37b74647f6268f2ac1c8fdf729da27871af55d0fac0874e3568f75a8d44e35bb

Analysis

max time kernel
151s
max time network
128s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
22/10/2023, 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.b63ceee432db98368c63d184cc5b43e0.exe
Size

436KB
MD5

b63ceee432db98368c63d184cc5b43e0
SHA1

d65f91820b8a1bcb184f74bd29b1064318bd1df5
SHA256

37b74647f6268f2ac1c8fdf729da27871af55d0fac0874e3568f75a8d44e35bb
SHA512

c534dcd220f67078c34c6ca0391c34d357669dfaa05578e26b4663edc97d9bab93125f3f2ed460cfe76c4be1eeea8faf3280b44d8e7d646e70f31b4232a8cbaf
SSDEEP

6144:8vEN2U+T6i5LirrllHy4HUcMQY6Pj5q8deoJVP6Y0YB3YFy:OENN+T5xYrllrU7QY6U8zVP6Y53B

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2728	explorer.exe
2780	spoolsv.exe
2096	svchost.exe
2788	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
1396	NEAS.b63ceee432db98368c63d184cc5b43e0.exe
1396	NEAS.b63ceee432db98368c63d184cc5b43e0.exe
2728	explorer.exe
2728	explorer.exe
2780	spoolsv.exe
2780	spoolsv.exe
2096	svchost.exe
2096	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	NEAS.b63ceee432db98368c63d184cc5b43e0.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1396	NEAS.b63ceee432db98368c63d184cc5b43e0.exe
2728	explorer.exe
2728	explorer.exe
2728	explorer.exe
2728	explorer.exe
2096	svchost.exe
2728	explorer.exe
2096	svchost.exe
2096	svchost.exe
2728	explorer.exe
2096	svchost.exe
2728	explorer.exe
2096	svchost.exe
2728	explorer.exe
2728	explorer.exe
2096	svchost.exe
2096	svchost.exe
2728	explorer.exe
2728	explorer.exe
2096	svchost.exe
2096	svchost.exe
2728	explorer.exe
2096	svchost.exe
2728	explorer.exe
2728	explorer.exe
2096	svchost.exe
2728	explorer.exe
2096	svchost.exe
2728	explorer.exe
2096	svchost.exe
2728	explorer.exe
2096	svchost.exe
2096	svchost.exe
2728	explorer.exe
2096	svchost.exe
2728	explorer.exe
2096	svchost.exe
2728	explorer.exe
2096	svchost.exe
2728	explorer.exe
2096	svchost.exe
2728	explorer.exe
2096	svchost.exe
2728	explorer.exe
2728	explorer.exe
2096	svchost.exe
2096	svchost.exe
2728	explorer.exe
2096	svchost.exe
2728	explorer.exe
2096	svchost.exe
2728	explorer.exe
2728	explorer.exe
2096	svchost.exe
2096	svchost.exe
2728	explorer.exe
2728	explorer.exe
2096	svchost.exe
2728	explorer.exe
2096	svchost.exe
2728	explorer.exe
2096	svchost.exe
2728	explorer.exe
2096	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2728	explorer.exe
2096	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1396	NEAS.b63ceee432db98368c63d184cc5b43e0.exe
1396	NEAS.b63ceee432db98368c63d184cc5b43e0.exe
2728	explorer.exe
2728	explorer.exe
2780	spoolsv.exe
2780	spoolsv.exe
2096	svchost.exe
2096	svchost.exe
2788	spoolsv.exe
2788	spoolsv.exe
2728	explorer.exe
2728	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 2728	1396	NEAS.b63ceee432db98368c63d184cc5b43e0.exe	28
PID 1396 wrote to memory of 2728	1396	NEAS.b63ceee432db98368c63d184cc5b43e0.exe	28
PID 1396 wrote to memory of 2728	1396	NEAS.b63ceee432db98368c63d184cc5b43e0.exe	28
PID 1396 wrote to memory of 2728	1396	NEAS.b63ceee432db98368c63d184cc5b43e0.exe	28
PID 2728 wrote to memory of 2780	2728	explorer.exe	29
PID 2728 wrote to memory of 2780	2728	explorer.exe	29
PID 2728 wrote to memory of 2780	2728	explorer.exe	29
PID 2728 wrote to memory of 2780	2728	explorer.exe	29
PID 2780 wrote to memory of 2096	2780	spoolsv.exe	30
PID 2780 wrote to memory of 2096	2780	spoolsv.exe	30
PID 2780 wrote to memory of 2096	2780	spoolsv.exe	30
PID 2780 wrote to memory of 2096	2780	spoolsv.exe	30
PID 2096 wrote to memory of 2788	2096	svchost.exe	31
PID 2096 wrote to memory of 2788	2096	svchost.exe	31
PID 2096 wrote to memory of 2788	2096	svchost.exe	31
PID 2096 wrote to memory of 2788	2096	svchost.exe	31
PID 2096 wrote to memory of 2552	2096	svchost.exe	32
PID 2096 wrote to memory of 2552	2096	svchost.exe	32
PID 2096 wrote to memory of 2552	2096	svchost.exe	32
PID 2096 wrote to memory of 2552	2096	svchost.exe	32
PID 2096 wrote to memory of 2896	2096	svchost.exe	36
PID 2096 wrote to memory of 2896	2096	svchost.exe	36
PID 2096 wrote to memory of 2896	2096	svchost.exe	36
PID 2096 wrote to memory of 2896	2096	svchost.exe	36
PID 2096 wrote to memory of 2024	2096	svchost.exe	39
PID 2096 wrote to memory of 2024	2096	svchost.exe	39
PID 2096 wrote to memory of 2024	2096	svchost.exe	39
PID 2096 wrote to memory of 2024	2096	svchost.exe	39

C:\Users\Admin\AppData\Local\Temp\NEAS.b63ceee432db98368c63d184cc5b43e0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.b63ceee432db98368c63d184cc5b43e0.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1396
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2728
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2096
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2788
    - - C:\Windows\SysWOW64\at.exe
        
        at 22:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2552
    - - C:\Windows\SysWOW64\at.exe
        
        at 22:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2896
    - - C:\Windows\SysWOW64\at.exe
        
        at 22:46 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2024

C:\Windows\system32\taskeng.exe
taskeng.exe {E202FC12-D8DF-4A6D-A44F-675AF2BAA5A5} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
436KB

MD5
72bf1dc947e78ce78833e32c625819c7

SHA1
81e9b16abd00fda866eb753206562a935c98befa

SHA256
23cf8279331a71f6986d6d9bb64c0e491ca4cb0e7db6980b2ecabd05cad1dcb6

SHA512
e734bb883658cdb722eea0b15abe1ab07031979988402b691d3ace48d582856db1d914192df846bde857f996b4a3ea8ed56c8cc68843e64dcea524855d0c54d9

Download Submit
C:\Windows\system\explorer.exe

Filesize
436KB

MD5
16618dbfde03f16835752217c224c539

SHA1
ade73cbc510ca1a3af1fd4c8f691da258e7b2a35

SHA256
05bf15be0803913760c658f6b716ae9e0cc543cd604e2e1f2b9c0477424c8197

SHA512
d03c73a1a4d90d8ed0c9f3b76a3d2b9b7d9b16982b048c830926fee362d00ea3dc2a7771f0b817f8bfc82d98965f05d4864d265fb41aaf4aa94211141c131244

Download Submit
C:\Windows\system\explorer.exe

Filesize
436KB

MD5
16618dbfde03f16835752217c224c539

SHA1
ade73cbc510ca1a3af1fd4c8f691da258e7b2a35

SHA256
05bf15be0803913760c658f6b716ae9e0cc543cd604e2e1f2b9c0477424c8197

SHA512
d03c73a1a4d90d8ed0c9f3b76a3d2b9b7d9b16982b048c830926fee362d00ea3dc2a7771f0b817f8bfc82d98965f05d4864d265fb41aaf4aa94211141c131244

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
436KB

MD5
cad4e6992bc0006cecaa0d44ecbb0012

SHA1
9954e4e2de5d081d24b940cc53ac3aa7b96854fb

SHA256
5444175a1c9dc5d622e57fddc182ff28bf28b743045316f252c9d0480b953b79

SHA512
014905882f1256ff53da5285474e37e5a0d39c612cfc237c91d8c9a88f78a1880fb92b079a4f03a139ae03f0ac85ea162b0f72bda54215add17095a5c96e04aa

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
436KB

MD5
cad4e6992bc0006cecaa0d44ecbb0012

SHA1
9954e4e2de5d081d24b940cc53ac3aa7b96854fb

SHA256
5444175a1c9dc5d622e57fddc182ff28bf28b743045316f252c9d0480b953b79

SHA512
014905882f1256ff53da5285474e37e5a0d39c612cfc237c91d8c9a88f78a1880fb92b079a4f03a139ae03f0ac85ea162b0f72bda54215add17095a5c96e04aa

Download Submit
C:\Windows\system\svchost.exe

Filesize
436KB

MD5
fd2fc113e7f23484052c796f4cab0f32

SHA1
0b94d96179c081b65eb72d5231e9b176d4649b76

SHA256
d69da19dceb67c03c0c76847f133cceb23fa9c7ee2444bf42762dd2fc3b5d035

SHA512
7585e2609c54925653c0deb3959bf49723baaac3ab2e50fe9fc8abb4fde3d03679fe18ddb11a12352b08ecff05e9d921626f9ae13ed3562a7185c494f5653f33

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
436KB

MD5
16618dbfde03f16835752217c224c539

SHA1
ade73cbc510ca1a3af1fd4c8f691da258e7b2a35

SHA256
05bf15be0803913760c658f6b716ae9e0cc543cd604e2e1f2b9c0477424c8197

SHA512
d03c73a1a4d90d8ed0c9f3b76a3d2b9b7d9b16982b048c830926fee362d00ea3dc2a7771f0b817f8bfc82d98965f05d4864d265fb41aaf4aa94211141c131244

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
436KB

MD5
cad4e6992bc0006cecaa0d44ecbb0012

SHA1
9954e4e2de5d081d24b940cc53ac3aa7b96854fb

SHA256
5444175a1c9dc5d622e57fddc182ff28bf28b743045316f252c9d0480b953b79

SHA512
014905882f1256ff53da5285474e37e5a0d39c612cfc237c91d8c9a88f78a1880fb92b079a4f03a139ae03f0ac85ea162b0f72bda54215add17095a5c96e04aa

Download Submit
\??\c:\windows\system\svchost.exe

Filesize
436KB

MD5
fd2fc113e7f23484052c796f4cab0f32

SHA1
0b94d96179c081b65eb72d5231e9b176d4649b76

SHA256
d69da19dceb67c03c0c76847f133cceb23fa9c7ee2444bf42762dd2fc3b5d035

SHA512
7585e2609c54925653c0deb3959bf49723baaac3ab2e50fe9fc8abb4fde3d03679fe18ddb11a12352b08ecff05e9d921626f9ae13ed3562a7185c494f5653f33

Download Submit
\Windows\system\explorer.exe

Filesize
436KB

MD5
16618dbfde03f16835752217c224c539

SHA1
ade73cbc510ca1a3af1fd4c8f691da258e7b2a35

SHA256
05bf15be0803913760c658f6b716ae9e0cc543cd604e2e1f2b9c0477424c8197

SHA512
d03c73a1a4d90d8ed0c9f3b76a3d2b9b7d9b16982b048c830926fee362d00ea3dc2a7771f0b817f8bfc82d98965f05d4864d265fb41aaf4aa94211141c131244

Download Submit
\Windows\system\explorer.exe

Filesize
436KB

MD5
16618dbfde03f16835752217c224c539

SHA1
ade73cbc510ca1a3af1fd4c8f691da258e7b2a35

SHA256
05bf15be0803913760c658f6b716ae9e0cc543cd604e2e1f2b9c0477424c8197

SHA512
d03c73a1a4d90d8ed0c9f3b76a3d2b9b7d9b16982b048c830926fee362d00ea3dc2a7771f0b817f8bfc82d98965f05d4864d265fb41aaf4aa94211141c131244

Download Submit
\Windows\system\spoolsv.exe

Filesize
436KB

MD5
cad4e6992bc0006cecaa0d44ecbb0012

SHA1
9954e4e2de5d081d24b940cc53ac3aa7b96854fb

SHA256
5444175a1c9dc5d622e57fddc182ff28bf28b743045316f252c9d0480b953b79

SHA512
014905882f1256ff53da5285474e37e5a0d39c612cfc237c91d8c9a88f78a1880fb92b079a4f03a139ae03f0ac85ea162b0f72bda54215add17095a5c96e04aa

Download Submit
\Windows\system\spoolsv.exe

Filesize
436KB

MD5
cad4e6992bc0006cecaa0d44ecbb0012

SHA1
9954e4e2de5d081d24b940cc53ac3aa7b96854fb

SHA256
5444175a1c9dc5d622e57fddc182ff28bf28b743045316f252c9d0480b953b79

SHA512
014905882f1256ff53da5285474e37e5a0d39c612cfc237c91d8c9a88f78a1880fb92b079a4f03a139ae03f0ac85ea162b0f72bda54215add17095a5c96e04aa

Download Submit
\Windows\system\spoolsv.exe

Filesize
436KB

MD5
cad4e6992bc0006cecaa0d44ecbb0012

SHA1
9954e4e2de5d081d24b940cc53ac3aa7b96854fb

SHA256
5444175a1c9dc5d622e57fddc182ff28bf28b743045316f252c9d0480b953b79

SHA512
014905882f1256ff53da5285474e37e5a0d39c612cfc237c91d8c9a88f78a1880fb92b079a4f03a139ae03f0ac85ea162b0f72bda54215add17095a5c96e04aa

Download Submit
\Windows\system\spoolsv.exe

Filesize
436KB

MD5
cad4e6992bc0006cecaa0d44ecbb0012

SHA1
9954e4e2de5d081d24b940cc53ac3aa7b96854fb

SHA256
5444175a1c9dc5d622e57fddc182ff28bf28b743045316f252c9d0480b953b79

SHA512
014905882f1256ff53da5285474e37e5a0d39c612cfc237c91d8c9a88f78a1880fb92b079a4f03a139ae03f0ac85ea162b0f72bda54215add17095a5c96e04aa

Download Submit
\Windows\system\svchost.exe

Filesize
436KB

MD5
fd2fc113e7f23484052c796f4cab0f32

SHA1
0b94d96179c081b65eb72d5231e9b176d4649b76

SHA256
d69da19dceb67c03c0c76847f133cceb23fa9c7ee2444bf42762dd2fc3b5d035

SHA512
7585e2609c54925653c0deb3959bf49723baaac3ab2e50fe9fc8abb4fde3d03679fe18ddb11a12352b08ecff05e9d921626f9ae13ed3562a7185c494f5653f33

Download Submit
\Windows\system\svchost.exe

Filesize
436KB

MD5
fd2fc113e7f23484052c796f4cab0f32

SHA1
0b94d96179c081b65eb72d5231e9b176d4649b76

SHA256
d69da19dceb67c03c0c76847f133cceb23fa9c7ee2444bf42762dd2fc3b5d035

SHA512
7585e2609c54925653c0deb3959bf49723baaac3ab2e50fe9fc8abb4fde3d03679fe18ddb11a12352b08ecff05e9d921626f9ae13ed3562a7185c494f5653f33

Download Submit