Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22/03/2025, 06:08
General
-
Target
231f156f9f4b328156bcb91a17f2a636.exe
-
Size
3.0MB
-
MD5
231f156f9f4b328156bcb91a17f2a636
-
SHA1
4a152cf18df6e69aae5dc7188dc29cae5d58c062
-
SHA256
703c6e6e766b8454ab69233c17b178c5e8cf75367a99195b00f969f0896ed15f
-
SHA512
bbd3e640ad27a495b3c967c6d69951f061b70da3205416a547da735c003ada40e7ea64de0cf3652756f7cb07d957dfb00ee1e71d70ddddabd5a9e19546301136
-
SSDEEP
49152:q/3iuoi0xrLIy5sx+3K0n+B87/2bHJC3H0oJK7rohky64a65KKRD:4SuMxAxKp+SDqHJq+zy86A
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 6 IoCs
-
DCRat payload 5 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 10 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 43 IoCs
-
System policy modification 1 TTPs 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\231f156f9f4b328156bcb91a17f2a636.exe"C:\Users\Admin\AppData\Local\Temp\231f156f9f4b328156bcb91a17f2a636.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\231f156f9f4b328156bcb91a17f2a636.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\NetworkService\wininit.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\dllhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\WMIADAP.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\audiodg.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Services\OSPPSVC.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fwAG7KGXHJ.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a0d1024-97d9-4b72-8b00-6a333b5b8e51.vbs"4⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\baff45db-b334-45ab-95c4-f163053e9db9.vbs"4⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://localhost:12261/4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2288 CREDAT:275457 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\ServiceProfiles\NetworkService\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\ServiceProfiles\NetworkService\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\twain_32\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\twain_32\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Downloads\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Downloads\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\Services\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Services\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
5Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.0MB
MD5231f156f9f4b328156bcb91a17f2a636
SHA14a152cf18df6e69aae5dc7188dc29cae5d58c062
SHA256703c6e6e766b8454ab69233c17b178c5e8cf75367a99195b00f969f0896ed15f
SHA512bbd3e640ad27a495b3c967c6d69951f061b70da3205416a547da735c003ada40e7ea64de0cf3652756f7cb07d957dfb00ee1e71d70ddddabd5a9e19546301136
-
Filesize
3.0MB
MD5c38d7a50f2ec7420ce214c14aa3085a9
SHA1f3aba002960a9151f8ffe352c12d1fa5d1d1fb2c
SHA2567052b709b8ac8580bdccfddbffc4c7ead1347ca3119036ad912e3b9dbb9e3b76
SHA5123cb84ec5ae8d82665c476e9a8353de3a72e9ed8a650be67b2bea4456de82bc18cf5f4f5c3db17da9ad0293854d7d7deb79bb25823f8d7c5fc1ef401b3665e5ec
-
Filesize
344B
MD523eaf1d778cc9a78f4fdd0dda0b6ffad
SHA1b481ccfadeac8f494f3a82035216ebccdb249164
SHA256643eae3e7a7f08df7ba6efc0b0b1d74602feb0aa65fc1ece36b19d367d35c0b3
SHA5120169524fa2a170be50684020dee9d872296a67a4f71756fb5a610783881e0e751e58fede7a911d0ef69943e0012f328e3d06621e01d8ef9ec98084587b914b48
-
Filesize
344B
MD51ed92560381bec36e3cf69a0d24118ae
SHA1a62c4742ca1212706f5d1baa159234027272242a
SHA25688106a41995a127df3752a6e17e05428a9d7e68200c8e91f305f1d6b8f0c2363
SHA512226e60e6d9728638d025bc9887d9c22ff9f18a147e688c920010e08e9484beaa514ef694c9929faacc6b71951362b303c81ee2b8dbb00e89fedf699c6d4ed0dd
-
Filesize
344B
MD5f9b1769b5e7fb9d8f46021b7a6061177
SHA12e4ab736bb699bb89afb735dbb57ba9036f38611
SHA256a69a67be0b5277e0d754917b4ce0f5e9e84b757b162da7d433ed789104ce4588
SHA5124b7b224afda662e1ac82a1e0de389115c1afe439484097c82e62b640cd7700a5aa20e8e2e10cefbe7cc76a48b588987d3c5c63d395100e012a06faf4431fd97f
-
Filesize
344B
MD56932bfe2f2a609bc9652cf37527dd7b7
SHA1713624daa581682920e18bdc28138dd93482b05a
SHA256c2c767f8fdc6c2c6925218f986b2958a8421aa791133eea039c54dc9464879ff
SHA512809755375b9fcf486db750c481f3664d6331382ee8c74d1c14fc096e0a7461e90d60b871b9bd466ab92b0a7c4a46d23000be12c40485c4dbbd7e89255552a18d
-
Filesize
344B
MD5690b85590436a41c42dc870aec2c3fc9
SHA1c86526a042475317a8c224a5eba0111196aaf41f
SHA2563c775934be89f7bfa7124ee5ac237a03e98bf2ccd262c9f3e30e0fcb8d9c8582
SHA512b50c34a2f210d14eadfe6d0776d0b5e05a0d4eb2cd7d065b21afe5344427f5cea3b0b950b71eb470943e0af5cae92aaae5581b3803aa878cacb009da9f1e146a
-
Filesize
344B
MD532f9bd479e99bd1a24e195888ea5b04a
SHA1cb2fa4c4f607846bdaf31ee9e2954c8083adeeff
SHA256c3fde2c0755eca4e885bc1ff0e03d1d3162e10c32ce42b12bea52ee9ce5e091c
SHA512cf511b5b1c46bd07abb37a90957e780fcb9112bd83cbb9984010f728c3d0579e65f5507596166e30e7a41b234ae7189f54fea6aaada6f7fa5b4ce2dbda7b3c19
-
Filesize
344B
MD57e16b11c85c478b0cbb6fb8ba6a3f39b
SHA1da997c5b3c517d454cce1528bb2512c16d9ecd47
SHA2561876b0b15f429fce1c15b92b9dd51e1964dc615a098428e5deb25cbe6e1a4a6a
SHA512da7875d74da130cf7b54b5779cd654c9c915a7131e0c81789e5d11e63d5fc697fb64e67b828f67e0de07fa15c52531bd4e651f4486a3e2e40ccd749d1602e945
-
Filesize
747B
MD597e06fa0d7f0d451a86be574b91884cd
SHA11e58e5264e206d95eea30c297252480dd114f961
SHA2560b8c7f112b268f653f4a23159388f51fba0861c473e8c62919ebb25a6f961fa9
SHA512ea5881ebafb76f331e7a9bcc5f17bc21d26043ff65e25686c77265a4bcaffdd4f66daab1638fa3d50ce7814eb468b15744bdaf04c457c4b5096425f42b5bca58
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
71KB
MD583142242e97b8953c386f988aa694e4a
SHA1833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10
-
Filesize
183KB
MD5109cab5505f5e065b63d01361467a83b
SHA14ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc
-
Filesize
523B
MD56c7270c4e624e72fdbc44f2a96ce6f6c
SHA1eb9e77a5298cc671651b69cace6d5c74577588c9
SHA256f365ee2020c712f6867b575e0d94dd5eac90f2223e397d1f7cef581e3e6fdd62
SHA51222b562d91d97bf21603f2d0ccd78cc8fceaaf3eecc5deee605c86d1a7c0486de4985a11deed609833c0fdf21a386ab6da5e69df5d0b4e367e9915a9759a54122
-
Filesize
236B
MD5feff2c0e9601ba976ef02bd520591cc0
SHA199a745ce621d87dc3b9255bd19cd05530040712d
SHA256597480d8a638ada35229ee42d885e65bedf4f16cbee9379845e114ec78725036
SHA5127d09ad0e973d778873947465b83ce996655c314e2d2bbaf050ab79fc0e3e5479e0f4f5d4ae4b72ec2f51bd8596531b0aec1112600b2f0d8826a949cf37613fb5
-
Filesize
7KB
MD5644c2efa65447a83c2b04306eb405bf0
SHA1013a75b82ca112e0b80251d810d0eb01bcc08c37
SHA256c50b33a926354bab6de1d3cba70f6c088e8e41771677d108abc5df58662f2b47
SHA51244f417e03a069200c64392446d8f24e98019cb21e0c3bb0e36510237c8f8a63d3a80c7b3d99f5145cc23436418079e66a023bd7436d2e595568a37c88168aed1
-
Filesize
3.0MB
MD5663b205f58dd1b963e8ce3332643fda7
SHA1a53dfd08f2fa4722ff9f0b36b8bafa63d605985c
SHA256b036596b8e7f6acb1532ca7c38d198ac840ae9351f3a8d106c21d844e27792e3
SHA5124a911b78a8dd0b56fad984e5ee3c2ddc690f6015341f8a966b8fbaea8fb59742327154aa65ee76188da8ddd7e08f44441f590cd4d99ef63e3683335124b5495e
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
9.9MB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
3.1MB
-
Filesize
344KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
112KB
-
Filesize
32KB
-
Filesize
9.9MB
-
Filesize
3.1MB