512
1b67ab59932b348101549826a77b8dd0670d599ae8e21d6b494a441e666becbace674ff75370387712a391a2a62999c89fcd36ed69e6bc9220cac9ae22abacda

Download Submit
C:\Users\Admin\AppData\Roaming\6Z38q.bat

Filesize
392B

MD5
30d6eb22d6aeec10347239b17b023bf4

SHA1
e2a6f86d66c699f6e0ff1ac4e140af4a2a4637d1

SHA256
659df6b190a0b92fc34e3a4457b4a8d11a26a4caf55de64dfe79eb1276181f08

SHA512
500872c3f2f3f801ec51717690873194675cb7f32cc4a862c09d90c18638d364d49b0e04c32323f52734e5c806e3503a63ac755c7019d762786a72840123df76

Download Submit
memory/1060-125-0x0000000002BF0000-0x0000000002C59000-memory.dmp

Filesize
420KB

Download
memory/1060-129-0x0000000002BF0000-0x0000000002C59000-memory.dmp

Filesize
420KB

Download
memory/1060-27-0x0000000002BF0000-0x0000000002C59000-memory.dmp

Filesize
420KB

Download
memory/1060-29-0x0000000002BF0000-0x0000000002C59000-memory.dmp

Filesize
420KB

Download
memory/1060-28-0x0000000002BF0000-0x0000000002C59000-memory.dmp

Filesize
420KB

Download
memory/1060-31-0x0000000002BF0000-0x0000000002C59000-memory.dmp

Filesize
420KB

Download
memory/1060-128-0x0000000002BF0000-0x0000000002C59000-memory.dmp

Filesize
420KB

Download
memory/1060-126-0x0000000002BF0000-0x0000000002C59000-memory.dmp

Filesize
420KB

Download
memory/1060-127-0x0000000002BF0000-0x0000000002C59000-memory.dmp

Filesize
420KB

Download
memory/1300-4-0x0000000180000000-0x00000001801CE000-memory.dmp

Filesize
1.8MB

Download
memory/1300-1-0x0000000180000000-0x00000001801CE000-memory.dmp

Filesize
1.8MB

Download
memory/1300-3-0x0000000180000000-0x00000001801CE000-memory.dmp

Filesize
1.8MB

Download
memory/1300-6-0x0000000180000000-0x00000001801CE000-memory.dmp

Filesize
1.8MB

Download
memory/1300-5-0x0000000180000000-0x00000001801CE000-memory.dmp

Filesize
1.8MB

Download
memory/1300-21-0x0000000180000000-0x00000001801CE000-memory.dmp

Filesize
1.8MB

Download
memory/1300-38-0x0000000180000000-0x00000001801CE000-memory.dmp

Filesize
1.8MB

Download
memory/1300-2-0x0000000180000000-0x00000001801CE000-memory.dmp

Filesize
1.8MB

Download