787d6b2a2247123768f676429c061b31c09f342f324f142d6e4b7c2c908e396d

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 17:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

run.vbs
Size

1KB
MD5

4a12877f6d34551fd60bcf7069182ddd
SHA1

346940791f044fcbc86d232b59a9f186690e343d
SHA256

787d6b2a2247123768f676429c061b31c09f342f324f142d6e4b7c2c908e396d
SHA512

f563bfb06bbed046cc7b996b27893ccd68b98db770046bc50b8630f71074c319da8416643351048c6c3d926375634ccdabb62ce1dacbe9f9b26f39a31d06a8b1

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 6 IoCs

exploit

pid	Process
852	icacls.exe
2240	takeown.exe
2184	icacls.exe
2408	takeown.exe
1688	icacls.exe
2288	takeown.exe

Modifies file permissions 1 TTPs 6 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2184	icacls.exe
2408	takeown.exe
1688	icacls.exe
2288	takeown.exe
852	icacls.exe
2240	takeown.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\hal.dll	WScript.exe
File opened for modification	C:\Windows\System32\taskmgr.exe	WScript.exe
File opened for modification	\??\c:\windows\system32\notepad.exe	rundll32.exe
File opened for modification	C:\Windows\System32\notepad.exe	firefox.exe
File opened for modification	\??\c:\windows\system32\notepad.exe	rundll32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\notepad.exe	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2440	rundll32.exe
2732	rundll32.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2288	takeown.exe
Token: SeTakeOwnershipPrivilege	2240	takeown.exe
Token: SeTakeOwnershipPrivilege	2408	takeown.exe
Token: SeDebugPrivilege	1616	firefox.exe
Token: SeDebugPrivilege	1616	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1616	firefox.exe
1616	firefox.exe
1616	firefox.exe
1616	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1616	firefox.exe
1616	firefox.exe
1616	firefox.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1616	firefox.exe
1616	firefox.exe
1616	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2984	2368	WScript.exe	30
PID 2368 wrote to memory of 2984	2368	WScript.exe	30
PID 2368 wrote to memory of 2984	2368	WScript.exe	30
PID 2368 wrote to memory of 2940	2368	WScript.exe	32
PID 2368 wrote to memory of 2940	2368	WScript.exe	32
PID 2368 wrote to memory of 2940	2368	WScript.exe	32
PID 2940 wrote to memory of 2288	2940	cmd.exe	34
PID 2940 wrote to memory of 2288	2940	cmd.exe	34
PID 2940 wrote to memory of 2288	2940	cmd.exe	34
PID 2940 wrote to memory of 852	2940	cmd.exe	35
PID 2940 wrote to memory of 852	2940	cmd.exe	35
PID 2940 wrote to memory of 852	2940	cmd.exe	35
PID 2368 wrote to memory of 820	2368	WScript.exe	36
PID 2368 wrote to memory of 820	2368	WScript.exe	36
PID 2368 wrote to memory of 820	2368	WScript.exe	36
PID 820 wrote to memory of 2240	820	cmd.exe	38
PID 820 wrote to memory of 2240	820	cmd.exe	38
PID 820 wrote to memory of 2240	820	cmd.exe	38
PID 820 wrote to memory of 2184	820	cmd.exe	39
PID 820 wrote to memory of 2184	820	cmd.exe	39
PID 820 wrote to memory of 2184	820	cmd.exe	39
PID 2368 wrote to memory of 1888	2368	WScript.exe	40
PID 2368 wrote to memory of 1888	2368	WScript.exe	40
PID 2368 wrote to memory of 1888	2368	WScript.exe	40
PID 1888 wrote to memory of 2408	1888	cmd.exe	42
PID 1888 wrote to memory of 2408	1888	cmd.exe	42
PID 1888 wrote to memory of 2408	1888	cmd.exe	42
PID 1888 wrote to memory of 1688	1888	cmd.exe	43
PID 1888 wrote to memory of 1688	1888	cmd.exe	43
PID 1888 wrote to memory of 1688	1888	cmd.exe	43
PID 2440 wrote to memory of 1656	2440	rundll32.exe	49
PID 2440 wrote to memory of 1656	2440	rundll32.exe	49
PID 2440 wrote to memory of 1656	2440	rundll32.exe	49
PID 1656 wrote to memory of 1616	1656	firefox.exe	50
PID 1656 wrote to memory of 1616	1656	firefox.exe	50
PID 1656 wrote to memory of 1616	1656	firefox.exe	50
PID 1656 wrote to memory of 1616	1656	firefox.exe	50
PID 1656 wrote to memory of 1616	1656	firefox.exe	50
PID 1656 wrote to memory of 1616	1656	firefox.exe	50
PID 1656 wrote to memory of 1616	1656	firefox.exe	50
PID 1656 wrote to memory of 1616	1656	firefox.exe	50
PID 1656 wrote to memory of 1616	1656	firefox.exe	50
PID 1656 wrote to memory of 1616	1656	firefox.exe	50
PID 1656 wrote to memory of 1616	1656	firefox.exe	50
PID 1656 wrote to memory of 1616	1656	firefox.exe	50
PID 1616 wrote to memory of 2112	1616	firefox.exe	51
PID 1616 wrote to memory of 2112	1616	firefox.exe	51
PID 1616 wrote to memory of 2112	1616	firefox.exe	51
PID 1616 wrote to memory of 2816	1616	firefox.exe	52
PID 1616 wrote to memory of 2816	1616	firefox.exe	52
PID 1616 wrote to memory of 2816	1616	firefox.exe	52
PID 1616 wrote to memory of 2816	1616	firefox.exe	52
PID 1616 wrote to memory of 2816	1616	firefox.exe	52
PID 1616 wrote to memory of 2816	1616	firefox.exe	52
PID 1616 wrote to memory of 2816	1616	firefox.exe	52
PID 1616 wrote to memory of 2816	1616	firefox.exe	52
PID 1616 wrote to memory of 2816	1616	firefox.exe	52
PID 1616 wrote to memory of 2816	1616	firefox.exe	52
PID 1616 wrote to memory of 2816	1616	firefox.exe	52
PID 1616 wrote to memory of 2816	1616	firefox.exe	52
PID 1616 wrote to memory of 2816	1616	firefox.exe	52
PID 1616 wrote to memory of 2816	1616	firefox.exe	52
PID 1616 wrote to memory of 2816	1616	firefox.exe	52
PID 1616 wrote to memory of 2816	1616	firefox.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2984	attrib.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\run.vbs"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +h +s C:\Users\Admin\Desktop\hidden
  2⤵
  - Views/modifies file attributes
  PID:2984
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "takeown /f C:\Windows\notepad.exe >nul && icacls C:\Windows\notepad.exe /grant everyone:(f) >nul"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\notepad.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2288
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\notepad.exe /grant everyone:(f)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:852
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "takeown /f C:\Windows\System32\hal.dll >nul && icacls C:\Windows\System32\hal.dll /grant everyone:(f) >nul"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\hal.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2240
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\hal.dll /grant everyone:(f)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2184
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "takeown /f C:\Windows\System32\taskmgr.exe >nul && icacls C:\Windows\System32\taskmgr.exe /grant everyone:(f) >nul"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\taskmgr.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2408
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\taskmgr.exe /grant everyone:(f)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1688

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:688

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\System32\hal.dll
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Windows\System32\hal.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Windows\System32\hal.dll
    3⤵
    - Drops file in System32 directory
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1616.0.656374580\2006688567" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1208 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {edb2c812-6975-4499-9419-d3a270e64ca8} 1616 "\\.\pipe\gecko-crash-server-pipe.1616" 1280 119cdc58 gpu
      4⤵
      PID:2112
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1616.1.1750358990\127089309" -parentBuildID 20221007134813 -prefsHandle 1468 -prefMapHandle 1464 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {10709ddd-e549-442e-8697-0ebdada1d19a} 1616 "\\.\pipe\gecko-crash-server-pipe.1616" 1496 e72258 socket
      4⤵
      Checks processor information in registry
      PID:2816
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1616.2.1648460901\1005394677" -childID 1 -isForBrowser -prefsHandle 2380 -prefMapHandle 2376 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {95d22bd0-2255-462d-bdf7-e727616db6b5} 1616 "\\.\pipe\gecko-crash-server-pipe.1616" 2392 1a014d58 tab
      4⤵
      PID:2088
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1616.3.810764063\1467449597" -childID 2 -isForBrowser -prefsHandle 2824 -prefMapHandle 2820 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0139c80f-049f-40dc-a379-70b94a8d6f30} 1616 "\\.\pipe\gecko-crash-server-pipe.1616" 2836 e62858 tab
      4⤵
      PID:2272
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1616.4.1084919969\1979780547" -childID 3 -isForBrowser -prefsHandle 3680 -prefMapHandle 2852 -prefsLen 26450 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f70fec9e-7987-4d3c-873d-815efd921d32} 1616 "\\.\pipe\gecko-crash-server-pipe.1616" 3676 e68d58 tab
      4⤵
      PID:2648
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1616.5.93157345\1360036288" -childID 4 -isForBrowser -prefsHandle 3800 -prefMapHandle 3804 -prefsLen 26450 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3abb2cba-f6df-4d07-aa73-abce6607763a} 1616 "\\.\pipe\gecko-crash-server-pipe.1616" 3780 1a0f6558 tab
      4⤵
      PID:2660
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1616.6.1026931705\1595915337" -childID 5 -isForBrowser -prefsHandle 3984 -prefMapHandle 3988 -prefsLen 26450 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff326511-e45a-445b-8d34-cfe256c96be6} 1616 "\\.\pipe\gecko-crash-server-pipe.1616" 3972 1f760858 tab
      4⤵
      PID:1104

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\System32\hal.dll
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\activity-stream.discovery_stream.json.tmp

Filesize
28KB

MD5
eecf700c099af2ed3c8da0c82b732998

SHA1
77f729f47e709ce7c5cd9ad24827fed72a0369b5

SHA256
79fc4cd8b2e6b110f13d4432bbdfca6ff4195d1176af4607ae7c7757a0f1c5ee

SHA512
4ae083ce4bb53ba9cf5592faaf1d1a92ce834e841d5a4d1859b9302871a348306c7cf6c925dd30eb0a504cc0415db7acf4c608d3de9078794eb480648e5986dc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\activity-stream.discovery_stream.json.tmp

Filesize
28KB

MD5
8c13242def5b543361b862efb3e9cc1d

SHA1
bf49af8e26a1a12019af9f78e4af93e2a29d9831

SHA256
d907232ecc175577ed3242247f1a54ec029fca5609d268c838f2d34d6fb7c1ec

SHA512
b5130cbd99635d529fcaf8ae0b4d9e1eff5436768a016abe564083ecdb6007a122450a6a5dac0dbdfbd03d91b323b0f2db1daf5ded7147582c29cb7860552dc2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\db\data.safe.bin

Filesize
9KB

MD5
ade84a2d3b54706be9d893cc566f06ca

SHA1
a4d968f06e6a6ccb00087d7353a41fe89437a872

SHA256
4a6f39bfd271bae7ec552e006b37a1e036d33be0d7bb188ad9cbcb55dff607ec

SHA512
a6b4fb97d0f11cd267ce4cf6d9bcc7ebbc6462e74eb1ed32027751199c3cfa2be2b731bf85d353007b02a1095309c3e223dac0671190c6c4408f208a31019591

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\pending_pings\4fbd3988-73ab-432c-be65-7d80356ec456

Filesize
733B

MD5
4f8d7873ad142a9825daf3b220c67132

SHA1
6892109c7cb3b8fe19796662f2f920e9b039bc11

SHA256
9272f4b5e03038abdc9df11cab1d8c60e06d005beca5c80de2ce08fe69c27183

SHA512
b877e5a9c8c1fa3a3f188cc4c8e73c908c67c758aae8b9cd058939f7784d444ac3f4ce4b6e8dcf4dfe102e78683e7c1a0755d0397b0baf9887a8c489f5165582

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs-1.js

Filesize
6KB

MD5
bb4d375910c382a62a131b9dd4abede9

SHA1
fdd1cc55054d9214cfe1d7e42b28b43521d80ce3

SHA256
d471c64594aa24d9c3fb5b52a5b5ee18271f0a4a25b9d2326c850aa1590e096e

SHA512
587ded6cad74fea8b0f35a9c51cd400343754ffc6438736c726f70316715027db7ff773fda55750d3f7c87de63ae9feec817aaec388a1e4fec90c19ffa2aa6a4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs.js

Filesize
6KB

MD5
8d9342354e8b5ead8d4053e5431d0257

SHA1
dac342bd2c7f172a177390b466621efa56fd5e1d

SHA256
db00aa5bdee566015495746e47bc8d160fc32cc22530ac5859cdb61274dc42b0

SHA512
372c9a971136b35faf1241dd67b24c234686f25c3628d7b66f11ab36a44e08b54e1022418dbb0e883d8d01cf9c1c068cf1ca0b8d44ce63500b0e48fa781ad7a4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\sessionstore.jsonlz4

Filesize
576B

MD5
2e12db75aae3f30eb66c3dcb0c9febb4

SHA1
3f10677aabac90b1bd13d717c008380b559892fe

SHA256
be1a096940e006a4be7e567f0ccfe1e0b4c1807f447b92f36080f1550495889e

SHA512
d3ad34d6cd0686ff548d346f97d0e1bfa989aff14bb780944a14a5e381063670597befba05c73e811513bdfabc6d6484046cd76f413f05150e3bc07a93b293a0

Download Submit
C:\Users\Admin\Desktop\12609046697617.txt

Filesize
88B

MD5
7aef68e2af6f0920e4cb77bae346e7a9

SHA1
b06a9ed8e070a544517ecdebf18b152db886b458

SHA256
6dd7f47a542c937ba2367fbff3396ccf69033e3eca4916485b20eb60a3c7bee5

SHA512
6e1966f909cda7748720def41e54b075e58f3cc788230e291796a66694531727560a9d74a19a4d646894c1adf07ab29fe2972998c27f4df1157f1b6d916f4025

Download Submit