Analysis
-
max time kernel
117s -
max time network
107s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
07-09-2024 02:03
General
-
Target
7f604c1ca06db7206f1699e6d908a7a0N.exe
-
Size
4.9MB
-
MD5
7f604c1ca06db7206f1699e6d908a7a0
-
SHA1
ba7e4204908407f64ce41d867a312b970c450ca3
-
SHA256
057029b10fb991791435ba26d2715749bad8114beb7652132c0e8471d0200d11
-
SHA512
04ac0f43e282eecaedd7ca0012469145269780ff54b792d511f025851df0974ad1ae568a22e80e78e5b444431e9ebea60e3dcb77a0c9233faee7b758d5354ee8
-
SSDEEP
49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 9 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 30 IoCs
-
DCRat payload 1 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 9 IoCs
-
Checks whether UAC is enabled 1 TTPs 20 IoCs
-
Drops file in Program Files directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 30 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7f604c1ca06db7206f1699e6d908a7a0N.exe"C:\Users\Admin\AppData\Local\Temp\7f604c1ca06db7206f1699e6d908a7a0N.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Windows Mail\de-DE\csrss.exe"C:\Program Files\Windows Mail\de-DE\csrss.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8d91631-e2cb-4ac2-b181-d5be62a16d18.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Mail\de-DE\csrss.exe"C:\Program Files\Windows Mail\de-DE\csrss.exe"4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\040877dc-298f-4ce9-8f1f-ade626c97b95.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Mail\de-DE\csrss.exe"C:\Program Files\Windows Mail\de-DE\csrss.exe"6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4bee5e4-8cb6-4c14-9ff3-eec46eac46fa.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Mail\de-DE\csrss.exe"C:\Program Files\Windows Mail\de-DE\csrss.exe"8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97583e94-2ef0-4e0d-b385-4ef1a284b3ec.vbs"9⤵
-
C:\Program Files\Windows Mail\de-DE\csrss.exe"C:\Program Files\Windows Mail\de-DE\csrss.exe"10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aed2523e-addd-4f46-9a5f-aeff0db20649.vbs"11⤵
-
C:\Program Files\Windows Mail\de-DE\csrss.exe"C:\Program Files\Windows Mail\de-DE\csrss.exe"12⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68f8b6d5-38b0-4acc-ad05-745f93d3f4c5.vbs"13⤵
-
C:\Program Files\Windows Mail\de-DE\csrss.exe"C:\Program Files\Windows Mail\de-DE\csrss.exe"14⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7feb12d7-a0eb-4de1-bd5a-1ac0934d4828.vbs"15⤵
-
C:\Program Files\Windows Mail\de-DE\csrss.exe"C:\Program Files\Windows Mail\de-DE\csrss.exe"16⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad565cd0-f24b-45c8-af02-20f6c5a3124a.vbs"17⤵
-
C:\Program Files\Windows Mail\de-DE\csrss.exe"C:\Program Files\Windows Mail\de-DE\csrss.exe"18⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43a39bf1-cfce-4118-854f-a1c8ec6b6f67.vbs"19⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad14eb07-1c2e-4dd3-9999-1202d25fbd78.vbs"19⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a9a2831-df15-4d9c-bc1d-6b91e0349e39.vbs"17⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7624806-a6fa-48ac-8c70-cc3832ce89d1.vbs"15⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\151b0795-4892-42c1-8e8c-da56b07b9481.vbs"13⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e53e8634-eb02-4bee-bf8c-e596d76c865d.vbs"11⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85d7e246-0aaa-4a86-825d-a6e9a2851f56.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a320e536-147a-46b9-8113-3a8df3f1a245.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1378ef74-7c39-40e8-90de-906feac8ef43.vbs"5⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef0e2f00-efb0-414b-967d-0391534306ae.vbs"3⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\de-DE\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\de-DE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "7f604c1ca06db7206f1699e6d908a7a0N7" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\7f604c1ca06db7206f1699e6d908a7a0N.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "7f604c1ca06db7206f1699e6d908a7a0N" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\7f604c1ca06db7206f1699e6d908a7a0N.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "7f604c1ca06db7206f1699e6d908a7a0N7" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\7f604c1ca06db7206f1699e6d908a7a0N.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.9MB
MD57f604c1ca06db7206f1699e6d908a7a0
SHA1ba7e4204908407f64ce41d867a312b970c450ca3
SHA256057029b10fb991791435ba26d2715749bad8114beb7652132c0e8471d0200d11
SHA51204ac0f43e282eecaedd7ca0012469145269780ff54b792d511f025851df0974ad1ae568a22e80e78e5b444431e9ebea60e3dcb77a0c9233faee7b758d5354ee8
-
Filesize
721B
MD5911cbbe5afc2b3ef61c0d0938d1f8c5d
SHA15279e1de52966d276520e3438fea5c8c48096871
SHA256a694fc982717d196db18b28e36c6fa1540ec3ad3518d81b8151f8afeeab067c4
SHA512986c30918da33ba343cda71d17ea934150cb486870cdb4a766a09c73d775e119238389d53d44596f225cda9dc83988838ec34a63e62de3caf037041f509f6fbe
-
Filesize
721B
MD58c7cddac1a8ad3ea0621ed1af9a94cb6
SHA19f181d2b109b4d86dc893a0c782d2d6492b10560
SHA25697842d3d1ca2637e180547fd9deecfcae69974130a18275bc6be088d100e9e87
SHA5128753f8c29e4fc9cb920b368623f4bc94bbcc9c9f37371b82cad8c696401a6c0478d3f7d3daacda0675c741b279b6bcff576564ab50f5f15c3e3125c34a547e2a
-
Filesize
721B
MD5f09fd47e2fa23b9424ade25a6718e182
SHA1fd1b0991f3cf07dc558c03e569583706fafc9ed3
SHA256d70d0a34dc805f4b9adfde7a11a821ac67c48f0b727a4b7481f6bc06b2784089
SHA512c35e00fceb2a4be66f59c271f76c0d0b8fffee5ecde04e86518346ea4fa58b134f0d1392e7b3143e01dd5b794dabc3844c0f21e0690048cce1db858f8463903e
-
Filesize
721B
MD51a9e1a6f28c2c94542ba8d643ea14f4e
SHA1da77784d6102fd8cdc8280b0b8fcd09775ff5f2b
SHA256b02e1a3afe75475d18dfdd61b2c0fffa11f0a6b46c438c5296e0c243e4332b3a
SHA512099e55ab0779f668aac4eb86e6f49b15e3f9d4877631840c40c2169b251dd6d7e8d4af1a2dd91db23ea7c163dac1d897df8935fb060f719990fd981fcb2cb5e0
-
Filesize
721B
MD522ac627b79cebc869e32b556d8894b81
SHA19b509f428ead031970d1f0427717ba7037880693
SHA256a4ef8c9f667d1a7953cb92f837aa36d7de16cd06ebc78d6f0da0421b7a184fd9
SHA51225e26e1f140611792f44ba42ad2e37c484b67801a37dae7f60b19d97f163832a6bc49d33b8ca23267934ea0e19144913f7e54aad86624d3b699620ce8200f263
-
Filesize
721B
MD5ad70c94fce582757acb42906335f1013
SHA1f89c954019fda9573fdd0dd419801bb4ab382041
SHA2563f5f35724a3b45c5b71739f451957e26e7a88c562d91768d8ca1eec0414a92ba
SHA51218d1dfacb5f7292ebe0596d99e73f299d900f60914f1c02dddc87e02335bf5ede74ecc2a7caaab318e30fcd4b63c2a5ee2045909180933b358f6832496fe379d
-
Filesize
721B
MD5e2f2045f1025e76ab4a700a7a03569c9
SHA1cbe86c96482f3ed37bc1854b9eeef76aa07a2558
SHA256eef398e8a113c5bf9b6c21c4d2310d80f8ea89bd40a8e82aa7483ba677d24260
SHA5121277746d859002d151924e73cf61cac4b6addf8013133e489225b7d37bbdebebc0c3ecf894bd75009d058377dfd2ea31613bc020ba7afda37acb37788548bdc1
-
Filesize
721B
MD5403ef7e87fe384dceb6605e6b0e6ae8a
SHA1604f038ea5c8efc7545dfe095899d023c38a78fa
SHA256ee6a4083af6cf393881c48896d3854fd9aaa71d4b263089491b8d78fab3c095b
SHA51216592e5aec4720aaf08879c74697ba961240f4dce14f28426ad100e3faa10f9e3ce123b9d592e16a036b9fe38519e7193eb485fc2c3728955d3b087806ca0f75
-
Filesize
720B
MD50abece08a219d238c1deb0eb036d9d0e
SHA11665ad3e6b4a7de43efa6929e5b5f4846508c3f6
SHA256f59e0b51631aee8238a944febdaf4b02c689f141c50df52f855cb5ddde005944
SHA5123e4cdc402ae41a3062c0448727762f2eea4055cb4018e4389908ad93600b5bf3445b6fe9df3a1d1c8567c8b299add5c8154504f876cca15c4e30f0b16b19a363
-
Filesize
497B
MD5dc030e078e5c67b63f5b4b8fb36f508e
SHA10d1ec33ad67b25e84de18d74b6b2b977080a4a3f
SHA256d8e2212b874514bb06629c043003496f5845e4ee58ba2b2d799426d8bd6e4703
SHA51289e957bf7ef36253cc4ae33649852f0219129b62bb0c4067b9eab23bcf0004775a38b42eebfbe86770c94c10fc2144ea65254bdb6731d2600319e9a4c408dce4
-
Filesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
Filesize
7KB
MD51bc57e283853405c373fd1f9d33a9f55
SHA1d54a845dbfae18f9ff10cf42667ae7ae47cad875
SHA2569eb1fd1fe2675281af51cf309c8a57303ca6b43a54257ded1cc941c5e6dc2e15
SHA5125b06b1a39835b2971f6aa3806bf395afb010b1e72a163a68001faa37f3ec0fe197ae069917671b49d1c12d315a79cb8fcde3b3a91eb5a029da9bd777170e93c5
-
Filesize
5.0MB
-
Filesize
72KB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
2.9MB
-
Filesize
5.0MB
-
Filesize
88KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
5.0MB
-
Filesize
56KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
112KB
-
Filesize
32KB
-
Filesize
1.2MB
-
Filesize
9.9MB
-
Filesize
40KB
-
Filesize
5.0MB
-
Filesize
32KB
-
Filesize
5.0MB