68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe
Size

1.2MB
MD5

d05d34ccdcbb336c20de7f7f6f0b0962
SHA1

1cdc26cdce3415af40f8f18814e7e2184c458ea6
SHA256

68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5
SHA512

23f4b3ae69fd54ae7a0dfec2b6b94247ba67febb65e8ebd8190931776b8f762ede26cc20d2ac45d1a3e7cdd262f2e64668abcd6ca1766df4f604f51f7a593525
SSDEEP

24576:vlAzF5dI2vYKWb6Dsq3P3K4XY0esxUAUbwvaoslG45wyvCj8z7mwj:voep0hUbSklG45lvMcj

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 7 IoCs

pid	Process
1708	svchcst.exe
816	svchcst.exe
1664	svchcst.exe
1104	svchcst.exe
4152	svchcst.exe
444	svchcst.exe
3012	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe
3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe
3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe
3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe
3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe
3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe
3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe
3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe
3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe
3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe
3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe
3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe
3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe
3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe
3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe
816	svchcst.exe
816	svchcst.exe
1104	svchcst.exe
1708	svchcst.exe
1104	svchcst.exe
1708	svchcst.exe
3012	svchcst.exe
444	svchcst.exe
444	svchcst.exe
4152	svchcst.exe
4152	svchcst.exe
3012	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 4988	3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe	89
PID 3532 wrote to memory of 4988	3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe	89
PID 3532 wrote to memory of 4988	3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe	89
PID 3532 wrote to memory of 4048	3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe	91
PID 3532 wrote to memory of 4048	3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe	91
PID 3532 wrote to memory of 4048	3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe	91
PID 3532 wrote to memory of 2524	3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe	93
PID 3532 wrote to memory of 2524	3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe	93
PID 3532 wrote to memory of 2524	3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe	93
PID 3532 wrote to memory of 2904	3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe	88
PID 3532 wrote to memory of 2904	3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe	88
PID 3532 wrote to memory of 2904	3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe	88
PID 3532 wrote to memory of 4912	3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe	90
PID 3532 wrote to memory of 4912	3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe	90
PID 3532 wrote to memory of 4912	3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe	90
PID 3532 wrote to memory of 1760	3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe	92
PID 3532 wrote to memory of 1760	3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe	92
PID 3532 wrote to memory of 1760	3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe	92
PID 3532 wrote to memory of 3528	3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe	94
PID 3532 wrote to memory of 3528	3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe	94
PID 3532 wrote to memory of 3528	3532	68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe	94
PID 1760 wrote to memory of 1708	1760	WScript.exe	96
PID 1760 wrote to memory of 1708	1760	WScript.exe	96
PID 1760 wrote to memory of 1708	1760	WScript.exe	96
PID 4048 wrote to memory of 816	4048	WScript.exe	97
PID 4048 wrote to memory of 816	4048	WScript.exe	97
PID 4048 wrote to memory of 816	4048	WScript.exe	97
PID 4988 wrote to memory of 1664	4988	WScript.exe	102
PID 4988 wrote to memory of 1664	4988	WScript.exe	102
PID 4988 wrote to memory of 1664	4988	WScript.exe	102
PID 3528 wrote to memory of 1104	3528	WScript.exe	101
PID 3528 wrote to memory of 1104	3528	WScript.exe	101
PID 3528 wrote to memory of 1104	3528	WScript.exe	101
PID 2524 wrote to memory of 4152	2524	WScript.exe	100
PID 2524 wrote to memory of 4152	2524	WScript.exe	100
PID 2524 wrote to memory of 4152	2524	WScript.exe	100
PID 4912 wrote to memory of 444	4912	WScript.exe	98
PID 4912 wrote to memory of 444	4912	WScript.exe	98
PID 4912 wrote to memory of 444	4912	WScript.exe	98
PID 2904 wrote to memory of 3012	2904	WScript.exe	99
PID 2904 wrote to memory of 3012	2904	WScript.exe	99
PID 2904 wrote to memory of 3012	2904	WScript.exe	99

C:\Users\Admin\AppData\Local\Temp\68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe
"C:\Users\Admin\AppData\Local\Temp\68ab3df89e2029da1a17349cf70b4c7e6df80656eb0505a4bf03709b0a9b39f5.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3012
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1664
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:444
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:816
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1708
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4152
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
e63a81850e6571634a3315ffa663b492

SHA1
2cbdeb53fd73d212567de943af90e46b14da6bb2

SHA256
256213656a680c542c902086c031604e21e2f329aa4cbf95bc8946b8915f0935

SHA512
a3636f9f0e36d696999d653deb99ea660b2485bf3fd645775468e85efc1468d56f793cc598657bb5106621fd8a1e0f670409d57f2d95661c5d89538c73fdd10a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
e63a81850e6571634a3315ffa663b492

SHA1
2cbdeb53fd73d212567de943af90e46b14da6bb2

SHA256
256213656a680c542c902086c031604e21e2f329aa4cbf95bc8946b8915f0935

SHA512
a3636f9f0e36d696999d653deb99ea660b2485bf3fd645775468e85efc1468d56f793cc598657bb5106621fd8a1e0f670409d57f2d95661c5d89538c73fdd10a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
e571c48548692888389f57ec7a911d11

SHA1
33e9b52c27cbaab8aa4be4c59edeef934aa8fe67

SHA256
a01abd8b32edee2f01a3b15d3acebc6ca24110fa28397b84bb5952b4720cad49

SHA512
d53ceeb58f002af56f8072a130ed42c6666cb163ab423ce743f8088ecb0d964b11bdad5f047b76138fa2547f6297f61324bc89a701f0bdeb2f3743ff900a1420

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
e571c48548692888389f57ec7a911d11

SHA1
33e9b52c27cbaab8aa4be4c59edeef934aa8fe67

SHA256
a01abd8b32edee2f01a3b15d3acebc6ca24110fa28397b84bb5952b4720cad49

SHA512
d53ceeb58f002af56f8072a130ed42c6666cb163ab423ce743f8088ecb0d964b11bdad5f047b76138fa2547f6297f61324bc89a701f0bdeb2f3743ff900a1420

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
e571c48548692888389f57ec7a911d11

SHA1
33e9b52c27cbaab8aa4be4c59edeef934aa8fe67

SHA256
a01abd8b32edee2f01a3b15d3acebc6ca24110fa28397b84bb5952b4720cad49

SHA512
d53ceeb58f002af56f8072a130ed42c6666cb163ab423ce743f8088ecb0d964b11bdad5f047b76138fa2547f6297f61324bc89a701f0bdeb2f3743ff900a1420

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
e571c48548692888389f57ec7a911d11

SHA1
33e9b52c27cbaab8aa4be4c59edeef934aa8fe67

SHA256
a01abd8b32edee2f01a3b15d3acebc6ca24110fa28397b84bb5952b4720cad49

SHA512
d53ceeb58f002af56f8072a130ed42c6666cb163ab423ce743f8088ecb0d964b11bdad5f047b76138fa2547f6297f61324bc89a701f0bdeb2f3743ff900a1420

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
e571c48548692888389f57ec7a911d11

SHA1
33e9b52c27cbaab8aa4be4c59edeef934aa8fe67

SHA256
a01abd8b32edee2f01a3b15d3acebc6ca24110fa28397b84bb5952b4720cad49

SHA512
d53ceeb58f002af56f8072a130ed42c6666cb163ab423ce743f8088ecb0d964b11bdad5f047b76138fa2547f6297f61324bc89a701f0bdeb2f3743ff900a1420

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
e571c48548692888389f57ec7a911d11

SHA1
33e9b52c27cbaab8aa4be4c59edeef934aa8fe67

SHA256
a01abd8b32edee2f01a3b15d3acebc6ca24110fa28397b84bb5952b4720cad49

SHA512
d53ceeb58f002af56f8072a130ed42c6666cb163ab423ce743f8088ecb0d964b11bdad5f047b76138fa2547f6297f61324bc89a701f0bdeb2f3743ff900a1420

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
e571c48548692888389f57ec7a911d11

SHA1
33e9b52c27cbaab8aa4be4c59edeef934aa8fe67

SHA256
a01abd8b32edee2f01a3b15d3acebc6ca24110fa28397b84bb5952b4720cad49

SHA512
d53ceeb58f002af56f8072a130ed42c6666cb163ab423ce743f8088ecb0d964b11bdad5f047b76138fa2547f6297f61324bc89a701f0bdeb2f3743ff900a1420

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
e571c48548692888389f57ec7a911d11

SHA1
33e9b52c27cbaab8aa4be4c59edeef934aa8fe67

SHA256
a01abd8b32edee2f01a3b15d3acebc6ca24110fa28397b84bb5952b4720cad49

SHA512
d53ceeb58f002af56f8072a130ed42c6666cb163ab423ce743f8088ecb0d964b11bdad5f047b76138fa2547f6297f61324bc89a701f0bdeb2f3743ff900a1420

Download Submit